Like it or not, here are ALL your October Microsoft patches

Redmond kicks off the era of the force-fed security update


Microsoft is kicking off a controversial new security program this month by packaging all of its security updates into a single payload.

The October security release introduces Redmond's new policy of bundling all security bulletins as one download. While more convenient for end users, who now get just one bundle, the move will irk many administrators, who had preferred to individually test and apply each patch to avoid compatibility problems.

In total, ten bulletins have been bundled into the Patch Tuesday payload:

  • MS16-118 is a cumulative update for Internet Explorer to address 11 security vulnerabilities, including six remote code execution flaws, three information disclosure vulnerabilities, and two elevation of privilege conditions.
  • MS16-119 will fix 13 CVE-listed vulnerabilities present in the Edge browser. Those flaws include eight remote code execution holes, two information disclosure flaws, two elevation of privilege holes, and one security feature bypass.
  • MS16-120 addresses seven flaws in the Microsoft Graphics Component in Windows (and used by Skype and Office) that would allow remote code execution, elevation of privilege, or information disclosure by opening a web page or document containing a malformed image or font.
  • MS16-121 will fix a single remote code execution flaw in Office related to problems with the handling of RTF document files. The flaw has also been patched in Office for Mac, so OS X and macOS users should be on the lookout for an update as well.
  • MS16-122 patches a remote code execution flaw in the Windows Video Control that can be exposed with files embedded in a web page or email document.
  • MS16-123 is a patch for five CVE-listed vulnerabilities in Windows Kernel Mode Drivers that allow elevation of privilege when the user runs a locally installed application.
  • MS16-124 patches four vulnerabilities in Windows that could potentially allow local applications to view registry information.
  • MS16-125 is an update to address an elevation of privilege flaw in the Windows Diagnostic Hub related to the handling of insecure library data. That flaw could potentially be targeted via a locally installed application.
  • MS16-126 cleans up an information disclosure flaw in the Windows Internet Messaging API for Internet Explorer that Microsoft has also addressed with the above . Both bulletins will need to be installed (not a problem anymore) for the vulnerability to be fully patched.
  • MS16-127 patches twelve vulnerabilities in Flash Player for Windows 8.1, Windows 10, and Server 2012.

For those not yet getting their Flash Player fixes directly from Microsoft, Adobe has posted its own fixes for twelve remote code execution flaws in Flash.

Adobe has also posted code clean-ups for 71(!) CVE-listed security holes in Acrobat and Reader, as well as a fix for a single elevation of privilege vulnerability in Creative Cloud. ®

Similar topics


Other stories you might like

  • India reveals home-grown server that won't worry the leading edge

    And a National Blockchain Strategy that calls for gov to host BaaS

    India's government has revealed a home-grown server design that is unlikely to threaten the pacesetters of high tech, but (it hopes) will attract domestic buyers and manufacturers and help to kickstart the nation's hardware industry.

    The "Rudra" design is a two-socket server that can run Intel's Cascade Lake Xeons. The machines are offered in 1U or 2U form factors, each at half-width. A pair of GPUs can be equipped, as can DDR4 RAM.

    Cascade Lake emerged in 2019 and has since been superseded by the Ice Lake architecture launched in April 2021. Indian authorities know Rudra is off the pace, and said a new design capable of supporting four GPUs is already in the works with a reveal planned for June 2022.

    Continue reading
  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading

Biting the hand that feeds IT © 1998–2021