Microsoft Patches Vulnerabilities

Monday, May 16, 2016 @ 06:05 PM gHale


Microsoft released 16 security bulletins to patch more than 30 vulnerabilities last week.

The flaws have been addressed by Microsoft in two separate critical bulletins.

RELATED STORIES
Microsoft Patches Office 365
XSS Filter Bypass in Edge
Flash Zero Day Patched
Adobe Patches Flaw in Flash Library

One of them, MS16-053, fixes the actual vulnerabilities, which affect the JScript and VBScript scripting engines in Windows. These security holes, tracked as CVE-2016-0187 and CVE-2016-0189, can end up used for remote code execution.

Since the vulnerabilities can end up exploited via Internet Explorer, Microsoft released a separate bulletin, MS16-051, for the web browser.

The software giant said MS16-051 protects systems running Internet Explorer 9, 10 and 11, while MS16-053 addresses the vulnerabilities on systems running Internet Explorer 7 and earlier.

Symantec said attackers exploited these flaws in limited targeted attacks aimed at South Korea, where Internet Explorer is popular. Attackers likely delivered the exploit via spear-phishing emails or compromised websites, Symantec researchers said.

The exploit landing page hosts JavaScript code designed to profile the user’s computer and deliver the actual exploit in an obfuscated VBScript file. The exploit ended up used to download a malicious file from a Korean website, but Symantec said the final payload is currently unknown.

Another critical bulletin released by Microsoft Tuesday addressed several remote code execution vulnerabilities in Edge running on Windows 10.

An attacker can exploit the flaws by getting the victim to access a specially crafted webpage.

A bulletin that addresses vulnerabilities in Office has also been rated critical. Attackers could leverage these for remote code execution via a specially crafted Office file.

The other critical and important updates patch various security holes affecting Windows components, including the graphics component, Journal, Windows Shell, IIS, Media Center, Kernel-Mode and Volume Manager drivers, and Virtual Secure Mode.

An important update for the .NET Framework addresses a TLS vulnerability (CVE-2016-0149) already publicly disclosed.