Light Patch Load for first Microsoft Update Round of 2016

The first Patch Tuesday of the year yesterday appears to be pretty mild at first sight but contains six critical bulletins affecting a broad range of products and platforms.

Over 20 vulnerabilities are covered across nine bulletins, six of which are critical fixes for remote code execution vulnerabilities.

MS16-005 is pegged by many as the most important, given that it addresses an RCE flaw (CVE-2016-0009) which has already been publicly disclosed and will affect Vista, Windows 7 or Server 2008 user in particular.

“Our second priority is MS16-004. It addresses six vulnerabilities in Microsoft Office, all capable of giving the attacker Remote Code Execution (RCE) capabilities,” explained Qualys CTO, Wolfgang Kandek.

“Microsoft rates the bulletin as ‘critical’ which is unusual for an Office bulletin. CVE-2016-0010 is the vulnerability that is rated critical and it is present in all versions of Office from 2007 to 2016, even on the Mac and RT.”

Next are critical bulletins for Internet Explorer (MS16-001) and Edge (MS16-002), addressing only two flaws, but ones which could allow attackers to remotely control a victim machine by exploiting a browser through a specially crafted web page.

MS16-006 addresses a vulnerability in Silverlight.

The update round was also notable for Microsoft’s long awaited decision to ditch support for most versions of Internet Explorer. From Tuesday, users must migrate onto the latest version according to the system their using—which for most will mean IE11.

Chris Goettl, Shavlik product manager, warned that outdated IE versions would become a bigger focus for attackers from now on.

“If you are still running applications or access sites that require IE 10 or earlier versions, you should plan to take some precautions. Restrict access to systems with outdated IE versions, virtualize them and close them off from direct internet access,” he advised.

“In extreme cases where you need to run an outdated version of IE on a system that requires access to the Internet, you should look to invest in additional protective measures, such as Bufferzone. This would containerize the browsing experience and protect the system to return it to a good state if anything untoward were to occur during that session.”

Photo © Rodu Bercan/

What’s Hot on Infosecurity Magazine?