To make sure nobody is left behind, Microsoft has released a total of 14 security bulletins as part of this month’s Patch Tuesday cycle, with six of them rated critical and affecting all Windows versions on the market.
First and foremost, we have MS16-129, which is a cumulative security update for Microsoft Edge patching a Remote Code Execution (RCE) flaw that would allow an attacker to gain the same privileges as the logged-in user when a malicious website is loaded.
Then there’s MS16-130, a security update for Microsoft Windows, which also patches RCE flaws that “could allow remote code execution if a locally authenticated attacker runs a specially crafted application.” MS16-131 is a critical patch that resolves vulnerabilities in the operating system that can be exploited to run arbitrary code through Microsoft Video Control.
MS16-132 is a security update for Microsoft Graphics Component fixing vulnerabilities that can be exploited when a malicious webpage is loaded, causing the Windows Animation Manager to improperly handle objects in memory. A successful attack allows hackers to install programs, view and delete data, or even create new accounts with administrator rights.
Last but not least, there’s MS16-141 (security update for Adobe Flash Player) and MS16-142 for Internet Explorer, with the latter covering all currently supported versions of the browser.
The Google-disclosed security flaw
In case you’re looking for the patch aimed at the Google-disclosed Windows vulnerability, it is MS16-135, and it is only flagged as important, which is a little unexpected given that exploits have already been spotted in the wild.
“This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system,” Microsoft says.
All patches are available right now via Windows Update, and critical ones should obviously be prioritized, but IT admins should keep in mind that system reboots are required, and work needs to be saved. We’re not aware of any botched updates at the time of writing this article, but we’ll continue monitoring the forums and let you know should anything be reported.