For the last Patch Tuesday for this year, Microsoft has released 12 security bulletins, half of which are rated ‘critical’ as they give attackers remote code execution capabilities on the affected computers.
The security bulletins address vulnerabilities in Microsoft’s Windows, Office, Internet Explorer and Edge.
The first critical security bulletin, MS16-144, patches a total of 8 security vulnerabilities in Internet Explorer, 3 of which had been publicly disclosed before Microsoft issued patches for them, though the company said they are not being exploited in the wild.
The 3 publicly disclosed vulnerabilities are a Microsoft browser information disclosure vulnerability (CVE-2016-7282), a Microsoft browser security feature bypass bug (CVE-2016-7281) and a scripting engine memory corruption vulnerability (CVE-2016-7202) that allows remote code execution on the affected computer.
The remaining 5 security flaws include a scripting engine memory corruption bug, two memory corruption vulnerabilities, an information disclosure bug, and a Windows hyperlink object library information disclosure bug.
The next critical bulletin, MS16-145, addresses a total of 11 flaws in the Edge browser, 3 of which have also been publicly disclosed, but the company says they are not being actively exploited.
Two flaws (CVE-2016-7282 and CVE-2016-7281) are the same as in IE, and the third one is an information disclosure vulnerability (CVE-2016-7206) whose existence has also been made public.
The remaining 8 vulnerabilities allow an attacker to perform remote code execution and information disclosure.
Another critical bulletin, MS16-146, includes the monthly security patch for Microsoft graphics components, addressing two RCE flaws in Windows graphics components, as well as one Windows GDI information disclosure flaw.
The most severe flaws in each of the above bulletins are remote code execution (RCE) bugs, wherein viewing a specially crafted web page or opening a malicious document could remotely execute malicious code on a victim’s computer.
Other critical bulletins include MS16-147 that addresses a security issue in Windows Uniscribe and MS16-148 that fixes a total of 16 security flaws in Microsoft Office, Office Services, and Web Apps.
Those 16 vulnerabilities include 4 memory corruption bugs, one Office OLE DLL side-loading flaw, 3 security feature bypass bugs, one GDI information disclosure issue, 6 MS Office information disclosure bugs, and one elevation of privilege bug in Microsoft Auto Update (MAU).
Last but not least, critical bulletin MS16-154 addresses a total of 17 flaws in the Adobe Flash Player embedded in Edge and Internet Explorer, one of which is a zero-day that has been exploited in targeted attacks.
This bulletin contains 7 use-after-free vulnerabilities that could lead to remote code execution, 4 buffer overflow flaws, 5 memory corruption bugs that could also result in remote code execution and one security bypass issue.
The remaining bulletins, rated important, address an elevation of privilege bug in Windows Secure Kernel Mode, an information disclosure bug in the .NET Framework, two elevation of privilege issues in Windows and the Windows kernel-mode drivers, and an information disclosure bug in Windows.
Users and IT administrators are strongly advised to apply these critical security updates as soon as possible, since some of the vulnerabilities have already been publicly disclosed, giving attackers a chance to get into unpatched systems.