In its monthly Patch Tuesday release, Microsoft has patched five zero-day vulnerabilities and is now bundling all updates into one, no longer allowing users to pick and choose which updates they would like to install.
A total of ten security updates were released, affecting browsers, Office, GDI, kernel drivers, the registry and messaging, along with an update for Adobe Flash.
This month's patch bundle includes fixes for five separate zero-day vulnerabilities in Internet Explorer, Edge, Windows and Office products.
Amol Sarwate, director of Vulnerability Labs at Qualys, said: “What's interesting is that five updates have at least one vulnerability each which fixes a zero-day. These are the vulnerabilities that are already actively exploited in the wild.”
The patches for these zero-day flaws are included in MS16-118, MS16-119, MS16-120, MS16-121 and MS16-126.
Although none of the zero-day flaws were publicly disclosed prior to Tuesday, the company was aware of attacks exploiting these flaws, said Microsoft.
The vulnerabilities are:
CVE-2016-3298: An Internet Explorer zero-day flaw, a browser information disclosure vulnerability patched in the MS16-118 bulletin along with 11 other vulnerabilities. It could allow attackers to "test for the presence of files on disk."
Proofpoint researchers Will Metcalf and Kafeine first detected and reported CVE-2016-3298 in April 2016 as part of a “GooNky” infection chain along with CVE-2016-3351, but the information disclosure vulnerability was most likely already in use by the AdGholas group.
The researchers said: “Threat actors, particularly those in the AdGholas and GooNky groups, continue to look for new means to exploit browser flaws. More importantly, though, they are turning to flaws that allow them to focus on "high-quality users", specifically consumers rather than researchers, vendors, and sandbox environments that could detect their operations. Information disclosure vulnerabilities like CVE-2016-3298 described here and the previously discussed CVE-2016-3351 allow actors to filter based on software and configurations typically associated with security research environments.”
CVE-2016-7189: A zero-day in the browser's scripting engine, patched, among others, in the Microsoft Edge bulletin MS16-119. The flaw is a remote code execution vulnerability.
CVE-2016-3393: A zero-day in the Microsoft Windows Graphics Component, patched in MS16-120. It could be exploited over the web, through an email containing a malicious file or over a file-sharing app, facilitating a remote code execution attack.
CVE-2016-7193: A zero-day in Office, addressed in the MS16-121 bulletin. The flaw is a remote code execution vulnerability caused by the way Office handles RTF files.
CVE-2016-3298: A zero-day patched in MS16-126, the only zero-day that is rated moderate rather than critical. The flaw is an information disclosure bug in the Microsoft Internet Messaging API affecting Vista, Windows 7 and 8.
CVE-2016-0142: Also rated critical is MS16-122, which patches a remote code execution flaw in the Windows Video Control, affecting Windows Vista, 7, 8 and 10. The bug can be exploited when a user opens a crafted file or app from a web page or email.
The rest of the bulletins are rated important or moderate, including MS16-123, MS16-124 and MS16-125, which patch five elevation of privilege vulnerabilities in Windows Kernel-Mode, four elevation of privilege vulnerabilities in Windows Registry, and an elevation of privilege flaw in Windows Diagnostics Hub respectively.
Adobe also released a new version of Flash Player that patched 12 vulnerabilities in its software, most of which were remote code execution flaws. It also published fixes for 71 CVE-listed security flaws in Acrobat and Reader, along with a fix for a single elevation of privilege bug in Creative Cloud.