Every month Microsoft publishes a large number of fixes, improvements and patches for its software, on a day known as Patch Tuesday. As part of that, Microsoft released Windows 10 build 14393.321 via a cumulative update last night. We’ve already seen the numerous features and improvements that are part of the package, but here’s whats new in terms of security.
On Tuesday, Microsoft released 10 patches for its Windows operating systems, Office suite and other important pieces of software. Out of those, five were deemed to be critical, and at least two exploits were already being used in the wild. Here they are:
MS16-118 addresses vulnerabilities in different versions of Internet Explorer. These could allow for remote code execution and escalation of privileges if the user viewed a maliciously crafted webpage. One of the vulnerabilities fixed herein allowed for an attacker to verify the presence of a specific file on the system thanks to an information disclosure flaw. This was being exploited in the wild.
MS16-119 fixed similar flaws for the Edge browser, where a vulnerability could allow for escalation of privileges and remote code execution. The update hits on a number of different levels, changing how Edge and its Javascript engine handle objects in memory, restricting what information Edge can call on, changing how the browser stores credentials and so on.
MS16-120 is another critical flaw, related to the Microsoft Graphics Component. This affected all versions of Windows, Office 2007 and 2010, Skype for Business 2016, Silverlight and Lync 2013 and 2010, as well as .NET. If a user visited a malicious website it could trigger remote code execution. The flaw could also be exploited by opening a specially-designed file. Some of the vulnerabilities patched here were already being exploited in the wild.
MS16-122 fixes a critical security flaw in Microsoft Windows, related to Microsoft Video Control. Because of the way the system handled objects in memory an attacker could run arbitrary code on a target machine. The flaw could be exploited if the current user was tricked into opening a malicious file or website.
MS16-127 is the last patch deemed critical in yesterday’s batch, and it comes with all the bugfixes that Adobe has released for Flash. It fixes vulnerabilities in the Flash player for all supported version of Windows and IE 10, IE 11 as well as Microsoft Edge. The patch contains fixes for no fewer than 12 reported vulneraries that allowed for remote code execution.
On top of these fixes, Microsoft released a number of other patches deemed to be “Important” or of “Moderate” severity, which fix security flaws in the Windows Kernel drivers, Microsoft Office, Windows Registry and a few other system components.
The cumulative update containing all of these patches is currently rolling out to all users, and as usual, we recommend installing it as soon as possible. Here’s hoping there won’t be any issues with it this month.
Source: TechNet