Microsoft has sent out a substantial update patch that focuses on squashing bugs and fixing issues. Indeed, the company has fixed 94 holes in its security update for September. Dozens of remote code execution flaws have been solved with this roll out. Microsoft has also the company has finally solved a long-standing issue with Internet Explorer.
Released on Tuesday, the update patches a critical information disclosure bug in IE. This problem has been a bug known about for a long time. Microsoft has known about it since last year and has not acted on it yet. Why Microsoft took so long is maybe because the company did not think it was a major problem.
Security firms TrendMicro and Proofpoint reminded Microsoft about the issue for the second time. Those two companies also provided proof that this exploit is critical. This showed that the problem is being exploited by criminals.
The Internet Explorer bug in question is labelled as CVE-2016-3351 and has been used by cybercriminals. Attackers have been able to use online ad networks and target them with malicious content containing ransomware. There is evidence of this bug being exploited since as far back as January 2014. That's nearly three years.
Hard to Detect
Kafeine, a security company that first warned Microsoft, says the exploit can avoid security researcher tools. This makes it effective as it is hard to track through traditional detection and analyzing methods.
Microsoft acknowledges this, but the company says users must still choose to click the link to an attack site for their PC to be infected.
“In this case, the AdGholas group used such a bug specifically to avoid detection by researcher and vendor automated systems and thus stay below the radar even while they conducted a massive, long-running malvertising operation,” Kafeine wrote.