Microsoft Patches Four Zero Days in Latest Update
Microsoft released 10 security bulletins on Tuesday, five of which are critical and four of which fix zero-day vulnerabilities in various systems.
The Redmond giant has made it easier for admins, however, by consolidating all IE and OS fixes into a single update. These will be served to users in two ways: a security-only update or in a cumulative monthly package which also includes non-security fixes.
“Now there are 10 bulletins, but the actual number of deployable packages is less. There will be the security only or security rollup, which will bundle MS16-118, MS16-120, MS16-122, MS16-123, MS16-124, MS16-125 and MS16-126 together in a single installer,” explained Shavlik product manager, Chris Goettl.
“For systems where you have installed a newer version of .Net you will have the .Net Rollup. Skype, Lync, Office and Flash are separate updates yet. So you could have as many as seven packages to deliver to some endpoints, but most will be getting around five actual packages to test.”
All of the critical patches are for RCE bugs and the four zero-days are found in MS16-118, MS16-119, MS16-120 and MS16-121.
MS16-118 resolves 11 IE flaws including one exploit in the wild (CVE-2016-3298), while MS16-119 fixes 13 bugs in Edge and MS16-120 is a critical update for .Net Framework, Office, Skype for Business, Lync and Silverlight.
MS16-118 fixes a zero-day information disclosure bug (CVE-2016-3298) first disclosed in April and used by the AdGholas group as part of a malvertising campaign.
MS16-122 resolves one critical vulnerability in Windows and MS16-127 fixes 12 critical bugs in Adobe Flash Player Plug-In for Internet Explorer.
Not to be outdone, Adobe released its own security update: APSB16-32 fixes 12 critical (priority one) bugs in Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS.
Source: Information Security Magazine