Like it or not, here are ALL your October Microsoft patches

Redmond kicks off the era of the force-fed security update

Microsoft is kicking off a controversial new security program this month by packaging all of its security updates into a single payload.

The October security release introduces Redmond's new policy of bundling all security bulletins as one download. While more convenient for end users, who now get just one bundle, the move will irk many administrators, who had preferred to individually test and apply each patch to avoid compatibility problems.

In total, ten bulletins have been bundled into the Patch Tuesday payload:

  • MS16-118 is a cumulative update for Internet Explorer to address 11 security vulnerabilities, including six remote code execution flaws, three information disclosure vulnerabilities, and two elevation of privilege conditions.
  • MS16-119 will fix 13 CVE-listed vulnerabilities present in the Edge browser. Those flaws include eight remote code execution holes, two information disclosure flaws, two elevation of privilege holes, and one security feature bypass.
  • MS16-120 addresses seven flaws in the Microsoft Graphics Component in Windows (also used by Skype and Office) that would allow remote code execution, elevation of privilege, or information disclosure when a user opens a web page or document containing a malformed image or font.
  • MS16-121 will fix a single remote code execution flaw in Office related to problems with the handling of RTF document files. The flaw has also been patched in Office for Mac, so OS X and macOS users should be on the lookout for an update as well.
  • MS16-122 patches a remote code execution flaw in the Windows Video Control that can be exposed with files embedded in a web page or email document.
  • MS16-123 is a patch for five CVE-listed vulnerabilities in Windows Kernel Mode Drivers that allow elevation of privilege when the user runs a locally installed application.
  • MS16-124 patches four vulnerabilities in Windows that could potentially allow local applications to view registry information.
  • MS16-125 is an update to address an elevation of privilege flaw in the Windows Diagnostic Hub related to the handling of insecure library data. That flaw could potentially be targeted via a locally installed application.
  • MS16-126 cleans up an information disclosure flaw in the Windows Internet Messaging API for Internet Explorer that Microsoft has also addressed in the Internet Explorer update above. Both bulletins will need to be installed (not a problem anymore) for the vulnerability to be fully patched.
  • MS16-127 patches twelve vulnerabilities in Flash Player for Windows 8.1, Windows 10, and Server 2012.

For those not yet getting their Flash Player fixes directly from Microsoft, Adobe has posted its own fixes for twelve remote code execution flaws in Flash.

Adobe has also posted code clean-ups for 71(!) CVE-listed security holes in Acrobat and Reader, as well as a fix for a single elevation of privilege vulnerability in Creative Cloud. ®
