Microsoft and Zero-Day Flaws

On September 13th, Microsoft was forced to fix seven critical security flaws that could be remotely exploited. These updates went out to the latest versions of Microsoft Windows, Office, and Explorer. However, if you use older versions of these products, you will not see any security updates. Those using older versions of the software are at dramatically greater risk of having their systems exploited.

Furthermore, one of the flaws being fixed is a zero-day vulnerability that has been exploited for over two years. This specific vulnerability exists in the IE and Edge browsers, and malvertising groups such as AdGholas and GooNky have been exploiting it. The flaw was brought to attention in 2015 by a French security researcher by the name of Kafeine, who alerted Microsoft to the situation. What makes this interesting is that these malvertising groups have been exploiting these non-critical bugs and low-level vulnerabilities for over two years, serving malvertising to up to five million users per day.

These groups have apparently stayed off the radar by hiding their attack code in plain sight, such as inside an image file, a practice called steganography.

To nobody’s surprise, more Adobe flaws have been found. On September 13th, Adobe released more security updates to fix flaws found in Adobe Flash, AIR, and Adobe Digital Editions, an e-book viewer. The number of critical flaws in Flash that have been discovered and fixed in recent years is staggering, which is leading many companies to abandon Flash support in their browsers. The vulnerabilities fixed on the 13th could potentially allow an attacker to gain control of a system. Many companies are recommending that you uninstall Flash and use a browser, like Chrome, which does not support Adobe Flash.


Author: Tim Zabel, Rochester Institute of Technology