Microsoft has decided to ruin the festive season for IT administrators with the release of 12 bulletins for December, six of which are critical with several bugs already publicly disclosed.
The 12 updates in question – one of which fixes Adobe flaws – cover a sizeable 48 vulnerabilities.
Internet Explorer update MS16-144 fixes three flaws (CVE-2016-7282, CVE-2016-7281, CVE-2016-7202) which had been publicly disclosed, while Edge update MS16-145 also fixes three previously disclosed bugs: CVE-2016-7206, CVE-2016-7282, CVE-2016-7281.
Both fix critical RCE issues, as does Office bulletin MS16-148, which resolves 16 vulnerabilities.
MS16-146 addresses critical issues in the Microsoft Graphics Component, while MS16-147 is a critical update for Microsoft Uniscribe.
Microsoft’s final critical update fixes 17 bugs in Adobe Flash Player, including CVE-2016-7892 which Shavlik product manager, Chris Goettl claimed has been “used in limited targeted attacks against Windows systems running Internet Explorer (32-bit).”
Adobe lists the update as APSB16-39. It’s the only critical bulletin out of a total of nine released on Tuesday.
According to Qualys director of vulnerability labs, Amol Sarwate, the tally brings the total number of bulletins released this year by Microsoft to 155 – around 15% higher than last year.
It brings the year to a busy end for IT staff tasked with keeping key systems up-to-date.
Research released by AlienVault yesterday claimed staff shortages and workplaces stress is taking its toll on IT pros.
Nearly half (46%) of those it interviewed claimed they’d let friends and bosses circumvent security controls or IT processes at work in part because of their high workload.
As well as the Adobe and Microsoft patches, admins have also had to keep an eye out for Mozilla, with a 30 November patch fixing a zero day threat (CVE-2016-9079) affecting SVG Animation.