Security admins are in for another busy start to the month as Microsoft’s Patch Tuesday update round yielded 13 bulletins, six of which are rated “critical” remote code execution issues.
They include MS16-022, which is the first time Microsoft has given Adobe Flash Player embedded in IE and Edge its own bulletin.
“Previously, Microsoft updated the same KB on a month by month basis with no defining elements. This is a welcome change and hopefully it bodes well for other areas where Microsoft continues to do this,” argued Tripwire software development manager, Tyler Reguly.
That bulletin fixes 22 critical remote code execution vulnerabilities in the much-maligned Adobe software.
“Attack scenarios vary from compromised, but otherwise innocent websites (look at some of the recent WordPress issues for example) that link to malicious attacker controlled domains to Flash embedded in other files such as Office documents, which targets access through e-mail,” wrote Qualys CTO Wolfgang Kandek.
“In addition attackers have shown last year that they invest into Flash based attacks, so this bulletin is on our top spot.”
MS16-015 probably comes next in priority, fixing seven flaws in Word, Excel and SharePoint. The ubiquitous Internet Explorer bulletin is also present as MS16-009, addressing 13 CVEs.
It’s notable that the critical Edge browser update, MS16-011, addresses six CVEs. However, all but two are shared with IE.
The remaining critical bulletins relate to Microsoft Journal (MS16-013) and PDF Reader (MS16-012).
“Also noteworthy this month is the Windows 10 upgrade message for Win 7 and Win 8.1 users moved from ‘Optional’ to ‘Recommended.’ For users who have chosen the ‘Give me recommended updates the same way I receive important updates’ setting, this will initiate the automatic update process to Win10,” explained HEAT senior product management director, Russ Ernst.
“For the organizations that use Windows Update, this is a big deal and you may now see your Win7 and 8.1 machines automatically updating.”
Finally, Shavlik product manager, Chris Goettl, pointed out that just two of the flaws resolved in this update round have been publicly disclosed – CVE-2016-0040 and CVE-2016-0039.