Sign up to our newsletter
Every month has a second Tuesday, and that means every month has a Patch Tuesday – the day when Microsoft issues its regular as clockwork bundle of security updates, fixing vulnerabilities in its software that could be exploited by malicious hackers.
Yesterday was no exception, as Microsoft issued nine security bulletins – five of which were given the highest severity rating of “critical”.
Most of the critical vulnerabilities are to be found in Microsoft’s web browsers – Internet Explorer and Edge – opening the door for attacks to be instigated simply by visiting a poisoned webpage.
But it’s not just buggy browsers. Microsoft Office is also in the firing line. As Microsoft Security Bulletin MS16-099 explains, computers are put at risk if users open a maliciously-crafted Word document:
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.
It’s easy to imagine that such a vulnerability could be exploited by malicious hackers who launch a targeted attack against an organisation by sending employees a carefully socially-engineered email with a boobytrapped document attached.
Another critical vulnerability, addressed by the MS16-097 patch, tackles addresses a problem with how Windows handles fonts, that could lead to remote code execution. The font vulnerabilities impact Microsoft Office, Skype for Business, and Microsoft Lync as well as Windows.
And the much-maligned PDF file format is having yet more headaches. MS16-102 describes how Edge users on Windows 10 are particularly vulnerable to being struck by poisoned PDFs on compromised websites:
To exploit the vulnerability on Windows 10 systems with Microsoft Edge set as the default browser, an attacker could host a specially crafted website that contains malicious PDF content and then convince users to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted PDF content to such sites. Only Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website. The browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have no way to force users to view attacker-controlled content. Instead, an attacker would have to convince users to open a specially crafted PDF document, typically by way of an enticement in an email or instant message or by way of an email attachment.
As ever, you can mitigate some of the risk by ensuring that users are not running Windows in Administrator mode.
The good news is that there are currently no known exploitations in the wild of the vulnerabilities patched by Microsoft, but you would be wise not to rest on your laurels. Whenever Microsoft issues security updates, make sure to roll them out onto vulnerable computers at your earliest opportunity to limit any potential window of attack.
Enterprise customers are recommended to test that the patches do not cause any problems during roll-out on a test set of PCs, before updating all of their computers across the business.
Author Graham Cluley, We Live Security