Microsoft released one of the biggest security updates of the year on Tuesday, with half of the fourteen security bulletins covering critical vulnerabilities.
In total, the update addresses fifty vulnerabilities in Microsoft products and 26 in Flash Player, which is relevant because Flash Player is bundled with the Edge browser.
Internet Explorer
Some of the most important updates were for Microsoft's Internet Explorer. The browser has a long-standing security issue labeled CVE-2016-3351, which attackers use to spread ransomware.
The update also addresses a number of other issues in Internet Explorer, covering versions 9 through 11 of the browser.
Of the eighteen fixes, Microsoft deemed thirteen critical, while the other five were “moderate.”
Office and Microsoft Graphics Component
Microsoft's update for Office fixes flaws in the security of SharePoint Server 2007, 2010 and 2013. The vulnerability lets attackers take complete control of the server via the Excel and Word automation service. As such, it's important that any administrators using the services apply the update as soon as possible.
Server admins will also want to install the update for Microsoft Graphics Component. It applies to Windows Server 2008 and 2012, and the vulnerability it fixes lets users with a domain account craft a request that will execute arbitrary code with elevated permissions.
Silverlight and Microsoft Exchange
Six of the fixes were for Microsoft Silverlight 5, which Microsoft labels as “important.” However, the vulnerability allows for remote code execution, so users may want to apply the update as soon as possible.
Microsoft Exchange also got some patches, focusing on vulnerabilities in Oracle Outside In Technology. OIT is a collection of SDKs that can extract, scrub, normalize and convert unstructured file formats.
The issue was first found by researchers at Cisco's Talos team in July, and a patch came shortly after. The vulnerability allows attackers to remotely execute code by sending a special attachment to an Exchange server. Microsoft has simply included the aforementioned patch in the update.
There are further issues that we haven't covered here, so feel free to look at the documentation, which lists the rest and gives more detail.