This month Adobe and Microsoft have decided to issue 45 updates for their products, patching everything they can.
Adobe released 5 security advisories patching 6 vulnerabilities in Adobe DNG SDK, Brackets, Creative Cloud and ColdFusion. Zero-day vulnerability CVE-2016-4171, discovered by Kaspersky Lab, was not patched though. The vendor has promised to issue an update later this week.
We recommend users to disable Adobe Flash until the patched is available, or at least install EMET to mitigate potential exploitation risk, since this vulnerability is being actively exploited by hackers. Below is a table with brief review of patched for Adobe:
| Software | Severity | CVE/CVSS | Known exploits |
| APSA16-03: Security Advisory for Adobe Flash Player | |||
| Adobe Flash Player | Critical |
CVE-2016-4171 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] |
Exploited in the wild |
| APSB16-19: Security update available for the Adobe DNG Software Development Kit (SDK) | |||
| Adobe DNG SDK | High |
CVE-2016-4167 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] |
No |
| APSB16-20: Security update available for Adobe Brackets | |||
| Adobe Brackets | Low |
CVE-2016-4164 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] CVE-2016-4165 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
No |
| APSB16-21: Security update available for the Creative Cloud Desktop Application | |||
| Creative Cloud | High |
CVE-2016-4157 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-4158 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] |
No |
| APSB16-22: Security Update: Hotfixes available for ColdFusion | |||
| ColdFusion | Low |
CVE-2016-4159 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] |
No |
Microsoft Patched 39 vulnerabilities in 16 security bulletins, including 3 vulnerabilities in Oracle Outside In libraries, used by Microsoft Exchange server.
None of the vulnerabilities are zero-days this time. However, several of them may cause serious security issues.
The most dangerous vulnerability in our opinion is remote code execution in DNS server CVE-2016-3227. There is not publicly known exploits for this vulnerability yet, but given the wide usage of DNS services, we strongly recommend patching this vulnerability ASAP.
Please, note: vulnerability CVE-2016-3213, described in MS16-063, is not completely fixed by this patch and requires installation of MS16-077 to be fully protected from this vulnerability. The vulnerability resides within Web Proxy Auto Discovery (WPAD) protocol, which incorrectly handles NetBIOS names. This vulnerability can be exploited both locally and remotely via Internet Explorer attack vector.
Vulnerability CVE-2016-0025 in Microsoft Office (MS16-070) is extremely dangerous, because it is being exploited by leveraging built-in preview pane protection mechanism, intended to protect users from opening dangerous files.
Here is the table with brief review of released patches from Microsoft:
| Software | Severity | CVE/CVSS | Known exploits |
| MS16-063: Cumulative Security Update for Internet Explorer (3163649) | |||
| Internet Explorer | High |
CVE-2016-0199 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-0200 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3202 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3205 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3206 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3207 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3210 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3211 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3212 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] CVE-2016-3213 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L] |
No |
| MS16-068: Cumulative Security Update for Microsoft Edge (3163656) | |||
| Edge | High |
CVE-2016-3198 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] CVE-2016-3199 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3201 4.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N] CVE-2016-3202 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3203 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3214 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3215 4.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N] CVE-2016-3222 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] |
CVE-2016-3222 is publicly disclosed |
| MS16-069: Cumulative Security Update for JScript and VBScript (3163640) | |||
| JScript and VBScript | High |
CVE-2016-3205 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3206 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3207 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] |
No |
| MS16-070: Security Update for Microsoft Office (3163610) | |||
| Office | High |
CVE-2016-0025 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3233 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H] CVE-2016-3234 4.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N] CVE-2016-3235 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H] |
No |
| MS16-071: Security Update for Microsoft Windows DNS Server (3164065) | |||
| DNS Server | High |
CVE-2016-3227 10.0 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H] |
No |
| MS16-072: Security Update for Group Policy (3163622) | |||
| Group Policy | Medium |
CVE-2016-3223 8.0 [CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H] |
No |
| MS16-073: Security Update for Windows Kernel-Mode Drivers (3164028) | |||
| Kernel-Mode Drivers | Low |
CVE-2016-3218 8.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H] CVE-2016-3221 8.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H] CVE-2016-3232 3.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N] |
No |
| MS16-074: Security Update for Microsoft Graphics Component (3164036) | |||
| Microsoft GDI | Low |
CVE-2016-3216 3.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N] CVE-2016-3219 8.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H] CVE-2016-3220 8.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H] |
No |
| MS16-075: Security Update for Windows SMB Server (3164038) | |||
| SMB Server | Low |
CVE-2016-3225 8.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H] |
Publicly disclosed |
| MS16-076: Security Update for Netlogon (3167691) | |||
| Netlogon | Medium |
CVE-2016-3228 9.6 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H] |
No |
| MS16-077: Security Update for WPAD (3165191) | |||
| WPAD | Low |
CVE-2016-3213 8.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H] CVE-2016-3236 8.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H] |
CVE-2016-3236 is publicly disclosed |
| MS16-078: Security Update for Windows Diagnostic Hub (3165479) | |||
| Windows Diagnostics Hub | Low |
CVE-2016-3231 8.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H] |
No |
| MS16-079: Security Update for Microsoft Exchange Server (3160339) | |||
| Microsoft Exchange Server | Low |
CVE-2016-0028 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N] Vulnerabilities in Oracle Outside In libraries CVE-2015-6013 8.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H] CVE-2015-6014 8.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H] CVE-2015-6015 8.8 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H] |
No |
| MS16-080: Security Update for Microsoft Windows PDF (3164302) | |||
| Microsoft Windows PDF | High |
CVE-2016-3201 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N] CVE-2016-3215 5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N] CVE-2016-3203 9.6 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H] |
No |
| MS16-081: Security Update for Active Directory (3160352) | |||
| Active Directory | Low |
CVE-2016-3226 6.2 [CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H] |
No |
| MS16-082: Security Update for Microsoft Windows Search Component (3165270) | |||
| Windows Search Component | Low |
CVE-2016-3230 6.8 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H] |
No |