This week Microsoft issued a host of updates to address critical flaws in Windows; 44 security vulnerabilities were addressed in total. These vulnerabilities affect a wide range of its products, including Windows, Internet Explorer, Edge, and many Microsoft Office products. The updates were spread across 16 security bulletins, 6 of which Microsoft rated as critical. The remaining patch bundles were rated important.
Critical Flaws in Windows Addressed this Patch Tuesday
To address the latest critical flaws in Windows, all of the patches should be applied as soon as possible. However, some are more important than others and should be prioritized. MS16-071 is perhaps the most important, especially for organizations that run their DNS server on the same machine as their Active Directory server. This update addresses a critical flaw in Windows Server 2012 and Windows Server 2012 R2.
MS16-071 addresses a single flaw in Microsoft’s DNS server, but it is a serious one: the vulnerability allows remote code execution if an attacker sends malicious requests to the DNS server. The update changes how DNS servers handle requests.
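The prioritization advice above (DNS Server running on the same host as Active Directory, on Windows Server 2012 or 2012 R2) can be turned into a quick inventory check. The following PowerShell script is an added example for this article, not Microsoft's own tooling; it assumes the DNS Server role registers the Windows service named `DNS`, uses the `Win32_ComputerSystem` `DomainRole` values 4 and 5 for domain controllers, and takes the bulletin's KB identifier (not given in the article) as a placeholder parameter.

```powershell
# Added inventory check (not from the article): flag hosts where the
# MS16-071 DNS Server fix should be applied first. Run locally on each
# server, or wrap in Invoke-Command for a fleet.
param(
    # Placeholder: supply the KB number for MS16-071 from the bulletin.
    [string]$KbId = 'KBNNNNNNN'
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# DomainRole 4 = backup domain controller, 5 = primary domain controller
$isDomainController = $cs.DomainRole -in 4, 5

# Assumption: the DNS Server role installs a Windows service named "DNS".
$dnsService    = Get-Service -Name DNS -ErrorAction SilentlyContinue
$dnsRunning    = ($null -ne $dnsService) -and ($dnsService.Status -eq 'Running')

# The bulletin covers Windows Server 2012 and 2012 R2.
$isServer2012  = $os.Caption -match 'Windows Server 2012'

# Has the fix already been installed? Only meaningful once $KbId is real.
$fixInstalled  = $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

$priority = if ($isServer2012 -and $isDomainController -and $dnsRunning) {
    'Patch first: DNS Server on a Server 2012/2012 R2 domain controller'
} elseif ($isServer2012 -and $dnsRunning) {
    'High: DNS Server on Server 2012/2012 R2'
} else {
    'Standard patch cycle'
}

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    OperatingSystem  = $os.Caption
    DomainController = $isDomainController
    DnsServerRunning = $dnsRunning
    FixInstalled     = $fixInstalled
    Priority         = $priority
}
```

The output is a single object per host, so the results can be piped to `Export-Csv` or sorted on `Priority` when the script is run across many machines.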
Microsoft has also issued updates to address vulnerabilities in Internet Explorer (MS16-063) and Microsoft Edge (MS16-068). These flaws would allow an attacker to gain the same rights as the current user if that user visits a malicious website configured to exploit the vulnerability.
MS16-070 should also be applied as a priority. This security bulletin addresses a number of flaws, one of which could be exploited via spam email: CVE-2016-0025, a vulnerability in the Word RTF format that could be exploited to give the attacker remote code execution. Worryingly, an attacker could exploit the flaw without the email even being opened, if the message is viewed in the Microsoft Outlook preview pane.
Adobe Flash Zero Day Being Actively Exploited
While all of these updates are important, there is an even bigger worry. A new zero-day vulnerability in Adobe Flash Player has been discovered by Kaspersky Lab researchers. Adobe has been alerted that an exploit already exists for CVE-2016-4171 and that it is being actively exploited in the wild. At present, the vulnerability is being exploited in targeted attacks on organizations by a new hacking group referred to by Kaspersky Lab as “ScarCruft.”
Earlier this week, Adobe said it would delay its scheduled updates in order to address this new vulnerability. CVE-2016-4171 affects Adobe Flash Player 21.0.0.242 and earlier versions for Windows, Mac, Chrome OS, and Linux. Updates are expected to start rolling out today.