Microsoft has issued 16 patches in May’s Patch Tuesday update, including eight which are rated as critical. It has warned some of the zero day flaws are being actively exploited by attackers in the wild.
“A full third of the vulnerabilities in May’s release are patched in Adobe Flash,” said Karl Sigler, Threat Intelligence Manager at Trustwave. “Since Flash is embedded in Microsoft’s IE and Edge browsers, Microsoft started including Adobe patches as a part of their own patch cycle last month.
“These vulnerabilities in Flash are rated Critical and it’s surely just a matter of time before they get imported into popular Exploit Kits. The final Critical bulletins are being patched in MS Office, various Windows components like Microsoft Graphics Component and one rather troubling critical RCE in Windows Shell.”
Qualys CTO Wolfgang Kandek meanwhile feels that the most pressing update for system administrators responsible for Microsoft software is the update for Internet Explorer (MS16-051). This tackles a remote code execution (RCE) flaw that is currently under attack in the wild.
MS16-054 for Office is another RCE exploit and the update addresses two critical vulnerabilities in the RTF file format that can be triggered through the Outlook preview pane without users actually clicking on the malicious file.
Microsoft’s Edge browser has also been patched with MS16-052, which deals with four critical vulnerabilities that could allow RCE if a user views a specially crafted webpage using the Edge browser.
MS16-055 meanwhile a patch for the graphical subsystem in Microsoft Windows, that is also a critical flaw that could allow RCE.
Other bulletins to be aware of are MS16-057 (Windows Shell); MS16-062 (Windows Kernel drivers); and MS16-056 and MS16-059 (Windows Journal and Windows Media Center respectively).
Qualys’s Kandek also took the opportunity to warn of another vulnerability that affects the popular open source program ImageMagick. He said the flaw is currently under active attack on the Internet and allows for remote code execution through image uploads.
“This one of more intense Patch Tuesdays in a while, including a 0-day advisory for Adobe Flash,” said Kandek. “But I’m going to reiterate the urgency of another vulnerability that might have slipped you by.”
“The popular open source program ImageMagick is currently under active attack on the Internet. At the moment no patch is available, but a workaround has been published that neutralizes current attacks. We recommend the same thing the attackers are doing: scan your infrastructure for occurrences of ImageMagick and then apply the workaround in the policy.xml file.”
Are you a security pro? Try our quiz!
US widening lead over China on AI development, as UK places third in Stanford index…
Amazon to invest a further $4bn into AI start-up Anthropic, doubling its investment as it…
The demand for tech skills is surging, driving economic growth but revealing challenges. Financial costs,…
US Supreme Court tosses Meta's appeal over Cambridge Analytica-linked investor lawsuit, meaning case must proceed
Uber reportedly seeks $10m stake in Chinese autonomous driving firm Pony AI via US IPO,…
iPhone maker reportedly developing next-generation AI large language model for Siri for spring 2026 as…