Microsoft's monthly Patch Tuesday came a little earlier this month and they dropped five critical patches for a number of Windows vulnerabilities yesterday.
The biggest security fix is for a flaw in Windows 10's new Edge Browser, which would have allowed remote code execution attacks.
The security bug affects how Edge renders PDF pages automatically by default, which is not the case for other browsers. This means an attacker could embed a maliciously crafted PDF document on a website and Edge will run the exploit automatically, potentially giving the attacker full control of a machine (MS16-102).
Although no attacks exploiting this flaw have been reported yet, it is certainly a potent way for attackers to infect millions of machines. As with all these security updates, catching these flaws before attackers could utilize them is critical for the safety of users around the world.
Attackers will now start looking for Edge's PDF flaws as entry points for malicious code since PDF is a widely used document platform. As a temporary workaround, Microsoft suggests that users remove Edge from the default PDF reader file associations.
We have an even better suggestion: don't use Microsoft Edge as your browser until they sort this PDF bug out completely. As we mentioned earlier, other browsers like Chrome or Firefox do not render PDF content by default.
The Microsoft Edge browser is only available on Windows 10 systems so this patch doesn't apply to Windows 8.1 and earlier.
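To verify the file-association workaround mentioned above, the following PowerShell sketch reports which application currently handles .pdf files for the logged-on user. It is an added example, not from Microsoft or the original article; it assumes the per-user choice is stored in the Explorer FileExts UserChoice registry key, and the function name Get-DefaultPdfHandler is hypothetical.

```powershell
# Added example: audit the current user's default .pdf handler.
# Assumption: the per-user choice lives in the Explorer FileExts UserChoice key.
function Get-DefaultPdfHandler {
    $userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice'
    $choice = Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue
    if (-not $choice -or -not $choice.ProgId) {
        # No explicit per-user choice recorded, so the handler is unknown here.
        return [pscustomobject]@{ ProgId = $null; Handler = $null; IsEdge = $null }
    }

    $classKey = "Registry::HKEY_CLASSES_ROOT\$($choice.ProgId)"
    # Packaged apps such as Edge expose an AppUserModelID under ...\Application.
    $app = Get-ItemProperty -Path "$classKey\Application" -ErrorAction SilentlyContinue
    # Classic desktop readers register an open command line instead.
    $cmd = Get-ItemProperty -Path "$classKey\shell\open\command" -ErrorAction SilentlyContinue

    $handler = $null
    if ($app -and $app.AppUserModelID) { $handler = $app.AppUserModelID }
    elseif ($cmd) { $handler = $cmd.'(default)' }

    [pscustomobject]@{
        ProgId  = $choice.ProgId
        Handler = $handler
        # Edge's package family name starts with Microsoft.MicrosoftEdge_
        IsEdge  = [bool]($handler -like 'Microsoft.MicrosoftEdge_*')
    }
}

$result = Get-DefaultPdfHandler
$result | Format-List

if ($null -eq $result.ProgId) {
    Write-Warning 'No per-user .pdf choice recorded; the built-in Windows 10 default may be Edge.'
}
elseif ($result.IsEdge) {
    Write-Warning 'Edge is the default PDF handler; the workaround has not been applied for this user.'
}
else {
    Write-Output 'Default PDF handler is not Edge.'
}
```

The script only reads the registry; changing the association is still done through the Windows Settings app.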
More Critical Updates
Critical updates in yesterday's Patch Tuesday batch include the usual cumulative security patches for all supported Internet Explorer versions that fix flaws leading to more remote code execution (MS16-095).
Another critical update patches vulnerabilities in the Microsoft Graphics Component that is used in Microsoft Office, Windows, Lync, and Skype for Business (MS16-097). The update is said to fix flaws in how the Windows font library executes embedded fonts, which would have allowed remote code execution by merely visiting a poisoned website or opening a malicious document.
The last critical patch is for resolving flaws in Microsoft Office. The flaws could be exploited for memory corruption that could then lead to more remote code execution (MS16-099). This patch applies all the way back to Office 2007 and extends to Office 2016 for both Windows and Mac OS X.
So please make it a habit to check and apply Microsoft's monthly security updates to be a step ahead of possible attacks.
To read more about this month's Microsoft Security patches, check out their Security Bulletin Summary for August 2016.
Applying the Windows Updates
If you are not certain whether your Windows machine is getting the necessary updates, don't worry, we have you covered.
Most Windows machines are set to download and install updates automatically by default. If you haven't changed your automatic update settings then you should be fine.
But if you want to check, here's how.
On Windows 10, click Start (Windows logo), choose "Settings," select "Update & Security," then in the "Windows Update" section, click on "Advanced Options." (Note: the "Windows Update" section is also handy for showing you updates that are currently being downloaded or applied.) Under "Advanced Options," just make sure the drop-down box is set to "Automatic."
If you have an older Vista or Windows 7 system, check out our tips on how to set up and check Windows Updates.