Microsoft’s latest round of security patches contains a huge range of fixes for 74 vulnerabilities, and includes the resolution of a pair of zero-day flaws in Windows 10 which are currently being actively exploited.
That pair of worrying security holes (codenamed CVE-2019-0803 and CVE-2019-0859) are elevation of privilege vulnerabilities that pertain to Windows 7, 8, and 10, meaning that an attacker can potentially use them to do all sorts of nasty things to a victim’s PC.
As ZDNet reports, the problem revolves around the Win32k component improperly handling objects in memory, and when leveraged, this could allow a malicious party to view or delete data on the computer, or indeed install programs (such as malware) or create a new account with full user privileges.
That said, Microsoft also observes: “To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”
In other words, the attacker does need access to the PC in the first place, although that could potentially be gained by a targeted malware attack. Given that antivirus maker Kaspersky discovered CVE-2019-0859, it seems a fair assumption that malware-watching is how it was spotted, and indeed Kaspersky has found a number of zero-day vulnerabilities in recent times which have seemingly been concocted by nation-state hacking organizations.
For example, in March, Kaspersky uncovered CVE-2019-0797, which the company noted was the fourth privilege escalation exploit recently detected by its systems. The security firm observed at the time that there were several known targeted attacks that made use of this exploit, which was patched by Microsoft in the same month of its discovery (and again, this one allowed the attacker to gain control over the PC).
Kaspersky also underlined that folks shouldn’t hang around when installing security updates such as these which are being actively exploited (it’s not uncommon to wait and see whether early adopters run into issues with security patches, or indeed any update, after all).
Other holes which are patched up in the bundle of 74 fixes include a trio of Microsoft Office Access Connectivity bugs – and a number of other Office flaws – along with a security update for Adobe Flash Player (surprise, surprise), as well as Microsoft’s Edge browser.