It was a relatively light month for critical security patches, but one major vulnerability affects every supported version of Windows.
Microsoft said in its latest monthly security bulletin — its so-called Patch Tuesday — that users of Windows Vista and later, including Windows 10, should patch immediately to prevent a serious flaw in how the operating system handles certain files.
The serious vulnerability (MS16-013) could allow an attacker to run arbitrary code as the logged-in user. Administrator accounts are at the greatest risk. An attacker would have to trick a user into opening a specially-crafted Journal file, which would let the attacker run programs, delete data, and create new accounts with full user rights.
Windows Server 2016 Tech Preview 4 is also affected by the vulnerability, and requires patching. The good news is that Microsoft said it wasn’t aware of an attacker exploiting the flaw.
The software giant also released three other critical flaws affecting Windows and Office.
MS16-012 addresses a vulnerabilities which could allow an attacker to run code on an affected system by tricking a user into opening a specially-crafted PDF file. Users on Windows 8.1 and Windows 10 are mostly affected. The flaw was privately reported to Microsoft, and is not thought to have been exploited by attackers.
MS16-015 fixes a number of memory corruption flaws in Microsoft Office, which could let an attacker to remotely execute code if a user opens a specially-crafted Office file. An attacker would have the same access to the system as the logged-in user. The flaws were privately reported, except a separate SharePoint cross-site scripting flaw, which was publicly disclosed.
MS16-022 patches more than two-dozen separate vulnerabilities with Adobe Flash Player on all Windows 8.1 and higher.
In line with every monthly set of bulletins, the company also rolled out a cumulative patch to Internet Explorer (MS16-009) and its newer browser, Microsoft Edge for Windows 10 (MS16-011).
Of the most serious flaws, an attacker could exploit flaws in how Internet Explorer and the Edge browser handles objects in memory and parse HTTP responses.
All of the vulnerabilities were privately reported to Microsoft, and are not thought to have been exploited by attackers.
Microsoft also released four other patches — MS16-014, MS16-016, MS16-017, MS16-018, MS16-019, MS16-020, and MS16-021 — for “important” issues, such as address elevation of privileges and denial-of-service issues.
February’s patches will be available through the usual update channels.
Post your thoughts below in the comment section.