Fixes for critical flaws in Adobe Flash running on Microsoft’s Internet Explorer and Edge web browsers are among a slew of “important” security updates in Microsoft’s latest Patch Tuesday. 
This month’s package isn’t as bad as the one before it, when there were a lot of serious vulnerabilities to deal with, but it will still top many a sysadmin’s daily to-do list. Microsoft notes that all versions of Windows are affected, and says that users of Windows Vista and later, including Windows 10, need to get patching immediately. 
Wolfgang Kandek, chief technology officer at security firm Qualys, noted that after a busy January, things had more or less returned to normal.
“We are back to normal numbers on Patch Tuesday. After a light start with nine bulletins in January we are getting 12 bulletins (five critical) in February, which is in line with the average count for last year of 12.25 a month. Actually it is 13, but the last one this month, MS16-022, is more of a packaging change,” he said.
He continued: “It concerns Adobe Flash, a software package where updating has already been handled by Microsoft for the last three-and-a-half years in the Internet Explorer 10 and 11 browsers.
“The highest priority item is MS16-022, which contains fixes for 22 vulnerabilities for Adobe Flash, all of them rated as ‘critical’ and capable of handing the attacker complete control over the target machine.”
The Flash update was also singled out by Tyler Reguly, manager of software development at Tripwire, who said that this is “one of the best changes” that February has to offer. In case you missed it, no one likes Flash these days.
He added: “One of the best changes this month is that Adobe Flash Player, embedded in Microsoft IE and Edge, has finally received its own bulletin. Previously, Microsoft updated the same Knowledge Base on a month-by-month basis with no defining elements.
“This is a welcome change and hopefully bodes well for other areas where Microsoft continues to do this.”
A large chunk of the Microsoft fixes provide protection against remote code execution (RCE) threats. One of these applies to Windows Journal, which has piqued the interest of Craig Young, a security researcher at Tripwire.
“Today marks the 12th RCE bug Microsoft is patching in Windows Journal in just 10 months. This is particularly interesting because Windows Journal vulnerabilities were basically unheard of before 2015,” he said.
“While the increased scrutiny of Windows Journal may be an indication of Microsoft’s successes in the tablet space, it is important to remember that the flaw is not limited to tablets.
“In fact, every piece of software installed on a computer adds to the potential attack surface even if that software is not frequently used,” he said.