This month’s Patch Tuesday saw Microsoft issue 11 updates fixing over 40 unique bugs, although none of them are under active attack, while Adobe issued one of its biggest updates of the year.
Microsoft customers were hit with six critical updates including MS16-084, which covers remote code execution issues in Internet Explorer; MS16-085 which addresses similar in Edge; and MS16-088, which fixes RCE vulnerabilities in Office.
MS16-086 is a cumulative update for flaws in the Jscript and VBScript scripting engines in Windows which again could allow for remote code execution if a user visits a specially crafted website.
Proper privilege management can mitigate these critical bugs, according to Shavlik product manager, Chris Goettl.
“This is a continuation of a bulletin chain dating all the way back to MS10-022 and released in April 2010. The replacement chain is nine deep, and back in December 2015, Microsoft changed the title from ‘Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution’ to ‘Cumulative Security Update for JScript and VBScript to Address Remote Code Execution’,” he explained.
“The last three in the chain appeared in consecutive Patch Tuesdays from May to July 2016. It seems a cumulative Jscript/VBScript update may be a fairly regular addition to Patch Tuesdays, so keep an eye out for that.”
Elsewhere there’s MS18-087 to deal with. This is a critical fix for RCE and elevation of privilege bugs in Microsoft Print Spooler which could be serious if an attacker can execute a man-in-the-middle attack on a workstation or print server, or set up a rogue print server on a target network.
The final critical patch is for Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows RT 8.1, Windows Server 2012 R2, and Windows 10.
It fixes 24 vulnerabilities described in the Adobe patch APSB16-25, which in total covers 52 flaws in the buggy software.
The firm also released APSB16-26, covering 30 Adobe Reader vulnerabilities on Mac and Windows platforms.
Amol Sarwate, director of Qualys Vulnerability Labs, urged users not to delay with patching.
“This is the third Acrobat Reader fix in 2016 while the count of Adobe Flash is more than double,” he said in a blog post. “As many vulnerabilities fixed by the update allow attackers to take complete control of the victim machine we recommend applying the Flash and Reader update immediately.”