Microsoft's September Patch Tuesday addresses seven critical issues

VBScript a particular problem, reckon experts

For this month's Patch Tuesday, Microsoft has issued 14 security updates, a slightly worrying seven of which are rated critical.

The Microsoft Security Bulletin Summary for September 2016 contains fixes for Internet Explorer, Edge, Microsoft Graphics Component, Office, Exchange, OLE Automation for VBScript and Adobe Flash Player, and remote code execution is the big concern this month.

Lane Thames, a security researcher at Tripwire, warned that the VBScript fix is especially important.

"Administrators should take note regarding September's patch drop for MS16-116 and MS16-104," he said.

"MS16-116 resolves a remote code execution vulnerability in OLE Automation for VBScript Scripting Engine. The catch here is that the vulnerability, identified by CVE-2016-3375, is not fully resolved until the Internet Explorer security updates in MS16-104 are applied."

Silverlight, Windows itself and SMBv1 Server have remote code execution fixes classed as 'important', as do the Windows lock screen (dreadful) and the Windows Kernel.

Tyler Reguly, another Tripwire researcher, highlighted a vulnerability in the ASP.NET Core View Components that he believes requires immediate attention.

"They have announced a vulnerability, with no CVE assigned, in the ASP.NET Core View Components. There is not a patch for this, but steps must be taken by developers before rebuilding and redeploying new applications," he said.

"Vulnerabilities like this, that rely on changes to code and redeployment, are often overlooked because they do not get the same attention or update process as traditional vulnerabilities detailed in security bulletins."

HEAT Software senior product manager Todd Schell described September 2016 as "a big month" for Microsoft patches on account of the critical fixes, and everybody is largely agreed that MS16-104 should be applied immediately because of the knock-on effect on other patches, particularly the nasty VBScript one.

Security managers might want to exercise particular caution this month.