Microsoft has fixed five “zero-day” flaws with its latest Patch Tuesday updates released today (April 13), including one that is actively being exploited “in the wild.”
That flaw under active attack is a local escalation of privilege — it gives a local user more power over the system than the user is supposed to have — and hence is classified as “Important” but not “Critical.”
To pull off this attack, an attacker would need direct access to a Windows computer, would have to trick a legitimate user into triggering the exploit, or could use malware that was already installed on the machine. It affects all versions of Windows 10.
Nevertheless, to inoculate your machine against this flaw and other newly disclosed vulnerabilities, run Windows Update when your system notifies you that an update is ready.
It’s deemed a “zero-day” flaw because it was known of and exploited before Microsoft had a chance to fix it.
The vulnerability was discovered by Boris Larin of Kaspersky, who in a blog post described its related exploit as “an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access.”
In other words, it’s part of a multi-stage attack chaining together several system and browser flaws. Larin said the flaw is being used by a state-sponsored hacking group that other researchers have linked to the government of India.
The other four zero-day flaws were, as Microsoft oddly put it, “publicly exposed but not exploited.” That seems to imply that other parties noticed the flaws but did not abuse them.
All four of these are deemed “Important” or “Moderate,” meaning there is little risk of remote code execution, i.e. successful attacks over the internet.
Several remote-code-execution flaws were fixed with this month’s round of updates. The most serious, both deemed “Critical,” are two flaws in Windows Media Video Decoder.
Both work on Windows 7, 8.1 and 10 alike. The fact that Microsoft is including fixes for Windows 7 more than a year after the end of official support indicates that these vulnerabilities are pretty severe.
As Microsoft explains, “an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability.”
“However, an attacker would have no way to force the user to visit the website,” Microsoft adds. “Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
These remote-code-execution flaws are not “zero-day” ones, because Microsoft fixed them before bad guys could start using them. However, now that the secret is out, expect malicious websites to start abusing them in a matter of days.
“Patch Tuesday” is the unofficial name given to the second Tuesday of any given month, when Microsoft, Adobe and other companies release scheduled fixes for security flaws.