Redmond kicks off the era of the force-fed security update
Microsoft is kicking off a controversial new security program this month by packaging all of its security updates into a single payload.
The October security release introduces Redmond’s new policy of bundling all security bulletins as one download. While more convenient for end users, who now get just one bundle, the move will irk many administrators, who had preferred to individually test and apply each patch to avoid compatibility problems.

In total, ten bulletins have been bundled into the Patch Tuesday payload:
MS16-118 is a cumulative update for Internet Explorer to address 11 security vulnerabilities, including six remote code execution flaws, three information disclosure vulnerabilities, and two elevation of privilege conditions.
MS16-119 will fix 13 CVE-listed vulnerabilities present in the Edge browser.

Those flaws include eight remote code execution holes, two information disclosure flaws, two elevation of privilege holes, and one security feature bypass.
MS16-120 addresses seven flaws in the Microsoft Graphics Component in Windows (also used by Skype and Office) that would allow remote code execution, elevation of privilege, or information disclosure when a user opens a web page or document containing a malformed image or font.
MS16-121 will fix a single remote code execution flaw in Office related to problems with the handling of RTF document files.

The flaw has also been patched in Office for Mac, so OS X and macOS users should be on the lookout for an update as well.
MS16-122 patches a remote code execution flaw in the Windows Video Control that can be exposed with files embedded in a web page or email document.
MS16-123 is a patch for five CVE-listed vulnerabilities in Windows Kernel Mode Drivers that allow elevation of privilege when the user runs a locally installed application.
MS16-124 patches four vulnerabilities in Windows that could potentially allow local applications to view registry information.
MS16-125 is an update to address an elevation of privilege flaw in the Windows Diagnostic Hub related to the handling of insecure library data.

That flaw could potentially be targeted via a locally installed application.
MS16-126 cleans up an information disclosure flaw in the Windows Internet Messaging API for Internet Explorer that Microsoft has also addressed with the above .

Both bulletins will need to be installed (not a problem anymore) for the vulnerability to be fully patched.
MS16-127 patches twelve vulnerabilities in Flash Player for Windows 8.1, Windows 10, and Server 2012.
For those not yet getting their Flash Player fixes directly from Microsoft, Adobe has posted its own fixes for twelve remote code execution flaws in Flash.
Adobe has also posted code clean-ups for 71(!) CVE-listed security holes in Acrobat and Reader, as well as a fix for a single elevation of privilege vulnerability in Creative Cloud. ®