Microsoft Releases Patches for Zero-Day Vulnerabilities

This month’s Patch Tuesday sees a total of 10 security bulletins, all of which come as a package to the user.

Microsoft’s new all-or-nothing patch model is out for the month of October. The controversial delivery method sees users unable to pick and choose individual patches, instead having to rely on a single payload to get critical and less-important updates at the same time.

October’s patch bundle includes fixes for several critical vulnerabilities. The affected programs include Internet Explorer, Microsoft Edge, Office and the Windows operating system itself. Notably, industry experts warn that these vulnerabilities have already been exploited in the wild.

Some of the major updates, all of which patch a vulnerability that could allow remote code execution, are as follows:

  • Cumulative Security Update for Internet Explorer (3192887)

This security update resolves vulnerabilities in Internet Explorer. If exploited, an attacker could gain the same user rights as the current user. Alarmingly, if the current user is an administrator of the system, the attacker would gain administrator rights as well. In essence, the attacker could install programs that record keystrokes or capture screenshots of the user’s activities, delete data or even create entirely new administrator accounts.

  • Cumulative Security Update for Microsoft Edge (3192890)

In this instance, a patch was issued for Microsoft’s new mainstream browser, Edge. The exploit is triggered when an unsuspecting user views a specially crafted webpage using the browser. As with the previous vulnerability, this exploit would also enable attackers to gain administrator rights and privileges if they successfully target a user who is also an administrator.

  • Security Update for Microsoft Office (3194063)

This update resolves, again, a remote code execution vulnerability in Microsoft Office. Specifically, the vulnerability arises when the Office software fails to handle RTF files properly. An attacker could run arbitrary code in the context of the current user to compromise the system.

Microsoft also patched several other vulnerabilities that affected Adobe Flash Player for Windows 8.1, Windows 10 as well as Server 2012.

The entire list of patches and their details can be found here.
