Microsoft moves to patch remote access bugs in IE, Edge and Windows

Datacentre admins get a break as patches target desktop flaws

Microsoft has rolled out nine security updates, some of which fix vulnerabilities allowing a hacker to take over your PC.

Part of its monthly Patch Tuesday cycle, the nine updates address flaws present in Windows Vista onwards, Office, Internet Explorer and Edge.

Five of the updates have been flagged as critical, fixing Remote Code Execution vulnerabilities that could allow a hacker to take over a victim's PC. Some of these flaws can be found in Internet Explorer (MS16-095) and Microsoft Edge (MS16-096). Hackers could take over a machine simply by making their victim visit a malicious website.

Vulnerabilities in Microsoft Office (MS16-099) could also allow remote code execution if a user opens a specially crafted Microsoft Office file. "An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user," said Microsoft in an advisory.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

MS16-097 is a critical security update for the Microsoft Graphics component, and it fixes flaws in many Microsoft software solutions, including Windows, Office, Skype for Business, and Microsoft Lync.

"The vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document," said the firm in another advisory.

There is also a vulnerability in the Windows PDF Library.

"This bug has the same sort of risk profile as MS16-099: if a potential new customer sends a request for a quote in a PDF file, you're on the horns of a dilemma," said Paul Ducklin, senior technologist at Sophos. "Do you reject it because this is your first email from them? (If so, you aren't likely to grow your business much.) Or do you open it because PDFs are widely used, and a perfectly normal part of business correspondence these days? (If so, you're accepting a small but definite risk.)"

Amol Sarwate, Qualys director of vulnerability, said in a blog post that top priority goes to patching Microsoft Office and browsers. "MS 16-099 covers issues that allow attackers to take complete control of a victim's machine remotely," he said.

"It is not too difficult to social engineer an email attachment which is targeted for users in your organisation to exploit this issue," he added.

Advertisement - Article continues below

Rapid7's security research manager, Tod Beardsley, added that this month's patches appear to concentrate on the desktop.

"It looks like IT administrators who are responsible for the datacentre machines get a break," he said.

"This is not to say the server operating systems are completely unaffected, of course. For example, Windows servers running Terminal Services tend to act as both desktop and server environments."

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/operating-systems/23119/windows-10-release-date-features-devices-and-free-upgrade-microsoft-issues
operating systems

Windows PowerToys customisation project returns

10 May 2019
Visit/operating-systems/28288/how-to-factory-reset-windows-10
operating systems

How to factory reset Windows 10

26 Mar 2019
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/operating-systems/microsoft-windows/354455/windows-7-ends-what-do-you-do-next
Microsoft Windows

Windows 7 ends: what do you do next?

4 Jan 2020

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/security/cyber-security/354468/if-not-passwords-then-what
cyber security

If not passwords then what?

8 Jan 2020
Visit/policy-legislation/31772/gdpr-and-brexit-how-will-one-affect-the-other
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020