Microsoft Patches Windows Zero-Day Exploited by 'FruityArmor' Group
10.10.2018 securityweek
Vulnerability

Microsoft's Patch Tuesday updates for October 2018 resolve nearly 50 vulnerabilities, including a Windows zero-day flaw exploited by an advanced persistent threat (APT) actor known as FruityArmor.

The zero-day, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue in how Win32k, the kernel-mode window manager driver (win32k.sys), handles objects in memory. Because the bug sits in kernel code, an attacker who is already logged on to the system can exploit it to run arbitrary code in kernel mode and take full control of the affected machine; it is a local elevation-of-privilege flaw, not a remote entry point, and is typically chained with a separate initial-access exploit.

According to Microsoft, the vulnerability has been actively exploited against older versions of Windows, but exploitation may also be possible on the latest versions of the operating system.

The flaw was reported to Microsoft by Kaspersky Lab, whose experts noticed the attacks exploiting CVE-2018-8453. Kaspersky will publish a detailed technical report on Wednesday, but the company told SecurityWeek that the vulnerability has been exploited by the FruityArmor group in a highly targeted campaign.

Interestingly, Microsoft's Patch Tuesday updates for October 2016 also addressed a Windows zero-day exploited by FruityArmor: CVE-2016-3393, a flaw in the Windows Graphics Component fixed in bulletin MS16-120. That attack was also first observed by Kaspersky Lab.

Microsoft's latest updates also fix three vulnerabilities that were publicly disclosed before patches were made available, including a JET Database Engine out-of-bounds write (CVE-2018-8423) that Trend Micro's Zero Day Initiative published after its disclosure deadline passed, and for which 0patch released an unofficial micropatch in the interim.

The other disclosed flaws are a privilege escalation bug affecting the Windows kernel, and a remote code execution weakness impacting Azure IoT.

A dozen of the vulnerabilities addressed this month are rated critical; they impact Internet Explorer, Edge, Hyper-V, and XML Core Services.

One of the patches addresses CVE-2010-3190, an insecure library loading (DLL preloading) vulnerability in the Visual Studio 2010 MFC runtime. The flaw was first resolved by bulletin MS11-025 in 2011, but Exchange Server, which ships and loads the affected MFC runtime, was not identified as an affected product at the time.

"This vulnerability affects all installations of Exchange Server. If you are running any version of Exchange server released prior to Exchange Server 2016 Cumulative Update 11 (as of this publishing, Cumulative Update 10 is the most recent cumulative update for Exchange 2016), the Visual Studio 2010 updates in MS11-025 should be applied to your Exchange Server," Microsoft explained in its advisory.
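Microsoft's advisory leaves the administrator with two things to determine: whether the Exchange server is older than Exchange 2016 CU11, and whether the MFC 10 runtime DLLs it loads are at or above the MS11-025 level. The following PowerShell script is an added example written for this page; it is not code from SecurityWeek, Microsoft or Kaspersky. It reads the Exchange install path from the registry key Exchange setup writes, reports the ExSetup.exe build, and lists the file version of every mfc100*.dll found in the Exchange Bin folder, System32 and SysWOW64. The two threshold values are placeholders that must be confirmed against Microsoft's Exchange build-number table and the MS11-025 KB article before the output is trusted.

```powershell
#Requires -Version 3.0
# Added example, not from the article or from Microsoft.
# Reports whether an Exchange 2013/2016 server still needs the MS11-025
# (Visual Studio 2010 MFC) update by checking the Exchange build and the
# MFC 10 runtime DLL versions it can load.
#
# ASSUMED placeholder thresholds (verify before use):
#   -MinExchangeBuild : build of Exchange 2016 CU11, from Microsoft's build table
#   -MinMfcVersion    : fixed mfc100*.dll version, from the MS11-025 KB article
param(
    [version]$MinExchangeBuild = '15.1.1591.10',
    [version]$MinMfcVersion    = '10.0.40219.325'
)

function Get-FileVersionObject {
    # Build a [version] from the numeric parts; the FileVersion string often
    # carries a trailing build tag (e.g. "(vc10sp1_...)") that would not parse.
    param([System.IO.FileInfo]$File)
    $v = $File.VersionInfo
    New-Object System.Version $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
}

function Get-ExchangeBinPath {
    # Exchange 2013/2016 setup records MsiInstallPath under the v15 Setup key.
    $key = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
    if (Test-Path $key) {
        $root = (Get-ItemProperty -Path $key).MsiInstallPath
        if ($root) { return (Join-Path $root 'Bin') }
    }
    return $null
}

function Test-ExchangeMfcExposure {
    param([version]$MinBuild, [version]$MinMfc)

    $bin = Get-ExchangeBinPath
    if (-not $bin -or -not (Test-Path $bin)) {
        Write-Warning 'No Exchange v15 installation found in the registry.'
        return
    }

    # 1. Exchange build: anything below the CU11 threshold needs MS11-025 applied.
    $exsetup = Join-Path $bin 'ExSetup.exe'
    $build   = Get-FileVersionObject (Get-Item $exsetup)
    [pscustomobject]@{
        Check   = 'ExchangeBuild'
        Path    = $exsetup
        Version = $build
        Status  = $(if ($build -lt $MinBuild) { 'pre-CU11: apply MS11-025' } else { 'CU11 or later' })
    }

    # 2. MFC 10 runtime DLLs in every location Exchange processes may load them from.
    $roots = @($bin, "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    $names = 'mfc100.dll', 'mfc100u.dll', 'mfcm100.dll', 'mfcm100u.dll'
    foreach ($root in $roots) {
        foreach ($name in $names) {
            $path = Join-Path $root $name
            if (Test-Path $path) {
                $ver = Get-FileVersionObject (Get-Item $path)
                [pscustomobject]@{
                    Check   = 'MfcRuntime'
                    Path    = $path
                    Version = $ver
                    Status  = $(if ($ver -lt $MinMfc) { 'below MS11-025 level' } else { 'at or above MS11-025 level' })
                }
            }
        }
    }
}

Test-ExchangeMfcExposure -MinBuild $MinExchangeBuild -MinMfc $MinMfcVersion | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each Exchange server; any row flagged 'pre-CU11' or 'below MS11-025 level' is one where the Visual Studio 2010 updates from MS11-025 still have to be installed. The version comparison is done on the numeric file-version parts rather than the FileVersion string, since that string is free text and sorts unreliably.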

The remaining vulnerabilities have been classified as "important" – and a couple as "moderate" and "low" – and they impact Windows, SharePoint, Office, Edge, and SQL Server Management Studio.

"There was a total of 49 CVEs addressed across the portfolio," commented Chris Goettl, director of product management and security for Ivanti. "As expected, the majority, 33 were fixed in Windows 10, Edge, and the associated Server versions. Also, please note that there was an update for Server 2019 which was made generally available last week. Microsoft continued the trend from last month where they introduced both a monthly rollup and a security-only release for Server 2008. Prior to that there was only a single security update. Updates were released for all supported versions of Exchange Server and SharePoint Server this month as well."