Microsoft has released its monthly batch of 14 security bulletins, patching 68 vulnerabilities across Edge, Internet Explorer, Office, Windows and SQL Server. Two of the flaws were already being exploited in the wild before the fixes shipped, and three more had been publicly disclosed ahead of the patches.
One of the 14 bulletins covers Adobe Flash Player, which on Windows 8.1 and Windows 10 is updated through Windows Update because Microsoft ships the player with Internet Explorer and Edge on those versions. Six of the bulletins are rated critical; the remaining eight are rated important.
Administrators should put the Windows patches in bulletin MS16-135 at the top of the queue. It fixes a zero-day, a local privilege-escalation flaw in the kernel-mode win32k driver, that was already being exploited by the espionage group tracked as APT28, Fancy Bear or Strontium, depending on which vendor is naming it.
The flaw is tracked as CVE-2016-7255 and was disclosed publicly by Google last week, just 10 days after Google reported it to Microsoft, which caused some friction between the two companies. Google's disclosure policy gives a vendor seven days to ship a fix or publish mitigation advice when a bug is under active attack. Microsoft objected to that timeline, arguing that publishing details before a patch was available increased the risk to its customers rather than reducing it.
The other bulletin that should get top priority is MS16-132. It is rated critical and fixes several remote code execution vulnerabilities, among them a second zero-day under active exploitation: a flaw in the Windows font library that attackers trigger with specially crafted fonts embedded in documents or served from web pages, so simply opening a booby-trapped file or visiting a page is enough to reach the vulnerable code.
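Since the article's advice for both MS16-135 and MS16-132 is "patch first", the practical follow-up is confirming that the updates actually landed on every host. The script below is an added example, not code from the article or from Microsoft; it checks a Windows machine for a list of KB identifiers that the operator copies from the bulletin's affected-software table (the article does not list them, so they are passed in as a parameter). It merges two sources because neither is complete on its own: Get-HotFix (Win32_QuickFixEngineering) misses updates installed via MSI, while the Windows Update Agent history misses updates applied by other tools.

```powershell
# Added example (not from the article): verify that the updates for a given
# bulletin are installed. KB IDs are an operator-supplied assumption; copy
# them from the MS16-135 / MS16-132 bulletin pages for the affected SKU.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$RequiredKB      # e.g. 'KB1234567' style identifiers from the bulletin
)

function Get-InstalledKB {
    # Source 1: QuickFixEngineering via Get-HotFix.
    $ids = @(Get-HotFix | ForEach-Object { $_.HotFixID })

    # Source 2: Windows Update Agent history (catches cumulative updates on
    # Windows 10 that QFE sometimes does not report).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        foreach ($entry in $searcher.QueryHistory(0, $count)) {
            # Operation 1 = installation, ResultCode 2 = succeeded; ignore
            # uninstalls and failed attempts so a rolled-back patch is not
            # counted as present.
            if ($entry.Operation -eq 1 -and $entry.ResultCode -eq 2 -and
                $entry.Title -match 'KB(\d+)') {
                $ids += "KB$($Matches[1])"
            }
        }
    }
    $ids | Sort-Object -Unique
}

$installed = Get-InstalledKB
$missing   = @($RequiredKB | Where-Object { $installed -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Warning ("{0} is missing: {1}" -f $env:COMPUTERNAME, ($missing -join ', '))
    exit 1
}
Write-Output ("{0}: all required updates present" -f $env:COMPUTERNAME)
exit 0
```

Run it with the KB numbers for the host's Windows version (the same bulletin ships different packages per SKU, so the list differs between Windows 7, 8.1 and 10). The non-zero exit code lets the check be wired into whatever inventory or configuration-management job already runs on the fleet, and the history filter on successful installations is the part worth keeping: a failed or rolled-back install shows up in the Windows Update history too, and counting it would hide exactly the machines still exposed to CVE-2016-7255.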