Microsoft has issued 16 patches in May’s Patch Tuesday update, including eight which are rated as critical. It has warned some of the zero day flaws are being actively exploited by attackers in the wild.
“A full third of the vulnerabilities in May’s release are patched in Adobe Flash,” said Karl Sigler, Threat Intelligence Manager at Trustwave. “Since Flash is embedded in Microsoft’s IE and Edge browsers, Microsoft started including Adobe patches as a part of their own patch cycle last month.
“These vulnerabilities in Flash are rated Critical and it’s surely just a matter of time before they get imported into popular Exploit Kits. The final Critical bulletins are being patched in MS Office, various Windows components like Microsoft Graphics Component and one rather troubling critical RCE in Windows Shell.”
Qualys CTO Wolfgang Kandek meanwhile feels that the most pressing update for system administrators responsible for Microsoft software is the update for Internet Explorer (MS16-051). This tackles a remote code execution (RCE) flaw that is currently under attack in the wild.
MS16-054 for Office is another RCE exploit and the update addresses two critical vulnerabilities in the RTF file format that can be triggered through the Outlook preview pane without users actually clicking on the malicious file.
Microsoft’s Edge browser has also been patched with MS16-052, which deals with four critical vulnerabilities that could allow RCE if a user views a specially crafted webpage using the Edge browser.
MS16-055 meanwhile a patch for the graphical subsystem in Microsoft Windows, that is also a critical flaw that could allow RCE.
Other bulletins to be aware of are MS16-057 (Windows Shell); MS16-062 (Windows Kernel drivers); and MS16-056 and MS16-059 (Windows Journal and Windows Media Center respectively).
Qualys’s Kandek also took the opportunity to warn of another vulnerability that affects the popular open source program ImageMagick. He said the flaw is currently under active attack on the Internet and allows for remote code execution through image uploads.
“This one of more intense Patch Tuesdays in a while, including a 0-day advisory for Adobe Flash,” said Kandek. “But I’m going to reiterate the urgency of another vulnerability that might have slipped you by.”
“The popular open source program ImageMagick is currently under active attack on the Internet. At the moment no patch is available, but a workaround has been published that neutralizes current attacks. We recommend the same thing the attackers are doing: scan your infrastructure for occurrences of ImageMagick and then apply the workaround in the policy.xml file.”
Are you a security pro? Try our quiz!
Digital transformation is an ongoing journey, requiring continuous adaptation, strong leadership, and skilled talent to…
Australian computer scientist faces contempt-of-court claim after suing Jack Dorsey's Block and Bitcoin Core developers…
OpenAI's ChatGPT gets search features, putting it in direct competition with Microsoft and Google, amidst…
New Google Maps allows users to ask for detailed information on local spots, adds AI-summarised…
US-sanctioned Huawei sees sales surge in first three quarters of 2024 on domestic smartphone popularity,…
Apple posts slight decline in China sales for fourth quarter, as Tim Cook negotiates to…