
IDG Contributor Network: 5 critical updates for October Patch Tuesday

[Category: System (Windows) | Publisher: 店小二04 | Date: 2016 | Author: 红领巾]

October's change of season brings a fundamental change to how Microsoft presents and delivers updates to Windows 7 and 8.x systems. As of this month, Microsoft will follow the Windows 10 cumulative update model for all currently supported versions of Windows platforms -- including Windows 7 and 8.x systems. You can read more about this major change to Patch Tuesday on Microsoft’s TechNet blog. This is a big departure from the more granular approach of individual updates and patches. Microsoft will now “roll up” security, browser and system component (.NET) updates into aggregate patches.

This month Microsoft has released ten updates with five rated as critical, four rated as important and one update with a lower security rating of moderate. This release cycle includes several “Patch Now” updates for IE, Edge, Adobe Flash Player and a small component of Microsoft Office. All of these patches will require a restart.

As well as producing their usual helpful Patch Tuesday infographic, Shavlik’s blog includes a very insightful interview between Chris Goettl from Shavlik and Phil Richards, the CSO of LANDesk, on the change in Microsoft’s service model.

MS16-118 ― Critical

Given all the recent changes by Microsoft in how we will manage patches and updates in the future, we start this October Patch Tuesday with a critical update to Microsoft Internet Explorer with MS16-118. This update to Microsoft’s now aging browser attempts to resolve 11 security vulnerabilities relating to memory corruption and scripting engine issues which at worst could lead to a remote code execution scenario. Unfortunately, at least one of these memory-related security issues has been exploited and reported back to Microsoft, making this update a “Patch Now” update.

MS16-119 ― Critical

MS16-119 is a fairly substantial update to Microsoft's new “evergreen” browser for Windows 10, which attempts to resolve seventeen memory, namespace handling and scripting issues in Microsoft Edge. Unfortunately, like IE, this month’s October update for Microsoft Edge includes a fix for a recently detected publicly released exploit, which makes this update for all supported Windows 10 platforms a “Patch Now” update as well.

MS16-120 ― Critical

MS16-120 does not pose the same level of urgency as this month’s updates to IE and Edge but it does cover a lot of territory, with updates to two core components of the Windows platform: the Win32 and GDI graphics components. Microsoft has advised that all versions of Office, Lync, Silverlight and even the .NET framework are affected by the potential for a remote code execution scenario on all supported Windows (desktop and server) platforms. This is a patch that will have a large potential impact on many layers of the application stack. It needs to be first in line for application testing and may need some time before general deployment.

MS16-122 ― Critical

MS16-122 addresses a single privately reported vulnerability in the Windows video component that, left unpatched, could lead to a remote code execution scenario. This update has a much lower risk rating and a lower exposure to potential application compatibility issues. Add this update to your standard deployment schedule.

MS16-127 ― Critical

MS16-127 addresses 12 “priority 1” security vulnerabilities in Adobe Flash Player that, left unpatched, could lead to a remote code execution scenario. Unlike previous Microsoft patch cycles, it appears that this Flash Player update is not intimately linked with a corresponding IE and Edge update. This update only affects Windows 8.x platforms and should be part of your “Patch Now” deployment effort.

MS16-121 ― Important

MS16-121 addresses a single publicly disclosed memory corruption vulnerability in the way all currently supported versions of Microsoft Office handle RTF files. Microsoft has not provided any mitigation advice or workarounds for this issue and so we are now (unusually) adding a Microsoft Office update to the “Patch Now” list even though this update has been rated as important (not critical) by Microsoft. As a warning to home users, this update may be offered to you, even if you have not installed all the components of Microsoft Office. Even if you have a small sub-component of Office or the compatibility pack (it includes file converters) installed, you will be exposed to the vulnerability in this reported security issue.

MS16-123 ― Important

MS16-123 addresses five privately reported vulnerabilities in the Windows kernel-mode component that could lead to an elevation of privilege scenario. This is a pretty hefty update that includes changes to a large number of core system files. It appears that for an attacker to successfully compromise a target system, a specially crafted executable must be run. These kinds of attacks are much more difficult these days as most systems (including modern browsers) prevent or warn against this kind of attack. Given the scope of this update, and the slightly reduced risk, stage the deployment throughout your organization.

MS16-124 ― Important

MS16-124 addresses four lesser risk issues in the Windows kernel that directly affect the Windows registry. This is (again) a large update to a number of core Windows components that affects all supported versions of Windows (desktop and server) platforms. Given the reduced exploitability and the more challenging requirements of a successful attack using the registry API, this update could benefit from some testing of IT administrator and developer tools before general deployment.

MS16-125 ― Important

MS16-125 addresses a single privately reported vulnerability in a Windows diagnostic component that could lead to an elevation of privilege security issue. This patch only applies to Windows 10 and so it will be included in your standard Windows 10 cumulative or “roll-up” of all other Windows updates.

MS16-126 ― Moderate

MS16-126 addresses a single, privately reported, difficult-to-exploit vulnerability in the Microsoft IE messaging API sub-system. This is Microsoft’s lowest rating for a patch with a lower associated
