Unlucky 13 as Microsoft Unveils March Patch Update

Microsoft released 13 bulletins fixing 39 vulnerabilities this Patch Tuesday, with five bulletins designed to address critical remote code execution flaws including IE and Edge browser bugs.

The first major bulletin is MS16-023, which fixes 13 flaws in Internet Explorer that could allow an attacker to take remote control of a machine if its user visits a malicious website.

IE’s replacement, the modern Edge browser, has also been found wanting. Windows 10 users will need to apply MS16-024, which addresses 11 bugs, 10 of which are critical.

The remaining three critical bulletins relate to Windows vulnerabilities. MS16-026 fixes bugs in Graphics Fonts, MS16-027 addresses Windows Media vulnerabilities and MS16-028 cleans up Windows Media Library issues.

“In all three cases, the attacker would exploit vulnerabilities by convincing a user to open specifically concocted files and media content,” commented Shavlik product manager, Chris Goettl.

“As a result, the attacker would gain equal privileges as the current user; so least privilege rules will reduce the impact of these vulnerabilities. In the case of MS16-026, Windows 10 mitigates one of the vulnerabilities further by reducing the attacker's privileges because they can only execute out of the sandbox.”

The remaining eight bulletins are rated “important” and mostly address elevation of privilege bugs, so are most likely to be used following a critical exploit once an attacker has got into a target system, according to Qualys CTO, Wolfgang Kandek.

“You should address these vulnerabilities within the next 45 days to avoid this type of secondary use,” he advised.

Not to be outdone, there were also security updates from Mozilla and Adobe.

The browser maker released Firefox 45, which addresses 22 vulnerabilities, including eight critical flaws.

Also, perennial patcher Adobe has released two bulletins: APSB16-006 is a Priority 3 update for Digital Editions; and APSB16-009 is a Priority 2 update for Acrobat and Reader.

Another Flash update could also be on the way, according to Shavlik’s Goettl.

“If you look through the Flash Player distribution page, a new version has appeared, but none of the links have been updated to distribute it,” he explained. “This could signal the change in distribution that Adobe has warned us about for a few months now.”
