Microsoft has patched an actively attacked vulnerability in Internet Explorer and 73 other vulnerabilities during yesterday’s Patch Tuesday of February. The zero-day vulnerability in Internet Explorer was discovered by Google and allowed attackers to test for the presence of specific files on disk.
To become a victim of the attack, a user only had to visit a malicious website. While Microsoft reports the issue is actively attacked, it’s unknown where the attack took place, how it was discovered and what kind of files attackers were looking for. These kinds of “information disclosure” vulnerabilities have been abused in the past to collect all kinds of data on attacked systems. It e.g. allows attacker to check for specific security software or to check whether the system is part of a virtual machine or automated system used by security researchers.
Microsoft also patched four vulnerabilities this month of which details were already disclosed before the company released patches for them. According to Microsoft, none of the vulnerabilities have been targeted in an attack.
From those four, the first is an information disclosure attack in Windows which allows an attacker to read the contents of files on a computer. The second vulnerability was in Exchange Server and allowed an attacker to gain the same privileges as other users. This way the attacker could access the mailbox of other users and read their emails.
The other two vulnerabilities were in Microsoft’s Team Foundation server and allowed an attacker to read content for which he was not authorized, to execute malicious code and to perform all kinds of actions in name of other users, such as changing and deleting content.
Microsoft further patched vulnerabilities in Internet Explorer, Edge, Windows, Office ChakraCore .NET Framework, Exchange Server, Visual Studio, Azure IoT SDK, Microsoft Dynamics, Team Foundation Server and Visual Studio Code.
On most computers the patches are automatically downloaded and installed.