If you are a regular reader of Komando.com, you should know by now that Microsoft issues a set of cumulative updates once a month. This day, which usually falls on the second Tuesday of each month, is unofficially called Patch or Update Tuesday by tech fans and savvy Windows PC users alike.
It's not exactly a big red-letter day for the tech industry but IT professionals and regular consumers mindful of computer security are always eager to know what each Patch Tuesday brings. These updates usually contain bug fixes, security patches and malware database refreshes for supported Windows operating systems and a slew of Microsoft software products.
This month's Patch Tuesday updates, released yesterday, are slightly more critical than recent months since included within the security bulletins are fixes that address five zero-day vulnerabilities.
Zero-day vulnerabilities are previously unknown software exploits that are already being used by hackers even before the software makers are made aware of them.
This is also the first monthly Patch Tuesday update that is using Microsoft's new "monthly rollup" system. This system will put all security and reliability patches in a single update rather than individual update files.
The first critical zero-day cumulative fix (MS16-118) concerns a vulnerability in Internet Explorer that could allow a hacker to execute remote code and take control of a computer via a poisoned website. This flaw could let an attacker "test for the presence of files on disk" by exploiting an information-disclosure vulnerability.
This update also fixes vulnerabilities in how IE handles objects in memory and namespace boundaries. This flaw affects IE 9 on Vista and Windows Server 2008, IE 10 on Windows Server 2010, and IE 11 on Windows 7, 8.1 and Windows Server 2008/2012 R2.
Another zero-day flaw (MS16-119) fixes vulnerabilities in Windows 10's Microsoft Edge browser that could allow an attacker to take control of a machine via a tainted website. This fix addresses how Edge handles namespace boundaries and objects in memory, restricts what information is returned to Edge, how credentials are stored in browser memory and how Edge validates documents.
More zero-day fixes
The graphics component patch addresses an exploitable flaw that could allow remote code execution via a malicious file while the Office zero-day plugs a hole where an attacker can remotely execute code via an infected RTF file.
The internet messaging patch fixes a zero-day information disclosure vulnerability in email clients like Outlook and Exchange Server on Windows 7, Vista and 8.
Other critical patches
The rest of the security bulletins are not zero-day exploits but are still important nevertheless. One is a critical flaw regarding Windows Video Control in Windows Vista, 8, and 10 that could allow an attacker to execute via a malicious file (MS16-122).
Included in the updates are also critical security patches for Adobe Flash Player on Internet Explorer and Microsoft Edge (MS16-127).
The included malware database refresh is for the Microsoft's built-in Malicious Software Removal Tool. Click here to learn how to use this tool in deep scan mode.
Speaking of Adobe, the company also released their own Patch Tuesday updates for Adobe Flash Player (APSB16-32), Adobe Acrobat and Reader (APSB16-33), and Adobe Creative Cloud Desktop Application (APSB16-34).
Aside from Windows, the Adobe Flash Player updates also patch Mac, Linux and ChromeOS versions of the player. These updates mostly fix remote code execution exploits.
For Chrome, Internet Explorer 11, and Microsoft Edge browsers, the updates should be applied automatically after a restart. For other browsers, you may need to update the Flash plugin manually. Follow our Adobe Flash Update Tool guide for download and install instructions.
The Acrobat Reader fixes Windows and Mac remote code execution vulnerabilities, as well.
Users could apply the updates by clicking Help >> Check for Updates on the software menu. To get the full Acrobat Reader installer, visit Adobe's download page.
How to update Windows
Most Windows machines are set to download and install updates automatically by default. If you haven't changed your automatic update settings then you should be fine.
But if you want to check, here's how:
On Windows 10, click Start (Windows logo), choose "Settings," select "Update & Security," then on the "Windows Update" section, click on "Advanced Options." (Note: the "Windows Update" section is also handy for showing you updates that are currently being downloaded or applied.) Under "Advanced Options," just make sure the drop down box is set to "Automatic."
If you have an older Vista or Windows 7 system, check out our tips on how to set up and check Windows Updates.