The most important fix is the prevention of elevation of privilege if an attacker logs on to an affected system. In order to do so, the attacker would be able to trick the user by running a malicious program or a “specially crafted application“, as Microsoft calls it.
That means running programs, deleting various data and creating user accounts with full user rights. The whole process could exploit the vulnerabilities and take complete control of an affected system.
The patch is a part of a regular monthly round of security patches known as Patch Tuesday. The patch has an “Important” rating for all supported releases of Windows and is only available via Windows Update.
This is related to a recent incident where a Russian group called STRONTIUM performed a low-volume spear-phishing attack to exploit vulnerabilities. The attack used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.
As promised, Microsoft has issued a fix for all of the affected version of Windows. It’s important to note that users running the Windows 10 Anniversary Update were initially protected from the attacks.
Google’s public disclosure
Google’s Threat Analysis Group first spotted the attack and published the details of the flaw before the patch. Google breached the standard three-month private disclosure period, citing there was evidence hackers were actively exploiting the flaw.
Google’s handling of the situation angered Microsoft, saying its decision “puts customers at increased risk”. However, Microsoft resolved the brief situation by acknowledging Google researchers responsible for finding the flaw.
Microsoft also issued a fix for six critical flaws, including the one that affected all versions of Windows. The most severe vulnerability could allow remote code execution if an attacker with local authentication runs a specially crafted application.
The update addresses this vulnerability in two ways – by correcting how the Windows Input Method Editor (IME) loads DLLs and requiring hardened UNC paths be used in scheduled tasks.
Also issued are eight other important updates, including cumulative updates for Internet Explorer and Edge browsers.