It's [insert month] of 2016, and your Windows PC can still be owned by [insert document type]
Another month, another patching cycle...
Critical fixes for Office, Internet Explorer, and Windows DNS Server highlight this month's edition of Patch Update Tuesday.
The Redmond Windows slinger has kicked out 16 bulletins this month, five rated as "critical" and the remaining 11 considered "important" risks.
- MS16-063 addresses 10 CVE-listed vulnerabilities in Internet Explorer 11 running on Windows 7 through Windows 10. The fix includes remote code execution flaws exploited through malicious web pages.
- MS16-068 is a fix for eight CVE-listed flaws in Edge. Like the IE flaws, the Edge vulnerabilities would allow remote code execution simply by viewing a web page on the Edge browser.
- MS16-069 addresses three flaws in the VBscript and JScript engines in Windows Vista and Server 2008/R2. The flaws would allow remote code execution by way of a specially crafted website.
- MS16-070 patches critical flaws in Microsoft Office that could be exploited by opening a malicious Office file. The update fixes three remote code execution flaws and one information disclosure vulnerability.
- MS16-071 patches a single CVE-listed remote code execution vulnerability in Windows Server 2012 and Server 2012 R2. The flaw would allow remote code execution by sending malicious DNS requests.
- MS16-072 addresses a vulnerability in Group Policy for Windows Vista through Windows 10. The flaw, CVE-2016-3223, would allow for a man-in-the-middle data collection.
- MS16-073 is a fix for three CVE flaws that allow elevation of privilege or remote code execution in Windows Vista through Windows 10 boxes and and Windows Server 2008-2012 when an attacker is able to launch a specially-crafted application.
- MS16-074 patches three flaws in Windows that allow information disclosure or remote code execution by loading a malicious website or document.
- MS16-075 is a vulnerability in Windows SMB server that allows for elevation of privilege if a user logs into a compromised server and loads a malicious application.
- MS16-076 patches a remote code execution in NetLogon for Windows Server 2008 and 2012. An attacker could target the flaw by running a specially crafted application on the targeted network.
- MS16-077 patches two vulnerabilities in the Windows Web Proxy Auto-Discovery that could allow elevation of privilege when a system attempts to target a new proxy.
- MS16-078 updates a previously patched vulnerability in the SAM and LSAD components for Windows Vista through Windows 10 and Windows Server 2008-2012.
- MS16-079 addresses four elevation of privilege and information disclosure vulnerabilities in Outlook Web Access for Windows. An attacker could use the flaw to load a message without filtering or warning.
- MS16-080 addresses two information disclosure and one remote code execution flaw in Windows when viewing a malicious PDF file. The vulnerability is present in both Windows 8.1 and Windows 10 systems.
- MS16-081 is a flaw in Active Directory for Windows Server 2008 and 2012 that could allow an attacker to perform a denial-of-service attack on a targeted server.
- MS16-082 is a denial-of-service vulnerability in Windows 7 through Windows 10 and Windows Server 2008 and 2012. The flaw could be targeted by an attacker logging into a system and running a malicious application.
Not to be outdone, Adobe is also dumping a load of patches for the second Tuesday of the month.
- Internet Explorer
- Microsoft 365
- Microsoft Build
- Microsoft Edge
- Microsoft Office
- Microsoft Surface
- Microsoft Teams
- Office 365
- SQL Server
- Visual Studio
- Visual Studio Code
- Windows 10
- Windows 11
- Windows 7
- Windows 8
- Windows Server
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2013
- Windows Server 2016
- Windows XP
- Xbox 360