Using a thing made by Microsoft, Apple or Adobe? It probably needs a patch today
Windows, Win Server, Office, Edge, IE, Silverlight, Flash, iOS, watchOS...
Mega Patch Tuesday: Microsoft is wrapping up the summer with a dump of 14 bulletins for various security vulnerabilities in its products, while Apple and Adobe are following up with fixes of their own.
The September edition of Patch Update Tuesday sees fixes released for critical issues in Windows, Windows Server, Internet Explorer, Edge, Flash Player, iOS, Xcode, and the Apple Watch.
For Microsoft, the September security load consists of the following:
- MS16-104 An update to address ten vulnerabilities in Internet Explorer, including multiple flaws that, if targeted, allow an attacker to achieve remote code execution, escape sandbox protections, or view memory content when the victim visits a specially crafted webpage.
- MS16-105 A cumulative update for the Edge browser, patching 12 CVE-listed flaws, including seven remote code execution vulnerabilities, via malformed web pages. Also patched are information disclosure bugs that can be exploited via PDF files.
- MS16-106 Fixes five holes in the Windows Graphics Device Interface that can be exploited by simply opening an image file or viewing a page embedded with attack code.
- MS16-107 Patches seven security vulnerabilities in Office that allow remote code execution by way of memory corruption and private key theft by malicious Visual Basic macros.
- MS16-108 Covers three bugs in Exchange Server that allow for user account information disclosure, elevation of privilege, and page spoofing via links embedded in email messages. The bulletin also includes a patch from Oracle to address multiple vulnerabilities in Exchange's Oracle Outside In library.
- MS16-109 Addresses a remote code execution flaw in Silverlight, including versions for Mac and Silverlight Developer Runtime.
- MS16-110 An update for Windows to address four networking flaws, including a denial of service and two remote code execution vulnerabilities, and an information disclosure flaw that allows brute-force guessing of user passwords.
- MS16-111 Fixes five elevation of privilege vulnerabilities in Windows Kernel that allow a user to hijack or steal the login credentials of other users.
- MS16-112 Patches an elevation of privilege flaw that allows a malicious Wi-Fi hotspot to display web content on the lock screen of the targeted user.
- MS16-113 Fixes a vulnerability in the Windows Kernel Secure Mode that allows a locally-installed malicious application to view objects in memory.
- MS16-114 A patch for a remote code execution flaw in SMB Server that allows an attacker to take over a targeted server running Windows Server 2008 or crash a system running Server 2012.
- MS16-115 Patches a pair of bugs in Windows PDF Library that allow a malicious PDF file to access objects in memory.
- MS16-116 Fixes a remote code execution flaw in Microsoft's OLE Automation mechanism and the VBScript Scripting Engine that allows a specially crafted webpage to take over the targeted system. The fix also requires that the Internet Explorer update (MS16-104) be installed in order to be effective.
- MS16-117 Microsoft's update for Adobe Flash Player on Windows and Windows Server. The fix, listed by Microsoft as critical, addresses 26 of the type of security flaws that have earned Flash its reputation as the Internet's Screen Door.