Microsoft Pushes Out Critical Updates For Windows and Internet Explorer

Yesterday Microsoft released some 14 patch bundles to correct at least 50 flaws in various Windows and associated software systems, including a zero-day bug in Internet Explorer.

About half of the updates released by Microsoft Tuesday earned the company’s most dire “critical” rating, meaning they could be exploited by malware or miscreants to install malicious software with no help from the user, save for maybe just visiting a hacked or booby-trapped Web site. Security firms Qualys and Shavlik have more granular writeups on the Microsoft patches.

Desktop

On the desktop side, top priority goes to browsers and Microsoft Office. This includes the Cumulative Security Update for Internet Explorer (MS16-104), which affects IE 9 to 11, and the Cumulative Security Update for Microsoft Edge (MS16-105), which only affects Windows 10. An attacker can entice users to click malicious links in an affected browser; if left unpatched, these flaws allow attackers to take complete control of the victim's machine. The security update for Microsoft Office (MS16-107) also falls into this category: its flaws, in the Click-to-Run component and in the way Office handles objects in memory, allow attackers to take complete control of the victim's machine. MS16-106 affects Windows Vista, Windows 7, 8.1 and 10 and could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document.

Next priority goes to the Silverlight bulletin (MS16-109). The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application. MS16-116 affects the VBScript Scripting Engine and allows remote code execution if an attacker successfully convinces a user of an affected system to visit a malicious or compromised website.

Server

Exchange Server administrators should focus on MS16-108, which could allow remote code execution in some of the Oracle Outside In libraries built into Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server. If left unpatched, attackers can take complete control of the server.

The Microsoft Office bulletin (MS16-107) also affects Microsoft SharePoint Server 2007, 2010 and 2013 and can allow attackers to take complete control of the server through the Word and Excel automation services on the SharePoint server.

MS16-106 affects Windows Server 2008 and 2012 along with their R2 counterparts and allows attackers to take complete control of the server system. Server administrators should also look at MS16-110, which applies to Server 2008 and 2012 and allows an attacker with a domain user account to create a specially crafted request that causes Windows to execute arbitrary code with elevated permissions.

Overall it’s a large update from Microsoft with fixes for both desktop and server components.

We recommend that you run Windows Update as soon as practical – update Windows today if possible.
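One way to verify that a patched machine actually received this month's updates, as an added example that is not part of the original post: the script below queries the Windows Update Agent's installation history through its COM API and reports which of a list of KB articles are present. The KB numbers are placeholders (the bulletins above are referenced by MS16-xxx id; the corresponding KB ids come from each bulletin's affected-software table), and the script assumes it runs on a Windows host where the Windows Update Agent is available.

```powershell
# Added example (not from the original post). Checks Windows Update history for
# the KB articles that correspond to the bulletins discussed above.
# PLACEHOLDER values: replace with the real KB ids listed in MS16-104, MS16-105,
# MS16-106, MS16-107, MS16-108, MS16-109, MS16-110 and MS16-116.
$requiredKBs = @('KB0000000', 'KB0000001')

# Windows Update Agent COM API: enumerate the local update history.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()

if ($count -eq 0) {
    Write-Warning 'No Windows Update history on this host; run Windows Update.'
    return
}

# ResultCode 2 = orcSucceeded; ignore failed or aborted installs so a KB that
# only *attempted* to install is still reported as missing.
$history = $searcher.QueryHistory(0, $count) | Where-Object { $_.ResultCode -eq 2 }

# Pull every KB id out of the update titles ("Security Update for ... (KB1234567)").
$installedKBs = $history |
    ForEach-Object { [regex]::Matches($_.Title, 'KB\d{6,7}') | ForEach-Object { $_.Value } } |
    Sort-Object -Unique

$missing = @()
foreach ($kb in $requiredKBs) {
    if ($installedKBs -contains $kb) {
        Write-Output "$kb : installed"
    } else {
        Write-Output "$kb : MISSING"
        $missing += $kb
    }
}

# Non-zero exit code lets a scheduled task or management agent flag the host.
if ($missing.Count -gt 0) { exit 1 } else { exit 0 }
```

The Windows Update history is used rather than `Get-HotFix` because `Get-HotFix` only reports updates registered as hotfixes and misses Office updates delivered through Windows Update, which matters for MS16-107; updates pushed by a third-party patch tool outside Windows Update will not appear in this history either, so cross-check with that tool's own reporting in those environments.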
