Microsoft has fixed five "zero-day" flaws in its latest Patch Tuesday update released today (April 13).
The flaw under attack is classified as "critical" but not "critical" because it is a local elevation of privilege, giving a local user more privileges over the system than that user is supposed to have. For this attack to be successful, the attacker would need to have direct access to a Windows computer, trick a legitimate user into launching an exploit, or use malware already installed on the machine. This attack affects all versions of Windows 10.
Nevertheless, the best way to protect your machine from this flaw and newly disclosed vulnerabilities is to run Windows Update when the system notifies you that an update is ready.
It is considered a "zero-day" flaw because it was known and exploited before Microsoft had a chance to fix it.
The vulnerability was discovered by Boris Larin of Kaspersky, who in a blog post described the related exploit as "an elevation of privilege (EoP) exploit, which can be used in conjunction with other browser exploits to escape from the sandbox or to gain system privileges for further access."
In other words, this is part of a multi-stage attack that chains together multiple system and browser flaws. According to Larin, the flaw is being used by state-sponsored hacking groups that other researchers have linked to the Indian government.
The other four zero-day flaws are, as Microsoft oddly put it, "publicly disclosed but not exploited." This seems to mean that other parties were aware of the flaws but did not exploit them.
All four of these flaws are considered "critical" or "moderate," meaning that there is little risk of code being executed remotely, i.e., a successful attack via the Internet.
This month's update fixes several remote code execution flaws. The most significant are two flaws in Windows Media Video Decoder, both of which are "critical."
Both work equally well on Windows 7, 8.1, and 10. The fact that Microsoft has a fix for Windows 7 more than a year after the end of official support indicates that these vulnerabilities are quite serious.
As Microsoft explains, "An attacker may be able to exploit the vulnerabilities by using a specially crafted file (or take advantage of a compromised website that accepts or hosts user-provided content). However, an attacker cannot force a user to visit a website. Instead, the attacker must persuade the user to click on a link, usually by an enticement in an email or instant messenger message, to open a specially crafted file."
These remote code execution flaws are not "zero-day" flaws in that Microsoft fixed them before the bad guys started using them. However, now that the secret is out, it is expected that malicious websites will begin exploiting these flaws within days.
"Patch Tuesday" is the unofficial name for the second Tuesday of each month when Microsoft, Adobe, and other companies announce fixes for security flaws.