Microsoft Patches Critical Holes in Jan.

Tuesday, January 19, 2016 @ 11:01 AM gHale

Yes, it is a new year, but some monthly events keep happening: Microsoft released its first wave of security updates, which includes critical fixes for remote code execution flaws.

The fixes cover Windows, Office, Edge, Internet Explorer, Silverlight and Visual Basic.

Microsoft also plugged remote code execution and elevation of privilege holes in Windows and an address spoofing flaw in Exchange Server rated important, not critical, due to various mitigating factors.

Microsoft issued nine security bulletins covering patches for 24 vulnerabilities.

One of the updates is a security update for Windows kernel-mode drivers. It addresses one of the more severe vulnerabilities, which could allow remote code execution if a user visits a malicious website.

This patch addresses a remote code execution vulnerability tracked as CVE-2016-0009 that was publicly disclosed, making attacks more likely.

Researchers from security firm Tripwire said patches for Internet Explorer and Microsoft Edge are important because they address vulnerabilities that could be exploited remotely through malicious or compromised websites.

These patches are in the MS16-001 and MS16-002 security bulletins and will be the last ones that Internet Explorer versions 8 and 10 will ever receive. IE 9 will continue to have support on Windows Vista and Windows Server 2008 SP2.

Companies that use Outlook Web Access (OWA) should also look at MS16-010. Even though this bulletin rates as important, the vulnerability can allow attackers to launch business email compromise (BEC) attacks.

Such attacks have cost companies around the world $1.2 billion, according to statistics published in August by the FBI’s Internet Crime Complaint Center (IC3). BEC involves attackers compromising business emails, or spoofing email addresses, to instruct employees and business partners to initiate unauthorized wire transfers.

This month’s updates were also the last ones for Windows 8, which Microsoft will no longer support going forward. Windows 8 users will have to upgrade to Windows 8.1 or 10 in order to continue receiving security patches.