Microsoft patches zero-day vulnerabilities in Secure Boot and Windows

Microsoft yesterday released 10 security updates for Edge, Internet Explorer, Windows, Office and Secure Boot that fix 49 vulnerabilities, including 2 zero-day vulnerabilities. The patches are part of Microsoft's monthly Patch Tuesday.


The updates for Internet Explorer and Edge are rated critical and patch 15 and 13 vulnerabilities respectively. Both updates include fixes for vulnerabilities that allow an attacker to exploit a user through malicious content without user interaction. Visiting a malicious website or viewing a malicious advertisement is sufficient to become a victim of such an attack. Some vulnerabilities allow an attacker to take full control over the target system if the victim is a full admin.

Patches for Office were also part of this month's Patch Tuesday: Microsoft fixed 7 vulnerabilities in this software. Some of these vulnerabilities could allow remote code execution if a user opens a malicious Office document. An attack could come in the form of an email attachment or through hosted web content.

A zero-day vulnerability was fixed for Secure Boot. This feature is found in the BIOS and should make sure only properly certified software can be loaded during the system's boot sequence. Because of a vulnerability, it was possible to bypass this security measure. To do so, an attacker needs administrator access or physical access to the system to install a policy that allows Secure Boot to be bypassed.

Another zero-day patched in Windows allowed an attacker to get information about certain processes running on the system.

Microsoft also released an update for the embedded Flash Player in Internet Explorer 10 and 11 on Windows 8(.1) and Internet Explorer 11 and Edge on Windows 10.

On most systems the updates are automatically installed.
