Microsoft and Adobe warn of separate zero-day vulnerabilities under attack

Share this…

Exploits exist for both bugs and allow for remote code execution. Windows users woke up to something that doesn’t happen every day: the disclosure of two zero-day vulnerabilities, one in the Microsoft operating system and the other in Adobe’s Flash Player.

The Windows bug is being actively exploited in the wild, making it imperative that users install fixes that Microsoft released today as part of its May Patch Tuesday. Cataloged as CVE-2016-0189, the security flaw allows attackers to surreptitiously execute malicious code when vulnerable computers visit booby-trapped websites. In the days or weeks leading up to Tuesday, it has been exploited in targeted attacks on South Korean websites, according to a blog post published by security firm Symantec. Technically, the vulnerability resides in the JScript and VBScript engines, but IE is the vehicle used to exploit it.


Separately, Adobe officials warned that a newly discovered Flash vulnerability also gives attackers the ability to remotely hijack machines. It was first reported by researchers from security firm FireEye, and exploits exist in the wild. Adobe said it planned to release an update as soon as Thursday.

On Tuesday, FireEye published a blog post headlined Threat actor leverages windows zero-day exploit in payment card data attacks, that described how attackers managed to infect more than 100 organization in North America using a zero-day vulnerability. The bug, however, was CVE-2016-0167, a privilege escalation flaw that Microsoft fixed in last month’s Patch Tuesday.

As if the in-the-wild attacks reported by Symantec weren’t enough reason for Windows users to install this month’s patch release, the updates contain fixes for several other remote code-execution vulnerabilities that represent a threat. The existence of a currently unpatched Flash vulnerability is yet another reason users of all computer platforms should strongly consider uninstalling the media player.