Fly On Wall Street

Microsoft patches Windows zero-day used by multiple cyber-espionage groups

Microsoft released today its monthly roll-up of security patches known as Patch Tuesday. This month, the Redmond-based company has fixed 62 security flaws.

Among the 62 fixes, there is also a fix for a zero-day vulnerability that was under active exploitation before today’s patches were made available.

ZERO-DAY EXPLOITED BY MULTIPLE APTS

The zero-day, tracked as CVE-2018-8589, impacts the Windows Win32k component. Microsoft classified the issue as an “elevation of privilege” vulnerability and says that before an attacker could use this zero-day to gain elevated privileges, they’ll need to find a way to infect a system and run malicious code on it beforehand, using other exploits.

Microsoft credited Kaspersky Lab researchers for discovering this zero-day. A Kaspersky spokesperson told ZDNet that they discovered the zero-day being exploited by multiple cyber-espionage groups (APTs).

The zero-day had been used to elevate privileges on 32-bit Windows 7 versions. The company plans to publish a blog post tomorrow morning, November 14, with more information about CVE-2018-8589 and the way it was exploited.

This is the second Windows elevation of privilege zero-day that Microsoft has patched in as many months, and both have been discovered by Kaspersky researchers.

Last month, Microsoft patched CVE-2018-8453, another zero-day that had been used by a state-backed cyber-espionage group known as FruityArmor.

WINDOWS DATA SHARING SERVICE ZERO-DAY NOT PATCHED

But what Microsoft has not patched this month is the zero-day that was disclosed on Twitter at the end of October –the one affecting the Windows Data Sharing Service (dssvc.dll).

It appears that Microsoft did not have enough time to put together a patch, have it tested, and delivered. Microsoft isn’t to blame here, as the company’s security engineers didn’t get a heads-up before the researcher published details about that zero-day on Twitter.

Instead, Microsoft has published this month a security advisory to instruct users on how to properly configure BitLocker when used together with solid-state drives (SSDs).

Earlier this month, Dutch researchers proved that it was possible to bypass BitLocker encryption on some SSDs and retrieve a user’s data without needing the (BitLocker) user-set password. The advisory will help users make sure their data is safe, even when stored on vulnerable internal or external SSDs.

The rest of this month’s security patches also address vulnerabilities in products such as Windows, Internet Explorer, Microsoft Edge, the ChakraCore JavaScript engine, .NET Core Framework, Skype for Business, Team Foundation Server, Microsoft Dynamics 365, Azure App Service on Azure Stack, Microsoft Office and Microsoft Office Services and Web Apps.

Twelve of the 62 November 2018 Patch Tuesday vulnerabilities have been categorized as Critical, needing immediate patches due to their severity.

ZDNet has put together a summary of today’s Patch Tuesday release in an HTML table, available online here.

More information is also available on Microsoft’s official Security Update Guide portal, available here, which also includes interactive filtering options so users can find the updates and patches for only the products that are of interest.

Besides releasing its November security updates, Microsoft today also re-released Windows 10 1809 and Windows Server 2019, after the company had hit some pretty big snags during last month’s initial rollout.

OTHER PATCH TUESDAYS

Earlier today, Adobe, too, has released security updates. This month, the company shipped fixes for the Adobe Flash Player, Adobe Photoshop CC, and Adobe Acrobat and Reader.

SAP has also been releasing security updates on the same day as Microsoft, and this month, the company has patched a serious vulnerability that received a CVSSv3 severity score of 9.9 out of 10.

Exit mobile version