Two Zero Days Addressed in May Patch Tuesday

Microsoft released 16 bulletins for May Patch Tuesday today – 8 of which are critical. It’s a big month overall with more than 30 CVEs addressed in total. There are also two zero days included that demand your quick attention.

If your users still use Internet Explorer, make sure MS16-051 gets applied right away. Microsoft specifically identifies IE9 on Vista and IE11 on Windows 7 and newer as requiring this critical fix. The update for browser versions 9-11 fixes vulnerabilities in which the most severe, a remote code execution, is being exploited now. CVE-2016-0189 identifies a vulnerability in the Microsoft scripting engines, so you will also need to patch MS16-053. This vulnerability could allow a remote code execution when using the widely used JScript and VBScript engines.

MS16-064 is Microsoft’s fix for the Adobe Flash vulnerability detailed in APSB16-15. Also rated critical and under active attack, this update fixes vulnerabilities in Flash Player when it is installed on Windows 8.1, RT, 10 and Server 2012. More and more organizations are turning away from Flash because of its continued security issues but if you aren’t one of those companies, it’s time to patch Flash again.

MS16-054 is another critical fix definitely worth prioritizing because it is for Office, another heavily used application. The vulnerabilities addressed in this update could allow a remote code execution if a user opens a specially crafted files.

Also this month, there are an interesting bunch of Important-class bulletins that impact a wide range of software. Generally, it appears Microsoft has been taking a look at core components including the kernel, kernel drivers, RPC, IIS and .NET. The company continues to invest in the security of these heavily used core components before critical issues arise so don’t overlook these fixes.