In Brief
Microsoft's August Patch Tuesday offers nine security bulletins with five rated critical, resolving 34 security vulnerabilities in Internet Explorer (IE), Edge, and Office, as well as some serious high-profile security issues with Windows. One security bulletin, MS16-102, patches a single vulnerability (CVE-2016-3319) that could allow an attacker to control your computer just by getting you to view specially crafted PDF content in your web browser.
Users of Microsoft Edge on Windows 10 systems are at a significant risk for remote code execution (RCE) attacks through a malicious PDF file.
Web Page with PDF Can Hack Your Windows Computer
Because Edge automatically renders PDF content when it is set as the default browser, this vulnerability only affects Windows 10 users with Microsoft Edge set as the default browser, as the exploit would execute simply by viewing a PDF online.
Web browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have to convince users to open a specially crafted PDF file, typically via an email or instant message, Microsoft said in its advisory.
Once exploited, the flaw corrupts memory, allowing a hacker to run malicious code with the same privileges as the user. All the hacker needs is to either lure victims to a website containing a malicious PDF or add an infected PDF file to a website that accepts user-provided content.
While this vulnerability has neither been publicly disclosed nor seen in any attacks, it is expected to be an attractive attack vector for hackers.
Other Critical Bugs Can Take Complete Control of Your PC
A separate critical update for Edge listed in MS16-096 patches five remote code execution (RCE) flaws and three information disclosure bugs.
The company also released its monthly cumulative security update, MS16-095, for Internet Explorer (IE), patching nine vulnerabilities that can be exploited by a malicious web page to pull off remote code execution through memory corruption bugs or to disclose information about the system.
Another critical update includes Microsoft Office Patch MS16-099 that addresses four memory corruption bugs in Office that can be exploited by booby-trapped documents remotely to execute malicious code on a victim's system, taking full control of the victim machines.
The update also includes a patch for an information disclosure hole in Microsoft OneNote, which discloses memory contents and information that could be used to compromise a machine.
In addition to Windows versions of Office going back to Office 2007, Microsoft is also releasing a patch for Office for Mac 2011 and 2016.
The final critical bulletin, MS16-097, patches three Remote Code Execution flaws in the font handling library of Microsoft Graphics Component found in Windows, Office, Skype for Business and Lync that can be exploited by a malicious web page or an Office document.
For the second time, the technology giant also released a security update for Secure Boot. Rated important, the update, MS16-100, patches a security feature bypass vulnerability that occurs when Secure Boot loads a vulnerable boot manager, which could allow an attacker to install a hidden bootkit or rootkit.
This design flaw has been fixed in all supported versions of Windows and Windows Server.
Other important bulletins address vulnerabilities that lead to man-in-the-middle attacks on Windows and Windows Server, an information disclosure vulnerability in the Universal Outlook component for Windows 10, and four elevation of privilege flaws in kernel-mode drivers for Windows Vista through Windows 10 and Windows Server 2008 and 2012.
The company has also issued Cumulative Updates (KB3176493, KB3176495, KB3176492) for Windows 10 users, so those who have upgraded their systems to Microsoft's new operating system should install the updates as soon as possible.
Users are advised to patch their system and software as soon as possible.