Microsoft fixes critical flaws in Windows, IE, Edge, and Office

Patches for more than 40 flaws are covered in 16 security bulletins, six of which rated critical

Microsoft has fixed more than 40 vulnerabilities in its products Tuesday, including critical ones in Windows, Internet Explorer, Edge, and Office.

The vulnerabilities are covered in 16 security bulletins, six of which are marked as critical and the rest as important. This puts the total number of Microsoft security bulletins for the past six months to more than 160, a six-month record during the past decade.

Companies running Windows servers should prioritize a patch for a critical remote code execution vulnerability in the Microsoft DNS Server component, covered in the MS16-071 bulletin.

Attackers can exploit this vulnerability by sending specifically crafted DNS requests to a Windows Server 2012 or a Windows Server 2012 R2 deployment configured as a DNS server.

"The impact of this vulnerability is "extremely worrisome on such a mission critical service such as DNS," Wolfgang Kandek, CTO of security vendor Qualys, said in a blog post. "Organizations that run their DNS server on the same machine as their Active Directory server need to be doubly aware of the danger of this vulnerability."

The critical bulletins for Internet Explorer and Edge, namely MS16-063 and MS16-068, should also be high on the priority list because they cover remote code execution flaws that can be exploited by simply browsing to a specially crafted website.

Next on the list should be the Microsoft Office security bulletin, MS16-070, because the applications in the Office suite are a common target for attackers, particularly through malicious email attachments.

Kandek believes that the most important vulnerability in the Office bulletin is a remote code execution flaw tracked as CVE-2016-0025 that stems from the Microsoft Word RTF format.

"Since RTF can be used to attack through Outlook’s preview pane, the flaw can be triggered with a simple e-mail without user interaction," he said.

Even though 10 security bulletins are marked as Important, companies should evaluate them in the context of their particular environments. Some of them might turn out to be urgent to some assets.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftWindows

More about MicrosoftQualys

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place