Microsoft fixes critical flaws in Internet Explorer and Edge

Patch Tuesday
9 Mar, 2016

Adobe also forced to patch up Acrobat again, while Mozilla updates Firefox

Microsoft today released 13 bulletins for March's Patch Tuesday, five of which are critical.

The latest bulletin from Microsoft details 39 unique vulnerabilities, which appear to affect all versions of Windows from Vista onwards, but thankfully there were no zero-day flaws.

The first critical fix this month is MS16-023, a cumulative update for Internet Explorer. This patch addresses 13 vulnerabilities that could cause a remote code execution which would allow a hacker to take over the targeted machine of a user visiting a malicious website.

Microsoft’s new browser, Edge, has also been affected, with MS16-024 reporting 11 vulnerabilities in total, 10 of which are critical.

There are also flaws in Windows PDF library (MS16-028), namely two remote code execution vulnerabilities that could be exploited when a user opens a malicious PDF file.

Word has also been updated (MS16-029). A flaw here enables a hacker to remotely execute code on target machines. There are six other updates affecting Windows components, including Kernel-Mode Drivers, USB Mass Storage Class Driver, Secondary Logon, and OLE.

Adobe also put out a number of fixes for its products today, releasing APSB16-09 to fix three critical vulnerabilities in Adobe Reader and Acrobat.

Mozilla got on the security update action as well with the release of Firefox 45, which fixes 22 vulnerabilities in its browser.

“There are no zero-days or immediately exploitable vulnerabilities this month but apply these patches as quickly as possible anyway. We have seen attackers convert vulnerabilities into exploits quickly, often needing less than 10 days,” said Wolfgang Kandek, CTO of Qualys.

Craig Young, security researcher at Tripwire, said that systems administrators will be relieved that the March bulletin is generally straightforward, as it does not contain patches for any of the typically complex environments such as Exchange and Share Point. 

“While it is still imperative that users deploy the patches as soon as possible, it is nice to see that none of the issues fixed this month were publicly disclosed or exploited ahead of the patch drop,” he said.