Using a thing made by Microsoft, Apple or Adobe? It probably needs a patch today

Windows, Win Server, Office, Edge, IE, Silverlight, Flash, iOS, watchOS...


Mega Patch Tuesday: Microsoft is wrapping up the summer with a dump of 14 bulletins for various security vulnerabilities in its products, while Apple and Adobe are following up with fixes of their own.

The September edition of Patch Update Tuesday sees fixes released for critical issues in Windows, Windows Server, Internet Explorer, Edge, Flash Player, iOS, Xcode, and the Apple Watch.

For Microsoft, the September security load consists of the following:

  • MS16-104 An update to address ten vulnerabilities in Internet Explorer, including multiple flaws that, if targeted, allow an attacker to achieve remote code execution, escape sandbox protections, or view memory content when the victim visits a specially crafted webpage.
  • MS16-105 A cumulative update for the Edge browser, patching 12 CVE-listed flaws, including seven remote code execution vulnerabilities exploitable via malformed web pages. Also patched are information disclosure bugs that can be exploited via PDF files.
  • MS16-106 Fixes five holes in the Windows Graphics Device Interface that can be exploited by simply opening an image file or viewing a page embedded with attack code.
  • MS16-107 Patches seven security vulnerabilities in Office that allow remote code execution by way of memory corruption and private key theft by malicious Visual Basic macros.
  • MS16-108 Covers three bugs in Exchange Server that allow for user account information disclosure, elevation of privilege, and page spoofing via links embedded in email messages. The bulletin also includes a patch from Oracle to address multiple vulnerabilities in Exchange's Oracle Outside In library.
  • MS16-109 Addresses a remote code execution flaw in Silverlight, including versions for Mac and Silverlight Developer Runtime.
  • MS16-110 An update for Windows to address four networking flaws, including a denial of service and two remote code execution vulnerabilities, and an information disclosure flaw that allows brute-force guessing of user passwords.
  • MS16-111 Fixes five elevation of privilege vulnerabilities in Windows Kernel that allow a user to hijack or steal the login credentials of other users.
  • MS16-112 Patches an elevation of privilege flaw that allows a malicious Wi-Fi hotspot to display web content on the lock screen of the targeted user.
  • MS16-113 Fixes a vulnerability in the Windows Kernel Secure Mode that allows a locally installed malicious application to view objects in memory.
  • MS16-114 A patch for a remote code execution flaw in SMB Server that allows an attacker to take over a targeted server running Windows Server 2008 or crash a system running Server 2012.
  • MS16-115 Patches a pair of bugs in Windows PDF Library that allow a malicious PDF file to access objects in memory.
  • MS16-116 Fixes a remote code execution flaw in Microsoft OLE Automation mechanism and the VBScript Scripting Engine that allows a specially crafted webpage to take over the targeted system. The fix also requires that the Internet Explorer update (MS16-104) be installed in order to be effective.
  • MS16-117 Microsoft's update for Adobe Flash Player on Windows and Windows Server. The fix, listed by Microsoft as critical, addresses 26 of the type of security flaws that have earned Flash its reputation as the Internet's Screen Door.
