Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Microsoft Patches Critical Flaws in Internet Explorer, Edge

As part of its monthly security update cycle, Microsoft on Tuesday released 11 security bulletins to resolve multiple vulnerabilities in Internet Explorer, Edge, Office, JScript and VBScript, and .NET Framework.

As part of its monthly security update cycle, Microsoft on Tuesday released 11 security bulletins to resolve multiple vulnerabilities in Internet Explorer, Edge, Office, JScript and VBScript, and .NET Framework.

Microsoft’s security bulletin MS16-084 resolves 15 bugs in Internet Explorer (IE), most of which are Critical, highly likely to be exploited in the wild. The tech giant resolved multiple memory corruption vulnerabilities in the application, along with an IE security bypass flaw, information disclosure issues, and browser spoofing vulnerabilities.

Next in Microsoft’s update summary is the MS16-085 bulletin, which lists 13 security bugs in Edge, also rated Critical, as most of these flaws are likely to be exploited in the wild. Most of these flaws were scripting engine memory corruption bugs, but Microsoft also patched information disclosure issues and browser spoofing vulnerabilities.

The most severe of the vulnerabilities in IE and Edge could allow an attacker to execute code remotely on an affected system if a user views a specially crafted webpage using the browser. By successfully exploiting the vulnerability, the attacker would gain the same user rights as the current user and would be able to install programs; view, change, or delete data; or create new accounts with full user rights.

Today, Microsoft resolved a remote code execution bug (CVE-2016-3238) and an elevation of privilege issue in Windows Print Spooler CVE-2016-3239. The company also published a separate bulletin (MS16-086) for the scripting engine memory corruption vulnerability in JScript and VBScript tracked as CVE-2016-3204, which affects Internet Explorer.

Microsoft Office saw 7 vulnerabilities patched this Tuesday with the release of security bulletin MS16-088. One is a remote code execution bug (CVE-2016-3279) that can be exploited when the user opens a specially crafted file, while the remaining six are memory corruption flaws, yet a single one (CVE-2016-3281) is likely to be exploited.

The new round of updates also resolved information disclosure flaws in Windows Secure Kernel, .NET Framework, and Windows Kernel-Mode Drivers, five Elevation of Privilege flaws in Windows Kernel-Mode Drivers, security feature bypass in Secure Boot and Windows File System, and an information disclosure flaw in Windows Kernel.

 “Another glorious Patch Tuesday with a sprinkling of vulnerabilities quite a bit different than we’ve been seeing lately,” Bobby Kuzma, systems engineer at Core Security, told SecurityWeek.

Kuzma further commented:

MS16-087: It’s been a while since we’ve seen remote code execution in the print spooler of all places. It fails to validate printer drivers, so an attacker would need to be in a position to coerce users into installing the drivers, and the users would need permissions to do so.


MS16-089: A memory-handling information disclosure vulnerability. An attacker with local access would be able to read things from memory that they have no permissions for, allowing this, in concern with other vulnerabilities, to lead to the compromise of a system.


MS16-090: A privilege escalation attack, involving both the kernel and the GDI subsystem.


MS16-092: This impacts the application whitelisting functionality on Windows 8.1 and newer. I suspect we’ll be seeing a lot more like this as researchers and attackers both look for ways to bypass this technology.


MS16-094: Secure boot isn’t very secure, I’m afraid, when policy application and handling errors strip away its most critical protections. An attacker being able to disable integrity checks is the first step in establishing difficult to detect and difficult to remove persistence. AND it could potentially disable BitLocker encryption. Sounds like this vulnerability was a great tool for Folks That Spy On People.

In this month’s update summary, Microsoft also included a bulletin (MS16-093) to detail the patches that Adobe released earlier today for its Flash Player runtime, and which affect Windows users, as well as Mac, Linux, and ChromeOS users.

Related: Microsoft Patches Critical Flaws in Windows, Edge, Office

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.