Microsoft has issued ten bulletins this Patch Tuesday, which fix five new zero days and five critical vulnerabilities. In contrast to previous Patch Tuesdays, older Microsoft operating systems are now being updated using Microsoft’s new patching policy of bundling patches together. Administrators must therefore decide whether to apply all of the patches or none since it is no longer possible to select which updates to install.
This could potentially create problems for administrators. Updates may need to be applied when there is a known compatibility issue with one or more elements. Otherwise the update will need to be avoided which will leave systems vulnerable. Then there is the issue of the size of the updates. When a large number of issues are addressed on Patch Tuesday, downloading the updates could take up a considerable amount of system resources. Understandably, the decision to switch to the Windows 10 model of OS updates has not been welcomed by many IT professionals.
Microsoft has reported that the critical vulnerabilities addressed in the latest bulletins could result in remote code execution if the updates are not applied. Updates are strongly recommended because of the zero day vulnerabilities that have been addressed. Microsoft recommends running the updates as soon as possible to keep systems secure as each of the five zero-days are currently being exploited in the wild.
The critical Patch Tuesday updates are MS16-118 for Internet Explorer, MS16-119 for Microsoft Edge, MS16-120 for Microsoft Graphics Component, MS16-122 for Microsoft Video Control, and MS16-127 for Adobe Flash Player.
Four updates have been rated important: MS-121 for Microsoft Office, MS16-123 for Windows Kernel-Mode Drivers, MS16-124 for Windows Registry, and MS16-125 for Diagnostics Hub. One update has been marked as moderate: MS16-126 for the Microsoft Internet Messaging API.
The critical updates address the zero-days CVE-2016-3298 (MS16-118) – A Microsoft browser information disclosure vulnerability; CVE-2016-7189 (MS16-119) a scripting engine remote code execution vulnerability; CVE-2016-3393 (MS16-120) a Windows graphics component RCE vulnerability; CVE-2016-7193 (MS16-121) a Microsoft Office memory corruption vulnerability; and CVE-2016-3298 (MS16-126) an Internet Explorer information disclosure vulnerability.