Microsoft Patch Tuesday to fix flaw exploited in ransomware malvertising campaign

Flaw uncovered in April. Microsoft fixes it in October

Microsoft's October Patch Tuesday will fix a "critical" security flaw that has been exploited in a malvertising campaign used to propagate ransomware for almost a year.

It is one of 45 flaws addressed across 10 bulletins, five of them zero-day vulnerabilities.

The most important patch should fix a flaw being exploited by the AdGholas malvertising campaign, six months after security software company Proofpoint and researcher Kafeine detected and reported the flaw.

Proofpoint claimed that although the firm, along with Kafeine, identified the vulnerability in April, AdGholas had probably already been exploiting it for several months to propagate ransomware, slipping the exploits in via ads placed on widely used advertising networks.

"Threat actors are increasingly turning to software vulnerabilities that don't just let them install malware onto a system through drive-by downloads, but let them hide their actions from researchers," said Kevin Epstein, vice president of the threat operations centre at Proofpoint.

Exploit kit activity has dropped off since 2015, he added, but the activity that is still going on is increasingly sophisticated, "using advanced filtering to pull in users most likely to be infected and provide the best return on investment for threat actors".

The fixes are being sent to users' PCs rolled up into one download, which means that most end users will be unable to pick and choose which patches to apply, while systems administrators will have the headache of managing multiple terabytes of data suddenly hitting the network at the same time.

The Microsoft Security Bulletin Summary for October 2016 lists the key fixes as follows:

Karl Sigler, threat intelligence manager at Trustwave, described the hit list as "the usual suspects, namely Internet Explorer, Edge, Graphics Component, Adobe Flash and the Microsoft Office suite".

He also highlighted a rare 'Moderate'-rated threat (MS16-126) that would enable attackers to test for the presence of files on a file system to make sure that a PC isn't running anything that might detect their malware before conducting an all-out assault.