Patch Tuesday: 'Critical' security patches for Adobe Flash and Internet Explorer

Strap yourself in for an "intense" Patch Tuesday

A series of "critical" security patches for Adobe Flash, Internet Explorer and Windows were issued overnight in May's Patch Tuesday releases.

"This is one of the more intense Patch Tuesdays in a while. Make sure you continue to monitor what is going on," warned Qualys chief technology officer Wolfgang Kandek.

Microsoft alone is offering 15 fixes to make good 36 vulnerabilities, according to Craig Young, a security researcher at Tripwire.

"The patch which immediately grabbed my attention this month is MS16-061 which resolves a code execution bug within the handling of RPC requests," said Young.

He continued: "Although Microsoft rates CVE-2016-0178 as less likely to be exploited, the potential for abuse on this one is enormous. The underlying flaw affects all supported servers and desktops from Windows Vista to Windows 10 and can allow an unauthenticated attacker to gain control of unpatched systems."

Another eye-catching fix is CVE-2016-0189, according to Symantec, which affects the legacy Internet Explorer web browser and involves a nasty "remote memory-corruption vulnerability".

Internet Explorer has a global market share of about 36 per cent, according to NetMarketShare figures, second only to Google Chrome. Its replacement, Edge, still languishes on under five per cent, despite the supposed popularity of Windows 10.

"Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user," adds the firm in a brief advisory. "Failed attacks will cause denial-of-service conditions. Internet Explorer 9, 10, and 11 are vulnerable."

The big issue for Adobe is yet another newly discovered critical Flash vulnerability, CVE-2016-4117. This affects Flash running on Windows, Macintosh, Linux and Chrome OS. Adobe warns that the vulnerability can cause crashes and, potentially, enable a hacker to take remote control. It believes that there is an exploit in the wild.

Adobe warned about the risk posed by the flaw earlier this week: "A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild."

This is just the tip of the patchberg, of course, and there are plenty of other patches to cover a plethora of problems.

"Microsoft has released its May updates and it was a rather large deployment with 16 total updates. The critical versus important was split down the middle with eight important and eight critical," said Michael Gray, vice president of technology at Thrive Networks.

"Most of the critical are remote code execution, which is commonly the end result of exploits. Critical patches are still critical and we recommend deploying after your systems have been tested."

That's Microsoft. But what about Adobe Flash, which has faced widespread calls for it to be expunged due to its repeated security failings? Well, Gray isn't a fan, either.

"At this point, we should be wondering when Flash will just disappear. It's dying a slow death and it's not a surprise to see yet another critical update. Many application firewalls can disable Flash and it is recommended to do this," he added. "Fortunately, many of the mainstream browsers have already disabled Flash for outdated versions."

What isn't known, at this point, is whether Microsoft has slipped some new Windows 10 and/or telemetry-related updates into the mix for users of Windows Vista, 7, 8 and 8.1.