Want CNET to notify you of price drops and the latest stories?

Microsoft's Patch Tuesday fixes trio of 'zero-day' flaws

Monthly security update addresses two dozen vulnerabilities, including one being exploited as part of the "Sandworm" cyberattack.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read


Microsoft issued eight security bulletins on Tuesday that address two dozen vulnerabilities, including a bug reportedly being exploited by Russian hackers to target NATO computers.

Issued as part of its October edition of Patch Tuesday, the updates address vulnerabilities found in all currently supported versions of Windows, Internet Explorer, Office and the .Net framework. Three of the bulletins are rated critical, meaning Microsoft recommends systems administrators apply the patches immediately.

Security researcher FireEye said it identified two of three so-called zero-day bugs -- flaws that are being actively exploited in the wild by hackers -- being used as "part of limited, targeted attacks against some major corporations."

One of the patches addresses a remote code execution flaw in all supported versions of Microsoft Windows and Windows Server 2008 and 2012 that is being "="" cyberattack"="" shortcode="link" asset-type="article" uuid="7b0c8df8-e610-4181-bbf7-4696a27423fe" slug="russian-hackers-tap-windows-flaw-to-hit-nato-ukraine" link-text="exploited in the " section="news" title="Russian hackers tap Windows flaw to hit NATO, Ukraine" edition="us" data-key="link_bulk_key" api="{"id":"7b0c8df8-e610-4181-bbf7-4696a27423fe","slug":"russian-hackers-tap-windows-flaw-to-hit-nato-ukraine","contentType":null,"edition":"us","topic":{"slug":"security"},"metaData":{"typeTitle":null,"hubTopicPathString":"Security","reviewType":null},"section":"news"}"> . The exploit has been used as part of a five-year cyberespionage campaign, according to security iSight, but it is unknown what kind of data has been lifted throughout the Sandworm campaign.

iSight said that a team of hackers previously launched campaigns targeting the US and EU intelligence communities, military establishments, news organizations and defense contractors -- as well as jihadists and rebels in Chechnya. However, focus has turned toward the Ukrainian conflict with Russia, energy industries and political issues concerning Russia based on evidence gleaned from phishing emails.

Microsoft rated the flaw as important rather than critical because it requires a user to open a Microsoft Office file to initiate the code execution.

"A vulnerability exists in Windows OLE that could allow remote code execution if a user opens a file that contains a specially crafted OLE object," Microsoft warned in its bulletin. "An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user." (OLE is Microsoft technology for creating complex documents that contain a combination of text, sound, video and other elements.)

Another zero-day flaw addressed by the update is a privilege escalation vulnerability that "could lead to full access to the affected system," Microsoft said in its bulletin.

A third zero-day bug in Windows rated as critical and patched Tuesday could allow remote code execution when a victim visits opens a document or visits a malicious website that contains embedded TrueType fonts.