Microsoft October 2018 Patch Tuesday fixes zero-day exploited by FruityArmor APT

Microsoft also fixes 48 other security bugs, 18 of which are rated "Critical."
Written by Catalin Cimpanu, Contributor

The Microsoft October 2018 Patch Tuesday security updates contain a fix for a Windows zero-day that was exploited in the wild by a nation-state cyber-espionage group known as FruityArmor, ZDNet has learned.

The group has been active since at least 2016, and this is the third zero-day they've deployed in the wild.

The group was first seen using a zero-day (CVE-2016-3393) in the Windows Graphics Device Interface (GDI/GDI+) component in October 2016, and then a second zero-day (CVE-2018-5002) in Adobe Flash Player in June 2018.

The third zero-day (CVE-2018-8453), the one patched this month, affects the Windows Win32k component, and its use was detected by Moscow-based cyber-security firm Kaspersky Lab back in August. Just like the previous Flash zero-day, this one was also used to go after targets located in the Middle East, Kaspersky said in a report.

But this third zero-day isn't as dangerous as the first two, both of which allowed remote code execution.

This third zero-day is only an elevation-of-privilege vulnerability, meaning FruityArmor has to get code running on a target system through other means before using its latest exploit. Nonetheless, once the group has a foothold on a host, CVE-2018-8453 allows an attacker to elevate from an ordinary, low-privileged user account to running arbitrary code in kernel mode.

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said in an advisory today.

Fixes for this zero-day have been made available for all supported versions of Windows.

The fixes are part of Microsoft's monthly security updates, known as the Patch Tuesday updates. This month, Microsoft has patched 49 vulnerabilities across mainstream products such as Windows, Edge, Internet Explorer, Office, Exchange Server, and .NET Core.
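Since the patch for CVE-2018-8453 ships inside the October 2018 cumulative update or monthly rollup rather than as a standalone fix, the practical question for an administrator is whether that month's update is installed or still pending. The following PowerShell script is an added example, not code from the article or from Microsoft; it queries the Windows Update Agent COM API on the local host. It assumes that the relevant update's title starts with the "2018-10" release prefix Microsoft uses for cumulative updates and monthly rollups, and that the host can reach Windows Update or WSUS.

```powershell
# Added example (not part of the original article): check whether the
# October 2018 security update is installed or still pending on this host.
# Assumption: the update's title begins with the "2018-10" release prefix.
$releasePrefix = '2018-10'

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Installed software updates whose title carries the October 2018 prefix
$installed = @($searcher.Search("IsInstalled=1 and Type='Software'").Updates |
    Where-Object { $_.Title -like "$releasePrefix*" })

# Updates Windows Update still considers applicable but not installed
$pending = @($searcher.Search("IsInstalled=0 and Type='Software'").Updates |
    Where-Object { $_.Title -like "$releasePrefix*" })

if ($installed.Count -gt 0) {
    "October 2018 update present:"
    $installed | ForEach-Object { "  " + $_.Title }
} elseif ($pending.Count -gt 0) {
    "October 2018 update NOT installed; currently offered by Windows Update:"
    $pending | ForEach-Object { "  " + $_.Title }
} else {
    "No update with prefix '$releasePrefix' reported. The host may be " +
    "unsupported, unable to reach Windows Update/WSUS, or already on a " +
    "later cumulative update that supersedes the October 2018 one."
}

# Cross-check: hotfixes whose install date is on or after Patch Tuesday
# (9 October 2018). Get-HotFix reports KB IDs, not release months, so this
# only shows that something was installed after that date.
Get-HotFix |
    Where-Object { $_.InstalledOn -ge [datetime]'2018-10-09' } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize
```

Two caveats when reading the output. On Windows 10, cumulative updates supersede each other, so a host patched with a later month's update will not list the October 2018 one as installed even though it carries the same fix; the third branch above covers that case and should be confirmed against the OS build number. And a host that cannot reach Windows Update or WSUS will report nothing pending, which is not the same as being patched.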

Of the 49 patches this month, 18 were classified with a "critical" severity marking. The zero-day received an "important" classification because, on its own, it does not lead to a direct compromise: an attacker must already have code running on the target.

ZDNet has summarized today's Patch Tuesday release in an HTML table, hosted here. The Trend Micro Zero-Day Initiative has also published an analysis of today's patches.

More information is also available on Microsoft's official Security Update Guide portal, available here, which also includes interactive filtering options so users can narrow the list to the products they care about.

Adobe also released security updates today, but, as in October 2017, the company did not patch any Flash vulnerabilities this month.

Article updated on October 10 with link to Kaspersky technical report on the zero-day's capabilities.
