Microsoft patches six critical security flaws affecting Windows, Office
New year, new security patches.
Microsoft said Tuesday as part of its its monthly security bulletin that all Windows users should patch their systems to prevent attackers from exploiting at least two critical flaws.
The first two critical patches fix a number of security vulnerabilities in Internet Explorer and Microsoft Edge respectively.
The most serious flaw (MS16-001) affecting Internet Explorer could allow an attacker to remotely execute code by tricking a user into visiting a specially-crafted webpage. The attacker would gain the same user rights as the current user, which puts administrators at a greater risk.
Though one of the vulnerabilities was publicly disclosed, Microsoft said it wasn't aware of any attacker exploiting the flaw.
Microsoft Edge, the new browser exclusive to Windows 10, also gets updated with a cumulative update. The most serious flaw (MS16-002) also allows an attacker to remotely execute code from a specially-crafted webpage.
Windows Server 2016 Tech Previews 3 and 4 are affected by both bulletins, and require patching.
Here's the rundown for the other critical flaws:
MS16-003 addresses a critical flaw in the VBScript engine in Windows Vista and Windows Server 2008, which could allow an attacker to take over an affected system, including the creation of new user accounts with full system rights.
Security
MS16-004 fixes a series of memory corruption vulnerabilities in Microsoft Office, which could allow an attacker to take over an affected system by exploiting a flaw in how the suite opens and modifies documents. The good news is that the user would have to be tricked into opening the file, such as through a suspicious spam email.
MS16-005 patches a critical flaw in how some versions of Windows handle objects in memory. An attacker could retrieve objects in memory, bypassing the software's randomization security feature.
MS16-006 resolves a single vulnerability in Silverlight for both Windows and Mac, which could allow an attacker to take complete control of an affected system if a user is logged in as an administrator. The vulnerability is especially problematic for users visiting websites that utilize banner-ads on websites that are affected, but the good news is that Microsoft said it was unaware of any attacker attempting to currently exploit the flaw.
Microsoft also released four other patches -- MS16-007, MS16-008, and MS16-009 -- for "important" issues relating to Windows, such as escalation of privileges and spoofing.
January's patches will be available through the usual update channels.