Almost 50 vulnerabilities have been patched by Microsoft on October Patch Tuesday including one zero-day vulnerability that is being actively exploited in the wild by the FruityArmor APT group.
The zero-day (CVE-2018-8453) is linked to the Win32k component of Windows and is an elevation-of-privilege vulnerability discovered by Kaspersky Lab. If exploited, a threat actor could run arbitrary code in kernel mode and could create new accounts, install programs, or access, change or delete data. The flaw is present in all supported versions of Windows and Windows Server 2008, 2012, 2016 and 2019.
The FruityArmor threat group is based in the Middle East, which is where the attacks have so far been targeted. The group is known for using zero-day flaws in its attacks and has been targeting older versions of Windows, although Microsoft has warned that the vulnerability could allow attacks on the latest Windows versions.
Kaspersky Lab notes that two years ago, on October Patch Tuesday 2016, Microsoft also patched a flaw that was being actively exploited by the FruityArmor group – CVE-2016-3393. Kaspersky Lab will publish further details of the flaw this week.
In total, 49 vulnerabilities have been patched, 12 of which have been rated critical. One of those critical vulnerabilities, CVE-2010-3190, is eight years old and has been patched multiple times over the past eight years. The latest patch addresses the vulnerability in Exchange Server 2016. If exploited, it would allow an attacker to take full control of a vulnerable system. The other critical patches affect the Internet Explorer and Edge browsers, Hyper-V, and XML Core Services.
The latest patches also address three vulnerabilities that were publicly disclosed before patches were released: a flaw in the JET Database Engine, one in Azure IoT, and one in the Windows kernel. The patch for the JET Database Engine flaw is particularly important, as sample exploit code was published last month along with details of the vulnerability. As a result, organizations were exposed for several weeks. It was a similar story in August, when details and proof-of-concept code for a vulnerability in Windows Task Scheduler were published online, which also left Windows users vulnerable.
Most of the other patches in this round of updates were for Windows 10, the Edge browser, and associated Server versions.
Adobe has also released patches this week, which address 16 vulnerabilities, including four critical flaws in Adobe Digital Editions. The critical flaws permit remote code execution; three are heap overflow flaws and one is a use-after-free vulnerability.