Microsoft’s Patch Tuesday fixes a zero-day flaw that is being exploited in the wild by a hacker group called Strontium, a group allegedly linked to senior Russian officials.
November’s security update is a fairly large one with 14 security bulletins, six of which are critical and eight rated as important.
Some may feel the top priority for IT managers is MS16-135, which fixes a vulnerability that was disclosed by Google in a controversial manner late last month. Microsoft was left fuming after Google gave Redmond just six days to patch it before it went public.
Google justified its actions saying it normally gave software vendors extensions to its 60-day disclosure period if they say they’re working on a patch, but that doesn’t apply to bugs being actively exploited, which get only seven days.
“The November Patch Tuesday is here and it’s a big one with 14 bulletins covering 68 unique CVEs,” blogged Karl Sigler, Threat Intelligence Manager at Trustwave. “Despite the large volume of patches, this patch cycle still promises to be less painful than Election Day here in the USA.
“Over all we have six bulletins rated Critical and eight rated Important. The Critical bulletins affect the usual suspects like Internet Explorer and Edge, GDI and Adobe Flash, but several components we rarely see also make an appearance including remote code execution vulnerabilities in Microsoft Video Control and Microsoft Windows core OS.”
“November Patch Tuesday is forced to share the spotlight this month,” said Todd Schell, Product Manager at Heat Software.
“It’s Election Day in the US and likely on the minds of most people. However, Microsoft also released 14 security updates today, 6 of which are rated critical. Thankfully, there is just one active exploit on an older version of Windows this month so once you’ve cast your vote, make sure to apply these updates.”
Schell thinks that browser updates should be the top priority for IT teams.
“MS16-129 is a critical, cumulative update for Edge. It addresses 17 unique CVEs, the most troublesome being the possibility of a remote code execution if a user views a malicious webpage while using Edge,” said Schell. “Internet Explorer users also have a critical, cumulative update in MS16-142 which could also result in a remote code execution when successfully exploited.”
Meanwhile MS16-141 is a critical update for Adobe Flash Player when installed on latter versions of Windows.
MS16-130 is a critical update for almost all versions of Windows, both desktop and server applications.
What do you know about Internet security? Find out with our quiz!
Welcome to Silicon UK: AI for Your Business Podcast. Today, we explore how AI can…
Japanese tech investment firm SoftBank promises to invest $100bn during Trump's second term to create…
Synopsys to work with start-up SiMa.ai on joint offering to help accelerate development of AI…
Start-up Basis raises $34m in Series A funding round for AI-powered accountancy agent to make…
Data analytics and AI start-up Databricks completes huge $10bn round from major venture capitalists as…
Congo files legal complaints against Apple in France, Belgium alleging company 'complicit' in laundering conflict…