Patch Tuesday: Microsoft Tackles Multiple Zero-Day Flaws

Microsoft has delivered its monthly Patch Tuesday update that includes fixes for the usual suspects such as Internet Explorer, Edge and Microsoft Office.

Redmond is also changing the way it delivers its security update with a new system designed to give system administrators more time to test the patches on their own systems.

Patch Tuesday

The latest Patch Tuesday from Microsoft delivers 10 bulletins that has a total of 36 unique CVEs (Common Vulnerabilities and Exposures).

Six of these bulletins are rated critical and a large number of zero-day flaws have been fixed, so system administrators will have a busy few days ahead.

This Patch Tuesday … definitely a step back from September’s massive list, but also not a light month by any measure,” blogged Karl Sigler, Threat Intelligence Manager at Trustwave. “Six of the bulletins are rated Critical and is mostly a list of our usual suspects, namely Internet Explorer, Edge, Graphics Component, Adobe Flash and the Microsoft Office suite.”

“The sixth Critical bulletin is in Windows Object Linking and Embedding (OLE),” wrote Sigler. “The vulnerability allows an attacker to execute arbitrary code in the context of the victim’s account by tricking the victim into opening a specific email or visiting a website.”

Microsoft has fixed zero day flaws with Internet Explorer and Edge with MS16-118 and MS16-118 respectively. MS16-121 resolves a vulnerability in Microsoft Office for an RTF remote code execution flaw. MS16-120 tackles a flaw with Microsoft Graphics Component.

MS16-127 addresses the vulnerabilities in Adobe Flash Player by updating the affected Flash libraries contained within both of Microsoft web browsers.

Researchers at Proofpoint meanwhile pointed out in a new blog post that Microsoft has patched a zero day vulnerability which was associated with the AdGholas malvertising campaign.

It seems that Proofpoint researchers Will Metcalf and Kafeine first detected AdGholas earlier this year, and they warned at the time that it had pulled in as many as one million client machines per day, and that it had been in operation since 2015.

“Threat actors, particularly those in the AdGholas and GooNky groups, continue to look for new means to exploit browser flaws,” blogged the Proofpoint researchers. “More importantly, though, they are turning to flaws that allow them to focus on ‘high-quality users’, specifically consumers rather than researchers, vendors, and sandbox environments that could detect their operations.”

Update Changes

Microsoft meanwhile has begun to change the way it delivers its Patch Tuesday update to help ease the burden on system administrators.

Microsoft’s new approach to patches will be based on a two-step method,” explained Amol Sarwate, director of Vulnerability Labs at Qualys. Firstly “Patch Tuesday … includes two main parts in itself; a security-only update and a security monthly rollup. Internet Explorer is included within this update.”

Second is “Third Tuesday …this is a monthly package of information of what to expect as a non-security fix in the next monthly rollup,” blogged Sarwate. “It details what the fixes were from the previous month to enable customers to test their systems before the next month.”

Quiz: What do you know about cybersecurity in 2016?

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

AT&T Admits Data Breach Impacted “Nearly All” Customers

American telecommunications giant AT&T admits that “nearly all” customer accounts were compromised in 2022 breach

12 hours ago

Elon Musk’s X Breached DSA Rules, EU Finds

X's Blue checks 'used to mean trustworthy sources of information. Now our preliminary view is…

16 hours ago

Japan’s SoftBank Acquires AI Chip Start-up Graphcore

SoftBank Group has purchased another British chip firm, with the acquisition of Bristol-based Graphcore Ltd…

17 hours ago

Samsung AI-Upgraded Bixby Voice Assistant Coming This Year

Samsung reportedly confirms it will launch the upgraded voice assistant Bixby this year, that will…

1 day ago

Next Neuralink Brain Implant Coming Soon, Says Musk

Despite an issue with first Neuralink implant in a patient, Elon Musk says second brain…

1 day ago

EU Accepts Apple’s Legal Commitments To Open NFC Access

Legal commitment over Apple's NFC-based mobile payments system, which is to be opened to rival…

1 day ago