Microsoft has released the August Patch Tuesday security bulletin including nine updates, five of which are rated critical. The release takes the total number of updates in 2016 to 103.
Internet Explorer is involved, as ever, and MS16-095 fixes several flaws that could pose major problems for end users.
“The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user,” Microsoft said.
“If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The firm’s newer Edge browser gets a cumulative update rated as critical that covers many of the same problems.
“The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge,” the firm said.
“An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.”
Another notable critical update concerns Office, which comes with the same warning about the flaws as above.
The other two critical updates relate to Microsoft Windows PDF Library and Microsoft Graphics Component.
Security firm Qualys, which regularly comments on the Patch Tuesday releases, suggested that administrators should concentrate first on the Office and browser fixes.
"It is not too difficult to social engineer an email attachment which is targeted for users in your organisation to exploit this issue," Qualys said in a blog post.
"Nine IE issues and eight Edge vulnerabilities are addressed in these two bulletins and more than half can cause remote code execution, i.e. allow an attacker to take complete control of the victim system."
Tod Beardsley, research manager at Rapid7 Security, said that the lack of server updates could give some IT admins the month off.
"Interestingly, this month, all of the issues resolved are entirely in desktop deployments, so it looks like IT administrators who are responsible for the data centre machines get a break," he said.
"This is not to say the server operating systems are completely unaffected, of course. For example, Windows servers running Terminal Services tend to act as both desktop and server environments.
"For the majority of Windows server admins out there, however, you can roll out patches at a fairly leisurely pace."