The Microsoft October 2018 Patch Tuesday security updates contain a fix for a Windows zero-day that was exploited in the wild by a nation-state cyber-espionage group known as FruityArmor, ZDNet has learned.
The group has been active since at least 2016, and this is the third zero-day they've deployed in the wild.
The group was first seen utilizing a zero-day (CVE-2016-3393) in the Windows Graphics Device Interface (aka GDI or GDI+) component in October 2016, and then a second zero-day (CVE-2018-5002) in the Adobe Flash Player in June 2018.
The third zero-day (CVE-2018-8453), the one patched this month, affects the Windows Win32k component; its use was detected by Moscow-based cyber-security firm Kaspersky Lab back in August. Just like the previous Flash zero-day, this one was also used to go after targets located in the Middle East, Kaspersky said in a report.
But this third zero-day isn't as dangerous as the first two, both of which allowed remote code execution.
This third zero-day is only an elevation-of-privilege bug, meaning FruityArmor has to compromise a system through other means before using its latest exploit. Nonetheless, once the group has a foothold on a host, CVE-2018-8453 lets the attacker elevate from a low-privileged user account, even a guest account, and run code in kernel mode.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said in an advisory today.
Fixes for this zero-day have been made available for all supported versions of Windows.
The fixes are part of Microsoft's monthly security updates, known as the Patch Tuesday updates. This month, Microsoft has patched 49 vulnerabilities across mainstream products such as Windows, Edge, Internet Explorer, Office, Exchange Server, and .NET Core.
Of the 49 patches this month, 18 were classified with a "critical" severity marking. The zero-day received an "important" classification because, on its own, it does not lead to a direct compromise of the system.
More information is also available on Microsoft's official Security Update Guide portal, which includes interactive filtering options so users can find the updates and patches for only the products that are of interest.
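Because CVE-2018-8453 is an elevation-of-privilege bug, the practical question for an administrator is simply whether each host has taken the October 2018 update. The script below is an added example (not from the ZDNet article, Kaspersky, or Microsoft) that triages a Windows host two ways: it looks for the KB articles you pass in (look them up for CVE-2018-8453 and your Windows version in the Security Update Guide; none are hard-coded here because they differ per OS build), and it reads the Windows Update history through the Windows Update Agent COM API for any security or cumulative update installed on or after October 9, 2018, which is assumed here as the October 2018 Patch Tuesday date.

```powershell
# Added example: triage a Windows host for the October 2018 Patch Tuesday updates.
# Not the article's or Microsoft's code. KB numbers are not hard-coded; pass the KB
# articles listed for CVE-2018-8453 for this OS (from the Security Update Guide).
param(
    [string[]]$KbIds = @(),                         # e.g. KBs listed for CVE-2018-8453 for this OS
    [datetime]$PatchTuesday = [datetime]'2018-10-09' # assumption: October 2018 Patch Tuesday date
)

$os = Get-CimInstance Win32_OperatingSystem
Write-Output ("Host: {0}  OS: {1}  Build: {2}" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)

# 1. Installed hotfixes as reported by Win32_QuickFixEngineering.
$hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending
$matched = @()
if ($KbIds.Count -gt 0) {
    $matched = @($hotfixes | Where-Object { $KbIds -contains $_.HotFixID })
}

# 2. Windows Update history via the Windows Update Agent COM API. Cumulative updates
#    sometimes surface here under a title that QFE does not list, so check both views.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = @()
if ($count -gt 0) {
    # ResultCode 2 = orcSucceeded in the OperationResultCode enumeration.
    $history = @($searcher.QueryHistory(0, $count) |
        Where-Object { $_.ResultCode -eq 2 -and $_.Date -ge $PatchTuesday } |
        Select-Object Date, Title)
}
$recentSecurity = @($history | Where-Object { $_.Title -match 'Cumulative|Security' })

if ($matched.Count -gt 0) {
    Write-Output ("PATCHED: found " + (($matched | ForEach-Object { $_.HotFixID }) -join ', '))
} elseif ($recentSecurity.Count -gt 0) {
    Write-Output ("LIKELY PATCHED: security/cumulative updates installed since {0}:" -f $PatchTuesday.ToShortDateString())
    $recentSecurity | Format-Table -AutoSize | Out-String | Write-Output
} else {
    Write-Output "NOT PATCHED (or not verifiable): no October 2018 update found; check the KB for CVE-2018-8453 in the Security Update Guide."
}
```

Run it as an administrator (for example `.\Check-Oct2018.ps1 -KbIds KB…` with the KB IDs from the Security Update Guide). The date-based check is a heuristic: a later cumulative update supersedes the October one, so a host that skipped October but took November still reports as likely patched, which is the correct answer for CVE-2018-8453 because Windows cumulative updates roll earlier fixes forward.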
Adobe also released security updates today, but, just as in October 2017, this month the company did not patch any Flash vulnerabilities.
Article updated on October 10 with link to Kaspersky technical report on the zero-day's capabilities.
Previous and related coverage:
- Microsoft patches recent ALPC zero-day in September 2018 Patch Tuesday updates
- Google restricts which Android apps can request Call Log and SMS permissions
- Google sets new rules for third-party apps to access Gmail data
- US government rolls out 2-step verification for .gov domain owners
- DHS and GCHQ join Amazon and Apple in denying Bloomberg chip hack story
- Ukraine fears a coordinated hacking attack from Russia (CNET)
- Can Russian hackers be stopped? Here's why it might take 20 years (TechRepublic)