Microsoft will fix critical holes in Internet Explorer, Edge, Office and Windows with this month's Patch Tuesday security bundle. Meanwhile, Adobe has patched dozens of exploitable vulnerabilities in its Flash Player.
Redmond's July release includes 11 sets of patches, six rated as "critical" and five classified as "important." The highlights are: a Secure Boot bypass, evil print servers executing code on vulnerable machines, booby-trapped webpages and Office files injecting malware into PCs, and the usual clutch of privilege elevation flaws.
Get patching now before miscreants develop and distribute code exploiting the programming blunders. As far as we can tell, none of the bugs below are being exploited in the wild right now.
- MS16-084 is a cumulative fix for Internet Explorer that addresses 15 CVE-listed vulnerabilities, including five memory corruption bugs and four scripting engine memory corruption bugs that can be exploited to execute code remotely on vulnerable machines. In other words, opening up a booby-trapped website that exploits these flaws could lead to malware infecting your PC.
"The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user," said Microsoft.
- MS16-088 patches seven memory corruption vulnerabilities in Office. The flaws could allow remote code execution if a malicious file is opened as a local document, or information disclosure if targeted at a SharePoint or Office Web Apps server. Office for Mac users will receive an update as well. Basically, malicious software can be smuggled in Office documents and will infect computers when the documents are opened.
- MS16-094 remedies a security bypass flaw in Windows Secure Boot. An attacker with admin or physical access – such as a thief or someone who has seized your PC – can exploit the vulnerability to install a policy that bypasses Secure Boot mechanisms.
"A security feature bypass vulnerability exists when Windows Secure Boot improperly applies an affected policy," Microsoft explained.
"An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded on a target device. In addition, an attacker could bypass the Secure Boot Integrity Validation for BitLocker and the Device Encryption security features.
"To exploit the vulnerability, an attacker must either gain administrative privileges or physical access to a target device to install an affected policy. The security update addresses the vulnerability by blacklisting affected policies."
- MS16-093 is Microsoft's distribution of this month's Adobe Flash Player security fixes. In all, 24 CVE-listed flaws are addressed, including remote code execution vulnerabilities. Users running Windows 8.1 and later and Server 2012 will get this update automatically. Older versions will need to get the update from Adobe (more details below).
- MS16-086 covers a single remote code execution flaw in the JScript and VBScript engines for Windows Vista and Server 2008. Later versions are not affected. "The vulnerability could allow remote code execution if a user visits a specially crafted website," admitted Microsoft.
- MS16-090 addresses six elevation of privilege vulnerabilities in all supported versions of Windows and Windows Server. An attacker can run a specially crafted application that exploits the kernel-level flaws to increase their user permissions and take over the system.
- MS16-087 is an update for flaws in the print spooler component of Windows: a man-in-the-middle attacker on a network can execute code on a remote vulnerable machine, or elevate their privileges if already running code on a system. Essentially, a rogue print server on a network can inject malware into connected PCs. All supported versions of Windows and Windows Server are vulnerable.
"A remote code execution vulnerability exists when the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers," Microsoft confessed. "An attacker who successfully exploited this vulnerability could use it to execute arbitrary code and take control of an affected system.
"An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application."
- MS16-089 fixes a single information disclosure flaw triggered when the Windows 10 kernel improperly handles objects in memory.
- MS16-091 is a patch for an information disclosure flaw in the .NET Framework triggered by running an XML file on a web application. The bug is found in all supported versions of Windows and Windows Server.
- MS16-092 addresses two flaws in the Windows kernel, one that discloses information about the kernel and another bypassing security access checks. All supported versions of Windows and Windows Server should be updated.
Meanwhile, Adobe is applying a few more strips of duct tape to holes in the internet's screen door with the July Flash Player update.
Windows, OS X, Linux, and ChromeOS users should check to make sure they have the latest version of the software.
In total, this month's patch remedies 52 CVE-listed vulnerabilities. If targeted, 49 of those would allow remote code execution, while the other three would allow information disclosure and memory leaks.