Microsoft has released 16 security bulletins on Tuesday resolving a total of 44 security holes in its software, including Windows, Office, Exchange Server, Internet Explorer and Edge.
Five bulletins have been rated “critical” that could be used to carry out remote code execution and affected: Windows, Internet Explorer (IE), Edge (the new, improved IE), Microsoft Office and Office services; and the remaining 11 are marked important.
One of the critical issues, MS16-071 that caused alarm bells to go off for many security experts involves a Use-After-Free bug (CVE-2016-3227), which affects Microsoft Windows Domain Name System (DNS) servers for Windows Server 2012 and 2012 R2.
The vulnerability resides in the way servers handle requests. Attackers could send a specially crafted request to a DNS server and convinced it to run arbitrary code in the context of the Local System Account, Microsoft’s advisory warns.
Another critical vulnerability is addressed in MS16-070, which patches some security holes in Microsoft Office.
The crucial Memory Corruption Vulnerability (CVE-2016-0025) resides in Microsoft Word RTF format that could allow an attacker to run arbitrary code and take control of the system if its user was logged on with administrator rights.
An attacker could trigger the exploit with a simple e-mail containing a Microsoft Word RTF file without user interaction.
The remaining two critical bulletins address multiple remote code execution vulnerabilities in Microsoft’s browsers Internet Explorer and Edge.
Rest of the bulletins addresses vulnerabilities in Windows SMB Server, Windows NetLogon, Web Proxy Auto-Discovery (WPAD), Microsoft Exchange, Active Directory, Windows PDF and more.
Meanwhile, Adobe also rolled out security patches for DNG Software Development Kit, Brackets, Creative Cloud Desktop App, and hotfixes for ColdFusion.
However, a patch for a zero-day vulnerability (CVE-2016-4171) in Adobe Flash Player that Adobe claims is being exploited in "limited, targeted attacks" was expected today but will arrive later this week.
Anton Ivanov and Costin Raiu of Kaspersky Labs discovered and reported the zero-day vulnerability in Flash Player version 220.127.116.11 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. The Flash zero-day exploit is being deployed in active espionage attacks.