Microsoft patches Windows vulnerability discovered by Google
Microsoft has released a patch for a Windows vulnerability that Google made public last week. Attackers could use the vulnerability to escalate privileges. It is being actively exploited through spearphishing attacks.
The patch’s security bulletin is labeled MS16-135, and the update addresses a vulnerability in nearly all supported versions of Windows, starting with Vista. Only users of Windows 10 Anniversary Update in combination with a browser that has been updated to the latest version are not vulnerable.
In its security bulletin, Microsoft states that the update addresses multiple elevation-of-privilege vulnerabilities. The privilege escalation was possible because of errors in the way the kernel accessed memory addresses. With an exploit, an attacker could circumvent address space layout randomization (ASLR). To exploit this, the attacker would have to trick a logged-in user into installing a specially crafted application.
Google revealed the vulnerability last week, along with another component that could be used in an attack, related to a vulnerability in Adobe’s Flash. Microsoft criticized Google for the short period between discovery and publication: Microsoft was given ten days to release a patch. According to Microsoft, the zero-day was actively abused, albeit on a small scale, by a Russian group that was also responsible for politically motivated attacks in the US.