Microsoft has issued security patches that fixed also the zero-day vulnerability exploited by Russian hackers.
One of the zero-days tracked as CVE-2016-7255 has been patched in the MS16-135 bulletin that also addresses two information disclosure and three privilege escalation vulnerabilities. The zero-day was exploited by attackers to gain administrator-level access by escaping the sandbox protection and execute malicious code.
Google has chosen to public disclose the flaw just 10 days after privately reporting it to Microsoft, giving the company a very little time to issue security updates.
According to Google, the reason for going public without waiting for a patch is that its experts have observed exploits for the flaw in the wild.
Microsoft criticized the Google decision because the disclosure potentially puts customers at risk.
“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said in a statement. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
According to Microsoft, the CVE-2016-7255 vulnerability had been exploited in a limited number of spear-phishing attacks powered by the Russian hacker group known as Pawn Storm, APT28, Fancy Bear, Sofacy, Sednit, and Tsar Team.
According to the security advisory issued by Adobe, the CVE-2016-7855 has been exploited in targeted attacks. The vulnerability is a use-after-free issue that can be triggered by attackers for arbitrary code execution.
The last Microsoft Patch Tuesday include a critical security bulletin MS16-132 that addresses several issues related to the Windows Media Foundation, the Windows Animation Manager and OpenType fonts.
The bulletin MS16-132 also fixed the remote code execution vulnerability (CVE-2016-7256) that according to Microsoft has been exploited in the wild via specially crafted websites or documents that victims must open in order to trigger the exploit.
The bulletin MS16-129 fixed other vulnerabilities, a browser information disclosure vulnerability (CVE-2016-7199) and the Edge spoofing flaw (CVE-2016-7209)
The complete list of Microsoft Security Bulletins for November 2016 is available here:
Adobe also issued security patches for 9 Flash Player flaws reported via ZDI.
(Security Affairs – CVE-2016-7255 , hacking)