Microsoft has released its May patch updates and it was a rather large deployment with 16 total updates this month. The critical versus important updates were split down the middle with eight important and eight critical.
Most of the critical updates address remote code execution, which is commonly the end result of exploits. The biggest difference this month from April? We didn’t see anything comparable to the Badlock fiasco, but critical patches are still critical and should not be ignored.
Looking through the patch updates, security admins should pay attention to the following three this month:
MS16-056, MS16-057 and (Office) MS16-054: Reminder that administrative rights for all users are a bad idea
All of these critical vulnerabilities allow an attacker to gain access to the user’s system, but the bulletins also note that the impact is smaller if the user does not have administrative rights. Administrative rights on an end-user workstation can be a convenience for both parties, but there are a myriad of reasons they should be avoided.
These two updates drive that point home even more, as exemplified by this note in MS16-056: “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
MS16-054: A patch for all versions of Microsoft Office
This Office patch addresses a vulnerability that allows arbitrary code execution and is rated critical. It affects all versions (2007-2016) of Microsoft Office, but the interesting note is that it also impacts the new Office for Mac version. Office for Mac used to be a mangled version of everyone’s favorite suite, but with the growth of Office 365, Office for Mac has seen much more adoption. With that adoption, businesses will need to ensure that Office for Mac receives all important updates as well.
MS16-064: Another Flash update
At this point, we should be wondering when Flash will just disappear. It is dying a slow death, and it’s not a surprise to see yet another critical update. Many application firewalls can disable Flash, and doing so is recommended. Fortunately, many of the mainstream browsers have already disabled Flash for outdated versions.