Using a thing made by Microsoft, Apple or Adobe? It probably needs a patch today
Windows, Win Server, Office, Edge, IE, Silverlight, Flash, iOS, watchOS...
Mega Patch Tuesday Microsoft is wrapping up the summer with a dump of 14 bulletins for various security vulnerabilities in its products, while Apple and Adobe are following up with fixes of their own.
The September edition of Patch Tuesday sees fixes released for critical issues in Windows, Windows Server, Internet Explorer, Edge, Flash Player, iOS, Xcode, and the Apple Watch.
For Microsoft, the September security load consists of the following:
- MS16-104 An update to address ten vulnerabilities in Internet Explorer, including multiple flaws that, if targeted, allow an attacker to achieve remote code execution, escape sandbox protections, or view memory content when the victim visits a specially crafted webpage.
- MS16-105 A cumulative update for the Edge browser, patching 12 CVE-listed flaws, including seven remote code execution vulnerabilities exploitable via malformed web pages. Also patched are information disclosure bugs that can be exploited via PDF files.
- MS16-106 Fixes five holes in the Windows Graphics Device Interface that can be exploited by simply opening an image file or viewing a page embedded with attack code.
- MS16-107 Patches seven security vulnerabilities in Office that allow remote code execution by way of memory corruption and private key theft by malicious Visual Basic macros.
- MS16-108 Covers three bugs in Exchange Server that allow for user account information disclosure, elevation of privilege, and page spoofing via links embedded in email messages. The bulletin also includes a patch from Oracle to address multiple vulnerabilities in Exchange's Oracle Outside In library.
- MS16-109 Addresses a remote code execution vulnerability in Silverlight, including the versions for Mac and the Silverlight Developer Runtime.
- MS16-110 An update for Windows to address four networking flaws, including a denial of service and two remote code execution vulnerabilities, and an information disclosure flaw that allows brute-force guessing of user passwords.
- MS16-111 Fixes five elevation of privilege vulnerabilities in the Windows kernel that allow a user to hijack or steal the login credentials of other users.
- MS16-112 Patches an elevation of privilege flaw that allows a malicious Wi-Fi hotspot to display web content on the lock screen of the targeted user.
- MS16-113 Fixes a vulnerability in Windows Kernel Secure Mode that allows a locally installed malicious application to view objects in memory.
- MS16-114 A patch for a remote code execution flaw in SMB Server that allows an attacker to take over a targeted server running Windows Server 2008 or crash a system running Server 2012.
- MS16-115 Patches a pair of bugs in Windows PDF Library that allow a malicious PDF file to access objects in memory.
- MS16-116 Fixes a remote code execution flaw in the Microsoft OLE Automation mechanism and the VBScript Scripting Engine that allows a specially crafted webpage to take over the targeted system. The fix also requires that the Internet Explorer update (MS16-104) be installed in order to be effective.
- MS16-117 Microsoft's update for Adobe Flash Player on Windows and Windows Server. The fix, listed by Microsoft as critical, addresses 26 security flaws of the type that have earned Flash its reputation as the Internet's Screen Door.
Apple and Adobe follow Redmond's lead
Apple, meanwhile, has pushed out security fixes of its own for its software. The iPhone maker released iOS 10 and 10.0.1 on Tuesday and was immediately beset by a number of users complaining that their devices had been bricked upon installation of the new OS. This problem has apparently now been fixed, so updating your iThing to iOS 10 will work as expected.
If you've downloaded the dodgy upgrade but not installed it, delete it and fetch the working version. If you installed the faulty update, you will need to wipe and restore your device before getting back iOS 10.0.1. Let's hope you kept a backup.
For those who do get through the process unscathed, iOS 10.0.1 includes fixes for seven CVE-listed security vulnerabilities. Those flaws include a vulnerability that allows for user email credentials to be stolen, a flaw that causes keyboard auto-correct to reveal user passwords as suggestions, and a vulnerability that prevents an infected iOS device from receiving updates from Apple (though if you've already fallen victim to that one you would have a hard time getting the fix, wouldn't you?).
Apple has also released the watchOS 3 update ahead of the Friday release of the new Apple Watch line. The security content of the firmware update addresses a flaw in PlaceData that allows applications to view a wearer's location details.
And then there's Adobe, which posted an update for Flash Player that addresses 29 CVE-listed security flaws, including multiple remote code execution vulnerabilities in the Windows, Linux, OS X and ChromeOS versions of the browser plug-in.
After you have patched (or killed) Flash Player, Adobe also recommends updating any installed copies of Digital Editions, to address seven security flaws, and the AIR SDK, which has a fix for a secure transmission vulnerability. ®