Cyber criminals have plenty of opportunity this month with 5 vulnerabilities now under active exploit, 2 of which are shared. Microsoft has released 10 bulletins this October Patch Tuesday to address those and other vulnerabilities found in both current and old code. Quick response will be of particular importance this month.
As is often the case, we will start with the browsers. First on your list of priorities should be MS16-119, a critical update for Edge. Addressing 13 CVEs, this bulletin includes an active exploit against CVE-2016-7189 allowing remote code execution which could result in deep compromise of your system. Next up is MS16-118 a cumulative, critical update for IE but with many shared Edge vulnerabilities. CVE-2016-3298 is under active exploit for both the latest and older IE releases. This is another large bulletin with 11 CVEs addressed.
Next on your list of priorities for October should be MS16-120 which is for vulnerabilities found in older versions of Microsoft Graphics Component. This is a critical update for vulnerabilities found in Windows, .NET, Office, Skype for Business, Silverlight and Lync. Of the seven total CVEs addressed in this bulletin, one is under active exploit, CVE-2016-3393.
MS16-122 is the last of the Microsoft critical bulletins however user interaction is required for an attacker to be successful. It resolves a vulnerability in Windows which could allow a remote code execution if Video Control fails to handle objects in memory correctly.
We also have another update for Adobe Flash Player, MS16-127. This critical bulletin resolves vulnerabilities described in APSB16-32 and found in Flash Player when installed on Windows 8.1, Server 2012, RT 8.1 and Windows 10.
MS16-121 is a bulletin rated important for most versions of Office that patches a RTF remote code execution vulnerability. While the bulletin is only rated important, CVE-2016-7193 is being exploited now. MS16-126, though rated only as moderate, is also under active exploit. This security update addresses an information disclosure issue in Internet Messaging API that could allow an attacker to test for the presence of files on disk.
Lastly, Microsoft announced more details around its new cumulative patch update model which were first disclosed last month on Technet. The new patch strategy is a single monthly rollup designed to streamline patches and provide you with easier, more consistent patching. HEAT Software products support this new model and the first set of security and cumulative updates now appear in the various patch feeds. Pay special attention to the names of the new patches and be sure to read up on the topic from their latest blog post.