Both Windows 10's Edge browser and Internet Explorer (IE) need to be updated now to resolve security vulnerabilities that could allow hackers to remotely take over computer systems, Microsoft has warned in its latest Patch Tuesday release. Both updates, listed as critical by the advisory, fix flaws that allow a form of 'remote code execution' (RCE).
In the official security bulletin, the Microsoft Edge security update (MS16-011) is said to require an urgent install on all versions of Windows 10 in order to fix a range of issues, from spoofing flaws to full memory corruption. "An attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Microsoft Edge, and then convince a user to view the website," Microsoft has warned.
"An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Microsoft does note that in all cases, an attacker would have no way to force users to view the hacker-controlled content, and instead would have to deploy techniques such as email spam or social engineering to make the flaw viable. The flaws addressed by the Internet Explorer update (MS16-009) also leave unpatched computer systems open to the same form of remote tampering, and the update is now needed for all users of IE9, 10 and 11 on Windows.
Other critical updates
In total, Microsoft has released 13 security bulletins to fix 42 vulnerabilities across the board so far this month. Notable updates include MS16-015, which fixes security flaws in Microsoft Office that allow hackers to attack unwitting users with a 'specially crafted' Office file or document. Additionally, MS16-022 patches a slew of exploitable security gaps in Adobe Flash right through from Windows 8 to Windows 10 operating systems. In short, update all Windows software as soon as possible to stay safe online.
"Since a wide range of products are affected this month, almost all Microsoft users should be on alert. Fortunately, at this time, no vulnerabilities are known to have been exploited," said Adam Nowak, lead engineer at security firm Rapid7. "Users should be wary of untrusted sources as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as your user account. Your best protection against these threats is to patch as quickly as possible."