Microsoft Fills Security Holes

Monday, February 15, 2016 @ 01:02 PM gHale

Microsoft’s February updates released last week include 13 bulletins that fix multiple vulnerabilities.

One of the bulletins, MS16-022, fixes the 22 Flash Player holes fixed by Adobe last week. Microsoft patched the Flash libraries used in Internet Explorer 10 and 11, and Edge.

Microsoft Releases EMET 5.5
New Protection from Unwanted Applications
Edge Now Blocks Code Injection
Microsoft’s Security Updates

The list of bulletins rated critical includes MS16-009 and MS16-011, which contain security updates for Internet Explorer and Edge. The Internet Explorer advisory describes 13 flaws, four of which also affect Edge. There are two vulnerabilities specific to Edge.

Another critical bulletin is MS16-015, which patches Microsoft Office security holes an attacker could leverage to execute arbitrary code in the context of the targeted user by getting them to open a specially crafted Office file. If the victim is an administrator, an attacker could take control of the vulnerable system.

MS16-013 patches a critical memory corruption vulnerability in Windows Journal. An attacker who can convince a user to open a specially crafted Journal file can execute arbitrary code on the targeted system with the victim’s privileges.

A critical update for Windows 8.1, Windows Server 2012 and Windows 10 resolves a remote code execution vulnerability affecting the PDF Library used in these versions of the operating system.

An “important” Windows bulletin is MS16-014, which patches flaws that can end up leveraged for remote code execution, denial-of-service (DoS), and Kerberos bypass attacks. The other bulletins rated “important” patch various types of security bugs in Windows and the .NET Framework.

While there is no indication any of the vulnerabilities patched this month have undergone attacks, however, Microsoft’s advisories said exploits for a Windows privilege escalation flaw (CVE-2016-0040) and a SharePoint XSS bug (CVE-2016-0039) ended up publicly disclosed.