Don't touch that PDF or webpage until your Windows PC is patched

Microsoft blats bugs in super-secure web browser Edge, its OS, the Office suite, and more

Microsoft has patched 41 CVE-listed security vulnerabilities in its software this month.

The second Patch Tuesday monthly update of the year brings with it fixes for security flaws in both Internet Explorer and Edge that could allow remote-code-execution attacks simply by visiting a webpage.

Also fixed are remote-code-execution holes in the Windows PDF Viewer and Microsoft Office. The full list is as follows:

  • MS16-009 A cumulative update for Internet Explorer 9 through 11. The update includes fixes for 13 CVE-listed issues, including remote-code-execution flaws and information disclosure vulnerabilities. As with all IE updates, the fixes are considered a lower risk for Windows Server installations.
  • MS16-011 An update for the Edge browser in Windows 10 comprising six fixes for CVE-listed issues, four of which are remote-code-execution vulnerabilities.
  • MS16-012 A fix for two remote-code-execution vulnerabilities in Windows PDF Library and Reader for Windows 8.1, Server 2012 and Windows 10.
  • MS16-013 A memory-corruption vulnerability in Windows Journal potentially allowing remote code execution in Windows Vista, Server 2008, Windows 7, Windows 8.1, Server 2012 and Windows 10.
  • MS16-014 Five security holes in Windows, including two remote-code-execution holes and a denial-of-service condition in Windows DLL Loading. Also fixed were an elevation-of-privilege error in Windows and a Kerberos security bypass flaw.
  • MS16-015 Six memory-corruption vulnerabilities in Office, each of which could allow for remote code execution. The update covers Office 2007, 2010, 2013, 2013 RT, and Office 2016 as well as Office for Mac 2011 and 2016.
  • MS16-016 One elevation-of-privilege flaw in WebDAV for Windows Vista, Server 2008, Windows 7, Server 2008 R2, Windows 8.1, Server 2012, Windows RT 8.1 and Windows 10.
  • MS16-017 An elevation-of-privilege flaw in Remote Desktop Protocol that could allow an attacker to log in to systems that have enabled Remote Desktop, which is turned off by default. The issue affects Windows 7, Windows 8.1, Server 2012 and Windows 10.
  • MS16-018 An elevation-of-privilege flaw in the Win32k component for Windows Vista, Server 2008 and 2008 R2, Windows 7, Windows 8.1 and 8.1 RT, Server 2012 and 2012 R2, and Windows 10.
  • MS16-019 Updates for a denial-of-service flaw in .NET Framework and an information disclosure hole in Windows Forms. The fix covers Windows Vista, Server 2008 and 2008 R2, Windows 7, Windows 8.1 and 8.1 RT, Server 2012 and 2012 R2, and Windows 10.
  • MS16-020 A fix for one denial-of-service vulnerability in Windows Server 2012 R2. Other versions of Windows and Windows Server are not affected.
  • MS16-021 A denial-of-service vulnerability in the Network Policy Server RADIUS implementation on Windows Server 2008, Server 2008 R2 and Server 2012.

After installing the Microsoft updates, users and administrators would be wise to install monthly fixes issued Tuesday by Adobe for Flash Player. The updates cover a total of 22 CVE-listed flaws for Flash, all of which could potentially be targeted for remote-code-execution attacks.

The Flash Player update also affects versions for OS X and Linux boxes. ®