In yesterday's October Patch Tuesday release, Microsoft highlighted dozens of critical flaws that were fixed. The company confirmed 10 security bulletins, together containing 49 vulnerabilities. The release shows how vulnerable major services are and what users can do to avoid falling victim to these flaws.
Microsoft points out that five of the critical flaws affected Internet Explorer, Edge, and Office, all of which are major services. Moreover, the company says five bulletins were rated critical. They stem from remote code execution vulnerabilities affecting Edge, Internet Explorer, Adobe Flash Player, Office, Windows, and Skype for Business.
The most worrying thing is that four of the vulnerabilities were zero-days. This means the bugs were previously unknown and are a new kind of threat. For example, the Internet Explorer zero-day is tracked as CVE-2016-3298 and appears in two bulletins.
CVE-2016-3298 gives attackers the ability to test for files on a disk. Microsoft says users would need to visit a malicious web location for the bug to be exploited on their system. The company adds that this makes it more important for users to show caution when clicking links and opening attachments from unclear sources.
Zero-Day Vulnerabilities
Office has also been affected by a zero-day vulnerability. CVE-2016-7193 makes it easier for attackers to take over a system when a user is logged in as an administrator. Again, this would require the user to open a malicious attachment or visit a nefarious website.
Microsoft has worked hard to make sure its Edge browser is secure. However, CVE-2016-7189 is an Edge zero-day found in the browser's scripting engine. Once again, it could only be exploited if the user visited a website.