Latest Windows patches fix two actively exploited zero-day security holes

Windows 10
Image credit: Microsoft

Microsoft’s latest round of security patches contains a huge range of fixes for 74 vulnerabilities, and includes the resolution of a pair of zero-day flaws in Windows 10 which are currently being actively exploited.

That pair of worrying security holes (codenamed CVE-2019-0803 and CVE-2019-0859) are elevation of privilege vulnerabilities that pertain to Windows 7, 8, and 10, meaning that an attacker can potentially use them to do all sorts of nasty things to a victim’s PC.

As ZDNet reports, the problem revolves around the Win32k component improperly handling objects in memory, and when leveraged, this could allow a malicious party to view or delete data on the computer, or indeed install programs (such as malware) or create a new account with full user privileges.

That said, Microsoft also observes: “To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”

Targeted malware

In other words, the attacker does need access to the PC in the first place, although that could potentially be gained by a targeted malware attack. Given that antivirus maker Kaspersky discovered CVE-2019-0859, it seems a fair assumption that malware-watching is how it was spotted, and indeed Kaspersky has found a number of zero-day vulnerabilities in recent times which have seemingly been concocted by nation-state hacking organizations.

For example, in March, Kaspersky uncovered CVE-2019-0797, which the company noted was the fourth privilege escalation exploit recently detected by its systems. The security firm observed at the time that there were several known targeted attacks that made use of this exploit, which was patched by Microsoft in the same month of its discovery (and again, this one allowed the attacker to gain control over the PC).

Kaspersky also underlined that folks shouldn’t hang around when installing security updates such as these which are being actively exploited (it’s not uncommon to wait and see whether early adopters run into issues with security patches, or indeed any update, after all).

Other holes which are patched up in the bundle of 74 fixes include a trio of Microsoft Office Access Connectivity bugs – and a number of other Office flaws – along with a security update for Adobe Flash Player (surprise, surprise), as well as Microsoft’s Edge browser.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).

Latest in Computing Security
The X logo next to a silhouette of Elon Musk
Who was really behind the massive X cyberattack? Here’s what experts say about Elon Musk’s claims
A person holding a phone looking at a scam text with warning signs around
A massive SMS toll fee scam is sweeping the US – here’s how to stay safe, according to the FBI
View on National Assembly building in Paris, France, with French and European flags flying.
France rejects controversial encryption backdoor provision
ensure data security for your business
The complete data protection system for your business
ignal messaging application President Meredith Whittaker poses for a photograph before an interview at the Europe's largest tech conference, the Web Summit, in Lisbon on November 4, 2022.
"We will not walk back" – Signal would rather leave the UK and Sweden than remove encryption protections
Man uses a laptop in a hotel room
4 ways to avoid misinformation on social media and retain control of your newsfeed
Latest in News
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over