Microsoft released one of its more prominent security updates, fixing 50 vulnerabilities in its products and 26 more in Flash Player, which is bundled with its Edge browser.
The patches are divided into 14 security bulletins, including the one devoted to Flash Player, seven of which are rated critical. They address vulnerabilities in Windows, Internet Explorer, Microsoft Edge, Microsoft Exchange, Microsoft Office and Microsoft Office web services and apps.
For desktop deployments, administrators should prioritize the fixes for Internet Explorer, which are included in the MS16-104 bulletin, Microsoft Edge, Microsoft Office, Microsoft Graphics Component, OLE Automation for VBScript Scripting Engine and Adobe Flash Player.
This is because these vulnerabilities can be exploited to achieve remote code execution by tricking users into visiting compromised websites or opening specially crafted documents. These are two of the most common infection vectors used in malware attacks.
One of the Internet Explorer and Edge vulnerabilities could be used for information disclosure in an exploit chain. Microsoft notes in its bulletin that although this vulnerability has not been publicly disclosed, it has been exploited. The company did not provide more details about the attacks that used it.
The security update for Silverlight should also be prioritized even though it is rated as serious rather than critical. The vulnerability it covers could also lead to remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application.
On the server side, administrators should focus on the update for Microsoft Exchange, which covers critical vulnerabilities in Oracle Outside In Technology (OIT). This is a set of software development kits (SDKs) that can be used to extract, normalize, scrub, convert and view unstructured file formats.
Researchers from Cisco’s Talos team found and reported vulnerabilities in Oracle OIT earlier this year, noting that they affect products from many vendors, including Microsoft Exchange. Oracle released patches for these vulnerabilities in July and Microsoft has now shipped those fixes. The Oracle OIT vulnerabilities can be exploited to achieve remote code execution simply by sending an email with a specially crafted attachment to a vulnerable Exchange server.
In a blog post, Amol Sarwate, the director of vulnerability labs at Qualys, said:
“The Office update should also be on server administrators’ radar because it applies to Microsoft SharePoint Server 2007, 2010 and 2013 and the flaws it covers could allow attackers to take complete control of such servers by using the Word and Excel automation service. Server admins should also look at the update for Microsoft Graphics Component (MS16-106), which affects Windows servers, and at MS16-110, which applies to Server 2008 and 2012 and allows attackers with a domain user account to create a specially crafted request, causing Windows to execute arbitrary code with elevated permissions.”