
All Windows users should patch these critical security flaws

The company issued 12 bulletins fixing dozens of vulnerabilities in Windows, Windows Server, Internet Explorer, Office, and other products.
Written by Zack Whittaker, Contributor

Another month, another batch of major Windows security flaws.

Microsoft said Tuesday as part of its monthly security bulletin that all Windows users should patch their systems to prevent attackers from exploiting at least two critical flaws.

MS15-128 fixes a series of graphics memory corruption flaws, which can allow an attacker to install programs, view and delete data, and create new accounts with full user rights.

The flaw, , also affects Skype for Business 2016, Microsoft Lync 2010 and Lync 2013, as well as Office 2007 and Office 2010.

Another major flaw, MS15-124, affects all supported versions of Internet Explorer, which can allow an attacker to gain the same user rights as the current user. Those running as an administrator would be most affected by the flaw.

Some of the vulnerabilities in this bulletin also affect Microsoft Edge, the company's new browser that lands on Windows 10.

An attacker would have to "take advantage of compromised websites," said the advisory. "These websites could contain specially crafted content that could exploit the vulnerabilities." An attacker could also convince a user to open a web page from an email.

Both of these flaws were privately reported and are not thought to have been exploited in the wild.

Here's the rundown for the other critical flaws:

MS15-126 addresses critical flaws in JScript and VBScript, which could allow an attacker to gain the same rights as the current user. The flaws affect Windows Vista and Windows Server 2008 (and Server Core installations).

MS15-127 fixes an issue with Windows DNS, which could allow an attacker to run code as a local system account by modifying how Windows DNS servers handle requests. Only machines running Windows Server 2008 and later are affected.

MS15-129 patches issues relating to Microsoft Silverlight for both Windows and Mac users, which could lead to read-write access violations. An attacker would have to trick a user into visiting a malicious web page to carry out the attack.

MS15-130 resolves a flaw in Windows 7 and Windows Server 2008 R2, which could allow an attacker to remotely execute code by exploiting a flaw in font processing.

MS15-131 relates to Microsoft Office 2007 and later on both Windows machines and Macs, and could allow an attacker to remotely execute code if a user opens a specially crafted Office file.

Microsoft also released four other patches -- MS15-132, MS15-133, MS15-134, and MS15-135 -- for "important" issues relating to Windows.

December's patches will be available through the usual update channels.
