Patches for more than 40 flaws are covered in 16 security bulletins, six of which rated critical Credit: Microsoft Microsoft has fixed more than 40 vulnerabilities in its products Tuesday, including critical ones in Windows, Internet Explorer, Edge, and Office.The vulnerabilities are covered in 16 security bulletins, six of which are marked as critical and the rest as important. This puts the total number of Microsoft security bulletins for the past six months to more than 160, a six-month record during the past decade.Companies running Windows servers should prioritize a patch for a critical remote code execution vulnerability in the Microsoft DNS Server component, covered in the MS16-071 bulletin.Attackers can exploit this vulnerability by sending specifically crafted DNS requests to a Windows Server 2012 or a Windows Server 2012 R2 deployment configured as a DNS server. “The impact of this vulnerability is “extremely worrisome on such a mission critical service such as DNS,” Wolfgang Kandek, CTO of security vendor Qualys, said in a blog post. “Organizations that run their DNS server on the same machine as their Active Directory server need to be doubly aware of the danger of this vulnerability.”The critical bulletins for Internet Explorer and Edge, namely MS16-063 and MS16-068, should also be high on the priority list because they cover remote code execution flaws that can be exploited by simply browsing to a specially crafted website. Next on the list should be the Microsoft Office security bulletin, MS16-070, because the applications in the Office suite are a common target for attackers, particularly through malicious email attachments.Kandek believes that the most important vulnerability in the Office bulletin is a remote code execution flaw tracked as CVE-2016-0025 that stems from the Microsoft Word RTF format.“Since RTF can be used to attack through Outlook’s preview pane, the flaw can be triggered with a simple e-mail without user interaction,” he said.Even though 10 security bulletins are marked as Important, companies should evaluate them in the context of their particular environments. Some of them might turn out to be urgent to some assets. Related content news Okta launches Cybersecurity Workforce Development Initiative New philanthropic and educational grants aim to advance inclusive pathways into cybersecurity and technology careers. By Michael Hill Oct 04, 2023 3 mins IT Skills Careers Security news New critical AI vulnerabilities in TorchServe put thousands of AI models at risk The vulnerabilities can completely compromise the AI infrastructure of the world’s biggest businesses, Oligo Security said. By Shweta Sharma Oct 04, 2023 4 mins Vulnerabilities news ChatGPT “not a reliable” tool for detecting vulnerabilities in developed code NCC Group report claims machine learning models show strong promise in detecting novel zero-day attacks. By Michael Hill Oct 04, 2023 3 mins DevSecOps Generative AI Vulnerabilities news Google Chrome zero-day jumps onto CISA's known vulnerability list A serious security flaw in Google Chrome, which was discovered under active exploitation in the wild, is a new addition to the Cybersecurity and Infrastructure Agency’s Known Exploited vulnerabilities catalog. By Jon Gold Oct 03, 2023 3 mins Zero-day vulnerability Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe