13 different updates included in this month’s Patch Tuesday

Apr 13, 2016 05:12 GMT  ·  By
Patch Tuesday has brought 13 security updates for Windows users, including a Flash Player update

Microsoft has started this month’s Patch Tuesday update cycle to fix vulnerabilities in its software, and this time, the highlights are Windows, Edge browser, Internet Explorer, and the Office productivity suite.

There are 13 different security bulletins this month, one of which is the Flash Player patch that was released a few days ago and that Microsoft included in its rollout to fix vulnerabilities in Internet Explorer and Edge (both browsers come with Flash pre-installed, so in order to patch flaws, Microsoft has to deliver fixes through Windows Update).

Out of the 12 remaining updates, 6 are rated critical and fix flaws in Windows, Internet Explorer, Office, and the Edge browser. The rollout targets remote code execution and elevation of privilege flaws, and several of the updates require a restart, so IT admins should keep this in mind when planning deployment.

Windows users, prioritize this update!

For Windows users, the most important update that needs to be installed ASAP is MS16-039, which addresses flaws in a graphics component of the operating system. Absolutely all versions of Windows are affected, starting with Vista and ending with 10, as well as Office 2007 and 2010, .NET, Skype, and Lync.

“The two 0-days are contained with the Windows portion and both allow for the escalation of privilege from a normal user to administrator. In real life they will be paired with an exploit for a vulnerability that gets the attacker on the machine such as the Flash Player flaw,” Wolfgang Kandek, CTO of Qualys, explains.

“In that type of scenario, your user would go to a normal website and get attacked with a Flash exploit that then escalates with the CVE-2016-0165/7 vulnerabilities from MS16-039.”

Outlook, IE, and Edge patches

MS16-042 is also a critical patch for those using Outlook and is supposed to fix a flaw found in the Office productivity suite that could allow attackers to get the same privileges as the logged-in user with a compromised RTF document loaded in the email client. Avoid opening RTF files coming from suspicious sources until you patch.

Internet Explorer and Edge browser users are getting their own share of updates in the form of MS16-037 and MS16-038, respectively. Kandek says that, although each browser appears to have six vulnerabilities that are patched with these updates, none is under attack right now.

And last but not least, there’s MS16-040, an update that includes a new version of msxml.dll to address a vulnerability in the XML Core subsystem. In order to exploit the flaw, an attacker needs to get users to a website holding a compromised XML file, so make sure you avoid clicking links that look dangerous until you install this update.

All these updates are delivered through Windows Update, and up to this point, we’re not aware of any issues that might be experienced during the install process or after that. We’ll keep an eye out for such reports and will let you know with an update here should any problems be discovered.
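As an added example that is not part of the original article or of Microsoft's own tooling, the following PowerShell snippet shows how an admin can confirm on a given host that the month's bulletins are actually installed and whether one of the restart-requiring updates is still waiting for a reboot. The KB numbers in $RequiredKBs are placeholders (the article lists only bulletin IDs, not KB article numbers); replace them with the KB IDs from each bulletin you deploy. The two registry keys are the ones Windows servicing and Windows Update create when a restart is pending, and the msxml3.dll / msxml6.dll file names are the MSXML binaries present in System32 (the article only says "msxml.dll"), so compare the reported version against the file-version table in the MS16-040 bulletin.

```powershell
# Added example, not from the original article.
# Placeholder KB IDs: substitute the KB numbers listed in the MS16-037 .. MS16-042 bulletins.
$RequiredKBs = @('KB0000001', 'KB0000002')

function Get-MissingKBs {
    # Returns the subset of $KBs that Get-HotFix does not report as installed.
    param([string[]]$KBs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($KBs | Where-Object { $installed -notcontains $_ })
}

function Test-PendingReboot {
    # Either key exists only while a servicing operation or Windows Update
    # is waiting for the machine to restart.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($p in $paths) {
        if (Test-Path -Path $p) { return $true }
    }
    return $false
}

function Get-MsxmlVersions {
    # Reads the file version of the MSXML binaries so it can be compared with
    # the version shipped by MS16-040 (see the bulletin's file information table).
    foreach ($name in 'msxml3.dll', 'msxml6.dll') {
        $path = Join-Path $env:windir "System32\$name"
        if (Test-Path -Path $path) {
            [PSCustomObject]@{
                File    = $name
                Version = (Get-Item -Path $path).VersionInfo.FileVersion
            }
        }
    }
}

$missing = Get-MissingKBs -KBs $RequiredKBs
if ($missing.Count -gt 0) {
    Write-Output "Missing updates: $($missing -join ', ')"
} else {
    Write-Output 'All required updates are installed.'
}

if (Test-PendingReboot) {
    Write-Output 'A restart is pending; the installed patches are not fully active until the host reboots.'
}

Get-MsxmlVersions | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each host after the Windows Update cycle completes; a host that reports missing KBs or a pending reboot should be treated as unpatched for the purposes of the bulletins above.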