Microsoft releases one of its biggest security updates this year

Half of the 14 security bulletins released Tuesday cover critical vulnerabilities

Microsoft released one of its biggest security updates this year, fixing 50 vulnerabilities in its products and 26 more in Flash Player, which is bundled with its Edge browser.

The patches are split into 14 security bulletins, including the one dedicated to Flash Player, seven of which are rated critical. They address vulnerabilities in Windows, Internet Explorer, Microsoft Edge, Microsoft Exchange, Microsoft Office and Microsoft Office web services and apps.

For desktop deployments, administrators should prioritize the fixes for Internet Explorer, which are covered in the MS16-104 bulletin, Microsoft Edge (MS16-105), Microsoft Office (MS16-107), Microsoft Graphics Component (MS16-106), OLE Automation for VBScript Scripting Engine (MS16-116) and Adobe Flash Player (MS16-117).

That's because these vulnerabilities can be exploited to achieve remote code execution by tricking users to visit compromised websites or to open specifically crafted files. These are two of the most common infection vectors used in malware attacks.

One of the Internet Explorer and Edge vulnerabilities, CVE-2016-3351, could be used for information disclosure in an exploit chain.

Microsoft notes in its advisory that although this vulnerability has not been publicly disclosed, it has been exploited. The company did not, however, provide more information about the attacks leveraging it.

The security update for Silverlight (MS16-109) should also be prioritized even if though it's rated as important, rather than critical. The patched vulnerability could also lead to remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application.

On the server side, administrators should focus on the update for Microsoft Exchange (MS16-108), which patches critical vulnerabilities in the Oracle Outside In Technology (OIT).

This is a collection of software development kits (SDKs) that can be used to extract, normalize, scrub, convert and view unstructured file formats.

Researchers from Cisco's Talos team found and reported vulnerabilities in Oracle OIT earlier this year, warning that they affect products from many vendors, including Microsoft Exchange. Oracle released patches for these flaws in July and Microsoft has now imported those fixes.

The Oracle OIT vulnerabilities can be exploited to achieve remote code execution by simply sending an email with a specially crafted attachment to a vulnerable Exchange server.

The Office update should also be on server administrators' radar, because it applies to Microsoft SharePoint Server 2007, 2010 and 2013 and the flaws it covers could allow attackers to take complete control of such servers by using the Word and Excel automation service, said Amol Sarwate, the director of vulnerability labs at Qualys in a blog post.

Server admins should also look at the update for Microsoft Graphics Component (MS16-106), which affects Windows servers, and at MS16-110 "which applies to Server 2008 and 2012 and allows attackers with domain user account to could create a specially crafted request, causing Windows to execute arbitrary code with elevated permissions," Sarwate said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?