The first security update of the year for Microsoft may have only included 9 security bulletins, but six of them have been marked as critical. The critical Windows security flaws include 7 bugs that permit the remote execution of code, one that allows elevation of privileges. A vulnerability affecting Microsoft Exchange Server has also been discovered and patched to prevent spoofing.

The updates include patches for 25 separate vulnerabilities. These critical Windows security flaws should be addressed as soon as possible to keep systems protected. While not all of these security flaws have been published, it is possible for a patch to be reverse engineered to allow a hacker to take advantage of the vulnerabilities in unpatched machines.

Critical Windows security flaws patched in latest Microsoft security update

Although seven critical Windows security flaws have been identified and addressed, one of the most serious is the MS16-005 security bulletin. This is one of the remote code execution vulnerabilities, but it is the one most likely to be exploited by hackers as the vulnerability has been publicly disclosed. The vulnerability affects Windows’ kernel-mode drivers and makes it possible for a hacker to trigger an Address Space Layout Randomization (ASLR) bypass. All that would be required would be to get the user to visit a malicious website.

MS16-001 is critical for users of Internet Explorer. This security flaw affects versions 8, 9 and 10 of the web browser. This will be the last security update for Internet Explorer 8 and 10, with Microsoft now having stopped providing security support. Internet Explorer 9 security updates will continue to be provided for Windows Vista and Windows Server 2008 SP2, but users of IE 8 and 10 should now upgrade to IE 13 to ensure continued support is received.

This memory corruption vulnerability affects VBScript engine and could be exploited by getting an individual to visit a malware-compromised website. This would allow an attacker to gain the same privileges as the current user. If that user had administrative privileges, and attacker would be able to gain control of the computer and install programs, or delete or modify data. The same vulnerability has been addressed for VBScript in MS16-003.

While not marked as critical, any user of Outlook Web Access (OWA) should ensure that MS16-10 is applied. This patch addresses four separate vulnerabilities that could potentially be exploited and used for a business email compromise (BEC).

While only marked as important, Outlook administrators are likely to disagree. An attacker could exploit this vulnerability to make a phishing email appear as if it had been sent from within an organization. This would make the phishing email difficult for employees to identify, and would likely result in a large number of employees compromising their computers.

Microsoft has also patched a bug in Silverlight (MS16-006), which was identified by Kaspersky Lab. The bug is particularly risky for anyone operating Microsoft Silverlight across multiple platforms. The patch plugs a runtime remote code execution vulnerability.