Microsoft Patch Tuesday Sees 47 Vulnerabilities Addressed

Microsoft Patch Tuesday saw 47 security vulnerabilities addressed in Windows, Office, Office Services and Web Apps, MS Exchange, Adobe Flash Player, and Internet Explorer and Edge. The updates are split across 14 security bulletins.

Seven of the security bulletins address critical vulnerabilities, while the remaining seven are rated as important. Microsoft has warned that failure to install the updates would leave systems vulnerable to remote code execution attacks.

The critical security bulletins are:

MS16-104: Cumulative Security Update for Internet Explorer (3183038)

MS16-105: Cumulative Security Update for Microsoft Edge (3183043)

These bulletins address vulnerabilities that could be exploited if the user visits a specially crafted webpage using the IE or Edge browsers. The vulnerabilities allow remote code execution.

If the user has administrative rights, an attacker could take full control of the system and install programs or view, corrupt, or delete data. It would also be possible for new accounts to be created with administrative user rights. One of the vulnerabilities – CVE-2016-3351 – is currently being exploited in the wild, although it has not been publicly disclosed.

MS16-106: Security Update for Microsoft Graphics Component (3185848)

This bulletin addresses one critical vulnerability in Windows 10 Version 1607. For all other versions it is rated as important. This vulnerability could be exploited by visiting a malicious website or by opening a malicious email attachment. The update corrects how the kernel-mode driver handles memory objects.

MS16-107: Security Update for Microsoft Office (3185852)

Microsoft has addressed vulnerabilities that could allow an attacker to run arbitrary code in the context of the current user. The vulnerabilities could be exploited if the user opens a specially crafted MS Office file. The update addresses how MS Office saves documents, how click-to-run components handle memory addresses, how Office components handle objects in memory, and how Outlook determines the end of MIME messages.

MS16-108: Security Update for Microsoft Exchange Server (3185883)

The Microsoft Exchange Server vulnerabilities could allow remote code execution in Oracle Outside In libraries that are built into Exchange Server. The vulnerabilities could be exploited by opening a specially crafted email attachment, such as a meeting request or a malicious MS Office document. The vulnerabilities exist in MS Exchange 2007, 2010, 2013, and 2016.

MS16-116: Security Update in OLE Automation for VBScript Scripting Engine (3188724)

Vulnerabilities have been addressed that would allow an attacker to remotely execute code if the user visits a malicious website. The update addresses all supported releases of Windows and is marked as critical for all of those releases. To protect against the vulnerabilities addressed in this bulletin, update MS16-104 must also be installed. MS16-116 corrects how the Microsoft OLE Automation mechanism and VBScript Scripting Engine in Internet Explorer handle objects in memory.

MS16-117: Security Update for Adobe Flash Player (3188128)

This update mirrors the one issued by Adobe on Tuesday and addresses vulnerabilities in Adobe Flash Player for Windows 8.1, Windows Server 2012 and 2012 R2, Windows RT 8.1 and Windows 10.

The following security bulletins have also been released. These have been rated as important.

  • MS16-109: Security Update for Silverlight (3182373)
  • MS16-110: Security Update for Windows (3178467)
  • MS16-111: Security Update for Windows Kernel (3186973)
  • MS16-112: Security Update for Windows Lock Screen (3178469)
  • MS16-113: Security Update for Windows Secure Kernel Mode (3185876)
  • MS16-114: Security Update for SMBv1 Server (3185879)
  • MS16-115: Security Update for Microsoft Windows PDF Library (3188733)

System administrators are advised to prioritize the updates. Bulletins addressing critical flaws should be applied first.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news