Microsoft fixes critical flaws, make sure you're up to date
The software giant said the flaws could allow an attacker to remotely run malware if a user opens specially crafted media content that's hosted on a website. (File photo)
This month's bumper release of security patches has one bulletin that affects every supported version of Windows.
Microsoft said on its regularly scheduled Patch Tuesday that users on Windows Vista and later -- including Windows 10 -- should patch as soon as possible to prevent attackers from exploiting a flaw in how the operating system handles media files.
The "critical" bulletin (MS16-027) patches an issue that could allow an attacker to remotely execute code or malware as the logged-in user.
Those who are logged in as an administrator are at the greatest risk.
An attacker would have to trick a user into opening a specially-crafted media file, which would let the attacker take control of the entire system.
The good news is that Microsoft said the flaw was privately reported and is not thought to have been actively exploited in the wild by malicious actors.
Microsoft also released four other critical flaws affecting Windows, including cumulative patches to Internet Explorer (MS16-023) and its newer browser, Microsoft Edge for Windows 10 (MS16-024).
The other two bulletins include:
MS16-026 addresses a series of flaws in how Windows handles certain fonts. If an attacker either tricks a user to open a specially crafted document, or to visit a website that contains specially crafted embedded OpenType fonts, which could lead to a denial of service attack.
MS16-028 fixes a number of vulnerabilities that would allow an attacker to take control of an an affected system. The patch addresses the flaws by modifying how Windows handles PDF files.
Neither flaws are thought to have been exploited in the wild.
A number of other "important" patches -- MS16-025, and MS16-029 through MS16-035 -- fix an array of issues, such as address elevation of privileges and security feature bypasses.
March patches will be available through the usual update channels.