Microsoft's Patch Tuesday releases yesterday brought fixes for a number of critical security flaws, some of them affecting Microsoft's crown jewel, the Edge browser. Last night's update fixed 49 security vulnerabilities, including several rated critical. One of these is a zero-day flaw in Internet Explorer that malvertising campaigns have already exploited to avoid automated analysis systems and researchers by testing "for the presence of files on disk."
Zero-days already exploited in the wild - update Windows ASAP
Microsoft's October Patch Tuesday fixes dozens of critical flaws, including four that hackers have already exploited. The disclosure revealed that Tuesday's releases patch at least four zero-day vulnerabilities. One of these is an information disclosure problem in Internet Explorer (CVE-2016-3298).
The software giant explained that attackers can exploit this flaw to test for the presence of files on the disk by tricking users into visiting a specially crafted website. In other words, the attacker has to lure the target to a malicious website for this bug to work. Again, never click on suspicious links, folks.
Security researchers from Proofpoint, who reported this problem to Microsoft, said that hackers have exploited the vulnerability in massive malvertising campaigns conducted by AdGholas and GooNky. The researchers first spotted these tricks in April, as part of GooNky's campaigns targeting users in France.
Hackers use Internet Explorer zero-day flaw to avoid researchers
Researchers said the information disclosure vulnerability enabled criminals to ensure that their campaigns don't reach systems belonging to security researchers, thereby avoiding detection. They used a so-called "MIME-type" check to determine whether the target system stored certain types of files, including those with extensions such as .py, .pcap and .saz. Such files could indicate that the system had analysis software installed or was used by sophisticated users.
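A defender-side counterpart to the check described above, added here as an example and not code from Proofpoint or Microsoft: an audit of a detonation VM's disk for the extensions the campaigns are reported to probe, so an operator can keep such artifacts off the image. The directory layout is constructed for the demonstration.

```python
import os
import tempfile
from collections import defaultdict

# Extensions the Proofpoint write-up names as tell-tale analyst artifacts.
PROBED_EXTENSIONS = {".py", ".pcap", ".saz"}


def find_analyst_artifacts(root, extensions=PROBED_EXTENSIONS):
    """Walk `root` and return {extension: sorted matching paths}.

    A clean detonation image returns an empty dict; every hit is a file that
    a probing landing page could use to classify the host as a research
    environment and withhold its payload.
    """
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()  # case-insensitive, like Windows
            if ext in extensions:
                hits[ext].append(os.path.join(dirpath, name))
    return {ext: sorted(paths) for ext, paths in hits.items()}


def build_sample_image(base):
    """Create a constructed directory tree resembling an analyst VM (demo input)."""
    layout = {
        "Tools/capture/session1.pcap": b"\xd4\xc3\xb2\xa1",  # pcap magic (constructed)
        "Tools/fiddler/traffic.SAZ": b"PK\x03\x04",          # Fiddler archive is a zip
        "Scripts/unpack.py": b"print('hello')\n",
        "Documents/notes.txt": b"nothing of interest",      # should not be reported
    }
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base


def audit_sample_image():
    """Build the sample image in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_analyst_artifacts(build_sample_image(tmp))


if __name__ == "__main__":
    for ext, paths in sorted(audit_sample_image().items()):
        print(f"{ext}: {len(paths)} file(s) a probing page could detect")
        for path in paths:
            print("   ", path)
```

Point `find_analyst_artifacts` at the root of a real analysis image (or the user profile the browser runs under) to see what a probing page could learn before the image goes into production.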
Threat actors... are turning to flaws that allow them to focus on "high-quality users", specifically consumers rather than researchers, vendors, and sandbox environments that could detect their operations.
Information disclosure vulnerabilities like CVE-2016-3298 described here and the previously discussed CVE-2016-3351 allow actors to filter based on software and configurations typically associated with security research environments. - Proofpoint
Microsoft patched CVE-2016-3351, mentioned in the excerpt above, last month. It affected both the Internet Explorer and Edge browsers.
Microsoft rolled out Tuesday's cumulative updates to all versions of Windows 10, addressing a total of 49 vulnerabilities within 10 security bulletins. Five bulletins are rated critical and affect Microsoft Edge, Internet Explorer, Adobe Flash Player, Office, Windows, and Skype for Business. The company also fixed some critical flaws in Microsoft Edge, which it touts as the most secure browser. "The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge," the bulletin reads. An attacker who exploited this could gain the same user rights as the current user.
This month's cumulative build is a highly critical update. While some users have reported installation troubles, it is not a widespread issue. If you want to avoid falling victim to these malvertising campaigns, install the latest updates on your Windows systems right away.