Monthly Archives: October 2016

October 2016 Security Updates Summary

Update: 2nd November:
Last week Adobe made available an out of band (unscheduled) security update to Adobe Flash. This was due to a zero day (defined) vulnerability being exploited in limited targeted attacks (using spear phishing (defined) emails sometimes originating from previous victims of this vulnerability).

To protect your organisation or yourself from this vulnerability please install the Adobe Flash update if you make use of Flash Player on your organisations devices or your own individual systems. This link can be used to test if Flash Player is already installed.

This vulnerability is related to an APT (defined) group’s activity that is detailed in a more recent post.

Thank you.

Original Post:
Yesterday Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s made available 10 security bulletins. These updates address 36 vulnerabilities listed within Microsoft’s security bulletin summary (excluding the Adobe bulletin). These are more formally known as CVEs (defined).

This month (so far) there are no Known Issues detailed within the above mentioned summary page. Monitoring this page before deploying the updates as well as the IT Pro Patch Tuesday blog will keep you well informed enabling you to have the best opportunity to avoid potential issues. If any issues do arise, those pages are the best first places to check for solutions.

Tuesday also saw the release of 3 security bulletins by Adobe affecting Adobe Flash Player, Adobe Acrobat/Adobe Reader and Adobe Creative Cloud Desktop.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome released today.

The Flash Player update addresses 12 priority 1 CVEs while the Adobe Acrobat/Adobe Reader security bulletin resolves 71 priority 2 CVEs. The final security bulletin published by Adobe this month fixes 1 priority 3 CVE in the Adobe Creative Cloud Desktop application.

If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.

If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

This month saw an unusually high number of 5 Microsoft zero day (defined) vulnerabilities being addressed. For this reason, please prioritise the deployment of the following updates: Microsoft Graphics Component, Microsoft Internet Explorer, Microsoft Edge, Microsoft Internet Messaging API and Microsoft Office.

Once these updates are deployed, please move onto Adobe’s Flash Player update (to version addressing 12 critical vulnerabilities, should be installed next if you already have a previous version installed. Due to the high number of vulnerabilities patched this month in Adobe Acrobat/Adobe Reader this should be installed next if you use their PDF creation/reader software.

The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is published each month within ComputerWorld’s Patch Tuesday Debugged column.

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.