It was a relatively light Patch Tuesday for Microsoft this month with just nine bulletins issued, five of which were rated critical and four important.
MS16-095 and MS16-098 are cumulative fixes for Internet Explorer and Edge respectively. Both patch several remote code execution flaws and an attacker who successfully exploits the bugs could gain the same rights as the current user, according to Microsoft.
MS16-099 patches flaws in Microsoft Office including another RCE bug, while MS16-097 addresses a critical issue in the handling of fonts by the Windows font library.
MS16-097 fixes three vulnerabilities in Windows, Office, Skype for Business and Lync, so should be treated swiftly, according to experts.
“Users of Windows 10 using Microsoft Edge as the default browser should also focus on the Windows PDF library bug addressed in MS16-102 as it could allow attackers to control a victim machine by opening a malicious PDF,” explained Qualys director of vulnerability labs, Amol Sarwate.
In all five critical security issues attackers could seek to gain user rights – yet another reason to restrict privileges where possible, argued HEAT Software product manager, Todd Schell.
“Don’t provide administrative access to anyone who doesn’t absolutely have to have it,” he added.
All the issues addressed this month are in desktop deployments, which is also slightly unusual for a Patch Tuesday, according to Rapid7 security research manager, Tod Beardsley.
“This is not to say the server operating systems are completely unaffected, of course,” he continued.
“For example, Windows servers running Terminal Services tend to act as both desktop and server environments. For the majority of Windows server admins out there, however, you can roll out patches at a fairly leisurely pace.”
The biggest surprise this month, however, isn’t the relatively light patch load from Microsoft but the lack of a security bulletin for the under-fire Adobe Flash platform.
Adobe did release one fix though – APSB16-27, which addresses four Priority 2 flaws in Adobe Experience Manager.
Two of these (CVE-2016-4168 and CVE-2016-4170) are input validation issues that could lead to cross-site scripting attacks, one is a back-up issue which could lead to information disclosure (CVE-2016-4253) and the final one (CVE-2016-4169) “could disclose audit log events to unprivileged users.”