In BriefYou should not miss this month’s Patch Updates, as it brings fixes for critical issues in Adobe Flash Player, iOS, Xcode, the Apple Watch, Windows, Internet Explorer, and the Edge browser.
Adobe has rolled out a critical update to address several issues, most of which are Remote Code Execution flaws, in its widely-used Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. Whereas, Microsoft has released 14 security updates to fix a total of 50 vulnerabilities in Windows and related software.
First of all, if you have Adobe Flash Player installed and have not yet updated your software plugin, you are playing with fire.
Critical Flash Vulnerabilities Affect Windows, Mac, Linux and ChromeOS
Adobe has released its latest round of security patches to address critical vulnerabilities in Adobe Flash Player for Windows, Mac OS X, Linux and ChromeOS.
The Flash vulnerabilities could potentially allow an attacker to take control of the vulnerable system. So, users are strongly advised to update to Flash Player version 220.127.116.11 before hackers have their hands on it.
However, the best advice I can give you is to ditch this insecure, buggy software once and for all and significantly improve the security of your system in the process.
Even PornHub said Good Bye to Flash Player, so it's no longer an excuse for you to keep Flash on your PC ;)
Meanwhile, Microsoft has released its September 2016 Patch Update that includes 14 bulletins, seven of which earned its most dire "critical" rating and seven are rated as "important," addressing a total of 50 vulnerabilities.
Critical Zero-Day Exploit in the Wild
The most critical vulnerability addressed by Microsoft in the MS16-104 and MS16-105 update is a zero-day vulnerability in Internet Explorer (IE) and Edge.
Dubbed Microsoft Browser Information Disclosure Vulnerability (CVE-2016-3351), the zero-day flaw could allow an attacker to perform remote code execution attacks by tricking a victim to view a specially crafted webpage using Internet Explorer or Edge.
If exploited successfully, the attacker would gain the same user rights as the current user and could take control of an affected system, if the victim is logged on with administrative user rights, potentially allowing the attacker to install malware, modify or delete data, or even create new accounts with full user rights.
This informational disclosure bug was first reported by Proofpoint researchers with the help of Trend Micro in 2015, when they uncovered a massive malvertising campaign, dubbed AdGholas, actively exploiting the CVE-2016-3351 flaw.
The researchers also found another hacking group named GooNky actively exploiting the flaw. For in-depth details about the flaw, you can head on to Proofpoint's blog post.
Another critical bulletin MS16-108 affecting organizations using Exchange Server for their email platform addresses a file format parsing flaw that could be exploited by attackers using remote-code execution to get full control of the Exchange Server. This flaw affects all supported versions of Exchange Server.
To exploit the flaw, all an attacker needs is to send a malicious file to anyone in the organization and Boom! Exchange Server pre-parses to find out the file type, which would get the malicious exploit triggered before users even get the file.
Other Critical and Important flaws in Windows and its Software
Other critical Bulletins include MS16-106 that fixes five holes in the Windows Graphics Device Interface; MS16-107 that contains patches for Microsoft Office and SharePoint to address a total of 13 vulnerabilities; MS16-116 that fixes a RCE flaw in Microsoft OLE Automation mechanism and the VBScript Scripting Engine; and MS16-117 that includes critical fixes for Adobe Flash libraries contained in Internet Explorer 10 and 11 and Microsoft Edge.
Note: The MS16-11 fix requires users to first apply the Internet Explorer update (MS16-104) in order to be effective.
Important Bulletins include fixes for RCE flaws in Windows, SMBv1 Server and Silverlight; elevation of privilege flaws in the Windows Kernel and Windows Lock Screen; an information disclosure bug in the Windows Secure Kernel Mode; and a pair of information disclosure vulnerabilities in Windows PDF Library.
Users are advised to apply Windows as well as Adobe patches to keep away hackers and cybercriminals from taking control over your computer.
Microsoft Ends Tuesday Patches Trend
The September Patch Update was the last traditional Windows Patch Tuesday as the tech giant is moving to a new patching release model.
The future patch updates will bundle all patches together, and you will no longer be able to select which updates to install. The whole package of patches will be installed altogether, which will leave no chance for hackers to target vulnerabilities for which patches are already released.
In addition, the new "Monthly Rollup" will be combined and delivered to the users. Like the November patch update will also include all the patches from October.