MICROSOFT HAS ISSUED nine bulletins covering a total of 41 vulnerabilities across its software products for its August Patch Tuesday release, including two "Critical" patches addressing zero-day flaws in Internet Explorer (IE) versions IE6 to IE11 and Adobe Flash.
The Internet Explorer bulletin is rated "0" on the Exploitability Index, Microsoft's new value on the scale which means that attackers are exploiting at least one of the vulnerabilities.
The IE security update resolves one publicly disclosed and 25 privately reported vulnerabilities in Internet Explorer, making a total of 26 patched vulnerabilities.
"The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," said Microsoft in its security advisory. "An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights."
The second priority fix for this Patch Tuesday comes from Adobe with the "Critical" update APSB14-19 for Adobe Reader. It addresses one vulnerability that is seeing limited targeted attacks in the wild.
"If we follow Microsoft's new standard for the Exploitability Index, this would deserve a 0, the most urgent rating. Adobe rates it a '1', their most critical rating at the moment," advised Qualys CTO Wolfgang Kandek. "Address as quickly as possible if you run Adobe Reader on Windows. Mac OS X users are not affected."
Adobe also released APSB14-18 for Flash as part of its monthly patch, which addresses seven vulnerabilities and includes fixes for problems that can be used to take control over the targeted machine.
"We recommend applying the update as quickly as possible, at least for anybody that does not have embedded Flash updates, for example, older Internet Explorer, Firefox and Safari users," Kandek added. "Google Chrome and Internet Explorer 10/11 users get the benefit of having Flash embedded and so get auto update functionality."
The remaining seven vulnerabilities are related to the firm's Microsoft Office, SQL server, Windows, Server and .Net framework software products. Each has an "Important" rating from Microsoft and leaves users open to a mix of remote code execution, elevation of privilege and security bypass exploits.
Microsoft released six patches for its July Patch Tuesday last month, and like this month two of those were listed as "Critical" fixes for vulnerabilities in its Windows operating system (OS) and Internet Explorer.
Revealed in a threat advisory, the patches fixed vulnerabilities that Microsoft said could be used by hackers to mount remote code execution attacks. µ