October 11, 2016
Microsoft today patched a handful of zero-day vulnerabilities that are being actively exploited in Internet Explorer, Edge, Windows and Office products. The security updates were included among 10 Patch Tuesday bulletins, half of which were rated critical by Microsoft. Today also marked the first time Microsoft shipped security updates for older Windows versions (Windows 7 and 8.1, and Windows Server 2008 R2 and 2012) as single, cumulative monthly packages rather than as individually selectable patches.
Last week Microsoft announced that admins will have three choices for patch distribution going forward: a security-only update that contains just that month's new security fixes, published to WSUS and the Microsoft Update Catalog but not offered through Windows Update; a monthly rollup that contains the month's security and non-security fixes plus everything from previous rollups, delivered through Windows Update and WSUS; and a preview rollup, released on the third Tuesday of every month, that carries the non-security fixes slated for the next month's rollup together with the contents of previous rollups. Because the rollups are cumulative, installing the latest one also brings in any earlier rollup an admin skipped; the security-only updates are not cumulative, so each month's package must be installed separately.

None of the zero-day vulnerabilities had been publicly disclosed prior to today, but Microsoft said it was aware of attacks exploiting the flaws. The Internet Explorer zero day, CVE-2016-3298, was one of 11 vulnerabilities patched in the cumulative IE update, MS16-118. Although the bulletin as a whole is rated critical for remote code execution, this flaw itself is an information-disclosure vulnerability: it could allow an attacker to "test for the presence of files on disk," Microsoft said, adding that a user would have to visit a malicious website via IE 9-11 to trigger it. The same update also patches memory corruption flaws in the browser and its scripting engines, which do enable remote code execution, as well as several elevation-of-privilege flaws. The Microsoft Edge bulletin, MS16-119, also includes a patch for a zero day, CVE-2016-7189, a memory corruption vulnerability in the browser's scripting engine.
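Under the new model the first question an admin has to answer for every Windows 7 or 8.1 host is which branch it is on, since a host receiving the security-only package has to get it every month while a host on the monthly rollup only needs the latest one. The script below is an added example, not code from the article or from Microsoft: it reads the installed hotfix list and reports whether the October 2016 monthly rollup or the security-only update is present. The KB numbers in the table are assumptions for the October 2016 packages for Windows 7 SP1/Server 2008 R2 SP1 and Windows 8.1/Server 2012 R2 and should be checked against the Microsoft Update Catalog before relying on them.

```powershell
# Added example (not from the article). Reports which October 2016 servicing
# branch a Windows 7 / 8.1 host is on, based on the installed hotfix list.
# KB numbers below are assumptions for the October 2016 packages; verify them
# against the Microsoft Update Catalog for your platform.
$OctoberBranches = @{
    'Windows 7 SP1 / Server 2008 R2 SP1' = @{ Rollup = 'KB3185330'; SecurityOnly = 'KB3192391' }
    'Windows 8.1 / Server 2012 R2'       = @{ Rollup = 'KB3185331'; SecurityOnly = 'KB3192392' }
}

function Get-ServicingBranch {
    # $InstalledKbs can be supplied (e.g. from a remote inventory) or is read
    # from the local machine via Get-HotFix by default.
    param(
        [string[]]$InstalledKbs = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )

    foreach ($platform in $OctoberBranches.Keys) {
        $kb = $OctoberBranches[$platform]
        $hasRollup   = $InstalledKbs -contains $kb.Rollup
        $hasSecOnly  = $InstalledKbs -contains $kb.SecurityOnly

        if ($hasRollup -or $hasSecOnly) {
            # The monthly rollup is cumulative; the security-only update is not,
            # so a host on that branch needs every month's package individually.
            return [pscustomobject]@{
                Platform            = $platform
                Branch              = if ($hasRollup) { 'Monthly Rollup (cumulative)' } else { 'Security-only (install every month)' }
                RollupKB            = $kb.Rollup
                RollupPresent       = $hasRollup
                SecurityOnlyKB      = $kb.SecurityOnly
                SecurityOnlyPresent = $hasSecOnly
            }
        }
    }

    # Neither October 2016 package is installed: the host is either an
    # unsupported platform for this check or has not been patched this month.
    return [pscustomobject]@{
        Platform            = 'unknown or unpatched'
        Branch              = 'no October 2016 rollup or security-only update found'
        RollupKB            = $null
        RollupPresent       = $false
        SecurityOnlyKB      = $null
        SecurityOnlyPresent = $false
    }
}

# Local check:
Get-ServicingBranch | Format-List

# Checking a remote host with an existing inventory, e.g. from Get-HotFix -ComputerName:
# Get-ServicingBranch -InstalledKbs (Get-HotFix -ComputerName 'host01' | Select-Object -ExpandProperty HotFixID)
```

Get-HotFix only lists updates that register in the Win32_QuickFixEngineering class, which covers the packages above but not every update type, so a host reported as "unpatched" here should be confirmed with the Windows Update history before being escalated.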