It was a relatively light month for critical security patches, but one major vulnerability affects every supported version of Windows.
Microsoft said in its latest monthly security bulletin -- its so-called Patch Tuesday -- that users of Windows Vista and later, including Windows 10, should patch immediately to prevent a serious flaw in how the operating system handles certain files.
The serious vulnerability (MS16-013) could allow an attacker to run arbitrary code as the logged-in user. Administrator accounts are at the greatest risk. An attacker would have to trick a user into opening a specially-crafted Journal file, which would let the attacker run programs, delete data, and create new accounts with full user rights.
Windows Server 2016 Tech Preview 4 is also affected by the vulnerability, and requires patching. The good news is that Microsoft said it wasn't aware of an attacker exploiting the flaw.
The software giant also released three other critical flaws affecting Windows and Office.
MS16-012 addresses a vulnerabilities which could allow an attacker to run code on an affected system by tricking a user into opening a specially-crafted PDF file. Users on Windows 8.1 and Windows 10 are mostly affected. The flaw was privately reported to Microsoft, and is not thought to have been exploited by attackers.
MS16-015 fixes a number of memory corruption flaws in Microsoft Office, which could let an attacker to remotely execute code if a user opens a specially-crafted Office file. An attacker would have the same access to the system as the logged-in user. The flaws were privately reported, except a separate SharePoint cross-site scripting flaw, which was publicly disclosed.
MS16-022 patches more than two-dozen separate vulnerabilities with Adobe Flash Player on all Windows 8.1 and higher.
In line with every monthly set of bulletins, the company also rolled out a cumulative patch to Internet Explorer (MS16-009) and its newer browser, Microsoft Edge for Windows 10 (MS16-011).