It’s the time of year when back to school is on the minds of many. As your brain shifts out of summer vacation mode, remember the cardinal rule of security and put it into practice: don’t provide administrative access to anyone who doesn’t absolutely have to have it. Users should ALWAYS have the least privilege they need for their jobs. For this month’s Patch Tuesday, Microsoft published 9 bulletins, 5 of which are critical. In all 5 critical updates, the attacker seeks to gain the user’s rights. If your user has administrative rights and the attacker is successful, your ship has sunk.
In more optimistic news, none of this month’s updates are under active exploit. It’s always important to apply all of the updates right away; however, you should start with MS16-095 for all systems running Internet Explorer and MS16-096 if you use Edge. Both of these are cumulative updates for the respective browsers and impact all current versions. Some of the vulnerabilities are shared across both and could result in privilege escalation and remote code execution.
Second on your list for August should be MS16-099. This critical update addresses one information disclosure vulnerability in Microsoft Office versions 2007, 2010, 2013, 2016 and Office for Mac. Third should be MS16-097, which is a critical update for a Microsoft Graphics Component that addresses three vulnerabilities in Windows, Office, Skype for Business and Lync, common applications used by all of us.
The last critical bulletin for August is MS16-102, which is a security update for the PDF Library in Windows. The remaining bulletins are ranked important and require your attention, especially if any of your users have administrative rights as mentioned above.
Also noteworthy are an Adobe update published today and the lack of another. There is no Flash Player update this month, which is a nice surprise. However, APSB16-27 addresses Adobe Experience Manager, so if you rely on that, get that update applied soon.
For your homework assignment, review the bulletins from Adobe, Apple, and Oracle for the past month. They have been busy providing security updates for a wide range of their applications including Java, so don’t miss them.