A little bit of good news on the patch front this month. Microsoft issued 11 updates today, 6 of which are critical, but none of the 40 unique vulnerabilities are under active attack. The software maker is using what is likely a brief reprieve to clean up old code, so if you’re using Vista, Server 2008 and other dated operating systems, take this time to get them up to date and protected.
Taking top priority this month is actually an update released by Adobe. The company patched 52 vulnerabilities in Flash Player with APSB16-25 today, and Microsoft delivered its corresponding updates in MS16-093. While this was one of the biggest updates made by Adobe this year, it thankfully does not include any actively exploited vulnerabilities. If you’re still using Flash Player, regardless of OS, apply this update first. There are also updates for Acrobat and Reader in APSB16-26, so if you use those tools, be sure to update them too.
Getting back to Microsoft’s July bulletin release, MS16-087 fixes 2 vulnerabilities in the Windows Print Spooler which could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network. This bulletin applies to Vista, RT, Windows 7, 8.1, 10, Server 2008 and 2012, so apply it soon. MS16-086 is a critical update for JScript and VBScript in Vista and Server 2008. A successful attack could result in remote code execution if a user visits a malicious website.
Browser updates were also not forgotten this month. As usual, a critical, cumulative update for Internet Explorer was released in MS16-084, which resolves 15 vulnerabilities, but again, none of them are currently being exploited. MS16-085 is a critical, cumulative update for Edge. This bulletin addresses 13 CVEs, some of which are shared with the IE bulletin.
Overall, it is a quiet month from an attack perspective, so you are best served by using this time to take a close look at all the bulletins and update your older systems.