Today Microsoft issued 13 security bulletins patching 39 vulnerabilities in total. 29 of them are in Microsoft products; the other 10 were patched because a vulnerable version of Adobe Flash Player is in use. Among the patched vulnerabilities are 2 zero-days in the Microsoft Graphics Component that are exploited in the wild. These vulnerabilities allow privilege escalation via the Win32k driver.

Below is a table with a quick summary of the released patches:

MS Security Advisory | Vulnerable products | Severity | CVE | Known exploits |
---|---|---|---|---|
MS16-037: Cumulative Security Update for Internet Explorer | Internet Explorer 9, Internet Explorer 10, Internet Explorer 11 | Critical | CVE-2016-0154, CVE-2016-0159, CVE-2016-0160, CVE-2016-0162, CVE-2016-0164, CVE-2016-0166 | CVE-2016-0160 - publicly disclosed |
MS16-038: Cumulative Security Update for Microsoft Edge | Microsoft Edge | Critical | CVE-2016-0154, CVE-2016-0155, CVE-2016-0156, CVE-2016-0157, CVE-2016-0158, CVE-2016-0161 | No |
MS16-039: Security Update for Microsoft Graphics Component | Windows Vista, Windows Server 2008/R2, Windows 7, Windows 8.1, Windows Server 2012/R2, Windows RT 8.1, Windows 10, Microsoft Office 2007, Microsoft Office 2010, Microsoft .NET Framework 3.0 Service Pack 2, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 3.5, Skype for Business 2016, Microsoft Lync 2013, Microsoft Lync 2010, Microsoft Live Meeting 2007 Console | Critical | CVE-2016-0143, CVE-2016-0145, CVE-2016-0165, CVE-2016-0167 | Exploited in the wild: CVE-2016-0165, CVE-2016-0167 |
MS16-040: Security Update for Microsoft XML Core Services | Microsoft XML Core Services 3.0, Windows Vista, Windows Server 2008/R2, Windows 7, Windows 8.1, Windows Server 2012/R2, Windows RT 8.1, Windows 10 | Critical | CVE-2016-0147 | No |
MS16-041: Security Update for .NET Framework | Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.6.1, Windows Vista, Windows Server 2008/R2, Windows 7 | Important | CVE-2016-0148 | Publicly disclosed |
MS16-042: Security Update for Microsoft Office | Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, Microsoft Office 2013 RT, Microsoft Office 2016, Microsoft Office for Mac 2011, Microsoft Office 2016 for Mac, Microsoft Office Compatibility Pack Service Pack 3, Microsoft Excel Viewer, Microsoft Word Viewer, Microsoft SharePoint Server 2007, Microsoft SharePoint Server 2010, Microsoft SharePoint Server 2013, Microsoft Office Web Apps 2010, Microsoft Office Web Apps 2013 | Critical | CVE-2016-0122, CVE-2016-0127, CVE-2016-0136, CVE-2016-0139 | No |
MS16-044: Security Update for Windows OLE | Windows Vista, Windows Server 2008/R2, Windows 7, Windows 8.1, Windows Server 2012/R2, Windows RT 8.1 | Important | CVE-2016-0153 | No |
MS16-045: Security Update for Windows Hyper-V | Windows 8.1, Windows Server 2012/R2, Windows 10 | Important | CVE-2016-0088, CVE-2016-0089, CVE-2016-0090 | No |
MS16-046: Security Update for Secondary Logon | Windows 10 | Important | CVE-2016-0135 | Publicly disclosed |
MS16-047: Security Update for SAM and LSAD Remote Protocols | Windows Vista, Windows Server 2008/R2, Windows 7, Windows 8.1, Windows Server 2012/R2, Windows RT 8.1, Windows 10 | Important | CVE-2016-0128 | No |
MS16-048: Security Update for CSRSS | Windows 8.1, Windows Server 2012/R2, Windows RT 8.1, Windows 10 | Important | CVE-2016-0151 | No |
MS16-049: Security Update for HTTP.sys | Windows 10 | Important | CVE-2016-0150 | No |
MS16-050: Security Update for Adobe Flash Player | Adobe Flash Player, Windows 8.1, Windows Server 2012/R2, Windows RT 8.1, Windows 10 | Critical | CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019 | CVE-2016-1019 zero-day in Adobe Flash Player. Exploited in the wild by at least 2 exploit packs |