Microsoft moves to patch remote access bugs in IE, Edge and Windows
Datacentre admins get a break as patches target desktop flaws


Microsoft has rolled out nine security updates, some of which fix vulnerabilities allowing a hacker to take over your PC.
Part of its monthly Patch Tuesday cycle, the nine updates address flaws present in Windows Vista onwards, Office, Internet Explorer and Edge.
Five of the updates have been flagged as critical, fixing Remote Code Execution vulnerabilities that could allow a hacker to take over a victim's PC. Some of these flaws can be found in Internet Explorer (MS16-095) and Microsoft Edge (MS16-096). Hackers could take over a machine simply by making their victim visit a malicious website.
Vulnerabilities in Microsoft Office (MS16-099) could also allow remote code execution if a user opens a specially crafted Microsoft Office file. "An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user," said Microsoft in an advisory.
MS16-097 is a critical security update for the Microsoft Graphics component, and it fixes flaws in many Microsoft software solutions, including Windows, Office, Skype for Business, and Microsoft Lync.
"The vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document," said the firm in another advisory.
There is also a vulnerability in the Windows PDF Library.
"This bug has the same sort of risk profile as MS16-099: if a potential new customer sends a request for a quote in a PDF file, you're on the horns of a dilemma," said Paul Ducklin, senior technologist at Sophos. "Do you reject it because this is your first email from them? (If so, you aren't likely to grow your business much.) Or do you open it because PDFs are widely used, and a perfectly normal part of business correspondence these days? (If so, you're accepting a small but definite risk.)"
Amol Sarwate, Qualys director of vulnerability, said in a blog post that top priority goes to patching Microsoft Office and browsers. "MS 16-099 covers issues that allow attackers to take complete control of a victim's machine remotely," he said.
"It is not too difficult to social engineer an email attachment which is targeted for users in your organisation to exploit this issue," he added.
Rapid7's security research manager, Tod Beardsley, added that this month's patches appear to concentrate on the desktop.
"It looks like IT administrators who are responsible for the datacentre machines get a break," he said.
"This is not to say the server operating systems are completely unaffected, of course. For example, Windows servers running Terminal Services tend to act as both desktop and server environments."
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.