Microsoft’s August 2016 security updates are out, and there’s every reason to follow our oft-repeated advice to Patch Early, Patch Often.
There are nine separate security bulletins this month, numbered from MS16-095 to MS16-103, with five of them flagged Critical – Remote Code Execution (RCE).
As you probably know, RCE means that crooks can lure you towards an innocent-looking file or web page and merely by getting you to open it, to load it or even just to look at it…
…they can take charge of your computer.
In other words, an RCE exploit can typically be used to mount a malware attack without needing to talk you into starting a download of your own, and without even popping up an “Are you sure?” window.
Although Microsoft doesn’t go into any official detail in its published bulletins, the vulnerable components that get updates this month are:
MS16-095: Cumulative Security Update for Internet Explorer
MS16-096: Cumulative Security Update for Microsoft Edge
Information is slight, but there’s mention in MS16-096 of a fix in Microsoft’s JavaScript engine.
Memory handling bugs that can be triggered directly from JavaScript are worth worrying about, because malicious JavaScript can be embedded directly into a web page, and will run automatically even if all you do is to look at the page without clicking anywhere.
MS16-097: Security Update for Microsoft Graphics Component
Microsoft isn’t saying which graphic types are involved, but the bug can be triggered in Windows itself, in Office, and in Skype for Business/Lync.
Booby-trapped graphics objects are always a worry, as they were when the Android Stagefright bug was announced, and when Apple recently patched its own ImageIO library in iOS and OS X.
That’s because there are so many unexceptionable ways that a crook can put graphical content in front of you.
MS16-099: Security Update for Microsoft Office
This bug could allow a booby-trapped document to hack you as soon as you open it, even if you don’t go on to do anything risky such as enabling macros, clicking a link or extracting an embedded file.
Advice such as “don’t open documents from people you don’t know” can help, but if your job involves handling correspondence from new customers, for example, you don’t really have much choice: it’s hard to tell whether a document is worth opening without opening it first.
MS16-102: Security Update for Microsoft Windows PDF Library
This bug has the same sort of risk profile as MS16-099: if a potential new customer sends a request for a quote in a PDF file, you’re on the horns of a dilemma.
Do you reject it because this is your first email from them? (If so, you aren’t likely to grow your business much.)
Or do you open it because PDFs are widely used, and a perfectly normal part of business correspondence these days? (If so, you’re accepting a small but definite risk.)
What to do?
This month’s Microsoft security holes give the crooks a wide choice of ways to put booby-trapped content right in front of you, including using web pages, Office documents, PDFs and an unknown range of image files.
Fortunately, however (as far as we know), none of this month’s vulnerabilities is a zero-day.
That’s the name given to a security bug when the crooks figure out how to exploit it before an update comes out, thus giving zero days during which even a well-informed sysadmin could have patched in advance.
In this case, therefore, you can get ahead of the crooks with one simple step: Patch Now.
So that’s what we’re suggesting!