Its July 2016 patch Tuesday and Microsoft has released 11 security updates that affect a host of desktop and server systems. Six updates are categorized as Critical while the rest are categorized as Important.
Most of the critical updates released today affect desktop systems. Top priority should be given to fixing browsers and Office which includes MS16-084 that affects Internet Explorer, MS16-085 which affects Microsoft Edge and MS16-088 for Office. All three updates fix vulnerabilities that allow an attacker to take complete control of the victim’s machine and therefore these should be patched immediately.
Update: Qualys QID is 124421: Adobe Flash Player and AIR Security Update (APSB16-01).
Original: Adobe issued today their last update for 2015 for its Flash player. It addresses nineteen vulnerabilities and was released out of band because one of them (CVE-2015-8651) is under attack in the wild. At this point attacks are limited to special targets. The update is numbered APSB16-01, not APSB15-33 as expected, most likely because it is basically the planned January 2016 update, anticipated due to the circumstances.
As with all 0-days fixes this one deserves special attention and a quick turnaround.
There we are: the last Patch Tuesday of 2015. It turns out to be about average, with maybe a bit more severity in the bulletins than usually. We have eight critical bulletins in the total 12, including one that fixes a 0-day vulnerability, currently in use by attackers to escalate privileges in Windows. 0-days used to be very rare occasions, but this year they have become almost mainstream. After all the year started off with a string of 0-days in Adobe Flash and since then we have seen almost every month a patch for a vulnerability that is already under attack. Definitely a sign of the increasing technical capabilities that attackers are wielding and a reminder that IT Managers should not only patch their systems promptly, but also look for additional robustness. Your list of things to look at in 2016 should include investigation of minimal software installs with the least features enabled, plus an additional piece software such as EMET that enhances robustness.
Just three days after Trend Micro had notified Adobe of a 0-day vulnerability in their Flash player, Adobe addressed the flaw with a patch. APSB15-27 provides fixes for three vulnerabilities, and one of them, CVE-2015-7645, is currently being used in attacks in the wild. You should apply the update as quickly as possible as we expect the exploit to show up in ExploitKits soon, which will greatly increase the number of attacked machines.
Patch Tuesday October 2015 turns out to be a light edition. There are only six bulletins, but all of the important products are covered. We have a critical bulletin for Internet Explorer (but not for Edge), a bulletin for Office that has Remote Code Execution (RCE) vulnerabilities, plus Windows Kernel vulnerabilities that allow for Privilege escalation. Plus an interesting issue in Windows shell that allows for RCE as well. Pretty much everybody, meaning all versions of Windows and Office, are affected except this month there are none of the additional software packages with updates (.NET, server software, etc).
A surprise patch for Adobe Flash. After not releasing a patch for Flash on Patch Tuesday 2 weeks ago, Adobe has now come out with APSB15-23 that addresses 23 vulnerabilities in Adobe Flash. There are no known exploits for the vulnerabilities so most likely this out-of-band release is due to extended testing in the QA process. As always Google Chrome, Microsoft IE 10/11/ and Edge users get their patch through the operating system update process.
Not sure why it has not been packaged with next months, but potentially disclosure deadlines were in play.