Patch Tuesday brought in a number of software and security updates today, including fixes for some of Adobe's products. This month, Adobe has fixed 54 security flaws in Flash Player, including bugs that are being exploited in the wild. Along with Adobe, Microsoft also released some important security updates to Internet Explorer and its Edge browser.
Patch Tuesday brings more fixes to Flash Player
Flash Player, Acrobat, Reader, and XMP Toolkit for Java received security updates in today's Patch Tuesday releases. The updates fix several critical vulnerabilities affecting Windows, OS X, Chrome OS, and Linux, and users are advised to update to the latest version of the above products if they are not automatically updated. For Flash Player, the latest versions, which fix some critical vulnerabilities, are Adobe Flash Player version 126.96.36.199 and Flash Player Extended Support Release 188.8.131.526 for Windows and Mac, and Adobe Flash Player for Linux 184.108.40.2062. The same version (220.127.116.11) also resolves the issues in the Chrome browser on Windows, OS X, Linux and Chrome OS, along with Flash for Microsoft Edge and Internet Explorer for Windows 8.1 and Windows 10.
This month's security patch has fixed several vulnerabilities in Flash, including:
- A race condition bug that could lead to information disclosure (CVE-2016-4247)
- Memory leak vulnerability (CVE-2016-4232)
- Security bypass vulnerability leading to information disclosure (CVE-2016-4178)
- Type confusion flaw
- Use-after-free vulnerabilities
- Heap buffer overflow (CVE-2016-4249)
- Stack corruption (CVE-2016-4176, CVE-2016-4177)
- 33 memory corruption vulnerabilities that could lead to code execution
Microsoft patches flaws in Internet Explorer, Edge and Office
Patch Tuesday also brought in 11 security bulletins from Microsoft that aim to resolve multiple vulnerabilities, including a flaw that could offer remote code execution capabilities to an attacker on an affected machine. Patches have been released for Internet Explorer, Microsoft Edge, Office, JScript, VBScript, and .NET Framework.
Internet Explorer has received bug fixes for 15 vulnerabilities, almost all rated critical. Microsoft has resolved multiple memory corruption, security bypass, information disclosure, and browser spoofing vulnerabilities.
Microsoft's Edge browser received 13 bug fixes today, again many rated critical with high chances of being exploited in the wild. Not sure what happened to Microsoft's claim of Edge being the most secure browser; Edge celebrates the first anniversary of its initial public release this month. Still, it's good to see these bugs being fixed in a timely manner. Both IE and Edge were facing a critical vulnerability that could allow attackers to execute code remotely on target machines.
The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Along with the now-popular Patch Tuesday releases for Flash Player and Microsoft's browsers, Office also received a patch for 7 vulnerabilities, including a remote code execution bug. Users are strongly advised to install these security updates as soon as they become available in their regions. For more details, please visit Adobe and Microsoft.