Microsoft has released a swathe of updates addressing vulnerabilities in Windows, Office, the .NET framework, and its Edge and IE Internet browsers. In total 10 security bulletins were released this patch Tuesday to address Microsoft vulnerabilities, with a further bulletin to address vulnerabilities in Adobe Flash Player.
More than half of the security bulletins address critical security vulnerabilities, most of which could be exploited allowing remote code execution. The remaining bulletins are rated as important.
The bulletins dealing with vulnerabilities in Microsoft Edge and Internet Explorer could be exploited if a user visits specially crafted webpages. If the vulnerabilities are not patched they could be used to gain full control of a computer, install programs, or gain the same privileges as the current user.
The vulnerability in Adobe Flash Player could allow remote code execution. Adobe has released its own patch, although the Microsoft bulletin addresses the vulnerability in Windows 8.1, Windows Server 2012, Windows RT 8.1, Windows Server 2012 R2, and Windows 10, which come bundled with Flash Player.
Two of the security updates address flaws in Windows scripting engines, while one addresses a vulnerability in the Print Spooler service. The scripting engine vulnerabilities affect Jscript and VBScript and have been combined in MS16-086. These vulnerabilities could be used to either gain the same privileges as the current user or could even allow an attacker to take full control of the computer. Both affect Windows Vista and Windows Server 2008.
The Print Spooler Service vulnerability – addressed with MS16-087 – could be exploited using a man-in-the-middle attack on either a workstation or a print server. An attacker could also set up a rogue print server on a target network. If the latter occurred, code could be executed with system level privileges.
Microsoft Security Bulletin MS16-088 addresses a critical flaw in Microsoft Office that could be exploited by an attacker by sending a specially crafted office file to an end user via email. This vulnerability could be used by an attacker to run arbitrary code in the context of the current user.
Security Bulletin MS16-094 is rated as important, although potentially very serious. If an attacker was able to exploit this vulnerability it would be possible to bypass Secure Boot, potentially allowing an attacker to install rootkits after installing a policy on the targeted system. However, to do this an attacker would have to have administrator privileges or physical access to the device.
While all of the updates should be installed, it is important to prioritize installation and address the critical vulnerabilities first.