Microsoft patch total for the year passes 100

Patch Tuesday delivers yet more critical fixes for critical apps

Microsoft's August Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year to 103.

Despite being discontinued in favour of Edge, the Internet Explorer web browser continues to be heavily involved in Microsoft's patch action, with MS16-095 fixing several flaws that could pose major problems for its declining number of end users.

"The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user," Microsoft said.

"If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The firm's newer Edge browser gets a cumulative update rated as critical that covers many of the same problems.

"The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge," the firm said.

"An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights."

Another notable critical update concerns Office, which comes with the same warning about the flaws as above.

The other two critical updates relate to the Microsoft Windows PDF Library and the Microsoft Graphics Component.

Security firm Qualys, which regularly comments on the Patch Tuesday releases, suggested that administrators should concentrate first on the Office and browser fixes.

"It is not too difficult to social engineer an email attachment which is targeted for users in your organisation to exploit this issue," Qualys said in a blog post.

"Nine IE issues and eight Edge vulnerabilities are addressed in these two bulletins and more than half can cause remote code execution, i.e. allow an attacker to take complete control of the victim system."

Tod Beardsley, research manager at Rapid7 Security, said that the lack of server updates could give some IT admins the month off.

"Interestingly, this month, all of the issues resolved are entirely in desktop deployments, so it looks like IT administrators who are responsible for the data centre machines get a break," he said.

"This is not to say the server operating systems are completely unaffected, of course. For example, Windows servers running Terminal Services tend to act as both desktop and server environments.

"For the majority of Windows server admins out there, however, you can roll out patches at a fairly leisurely pace."