MS16-036 is a critical out of band update and resolves 20 vulnerabilities in Adobe Flash Player on all supported versions of Windows Server 2012, Windows Server 2012 R2, Windows 8.1, Windows RT 8.1, and Windows 10.
This bulletin addresses vulnerabilities by updating the Adobe Flash libraries contained within all supported versions of Internet Explorer and Microsoft Edge. We recommend that this update be installed with the highest priority.
A successful attacker will exploit this vulnerability to gain Remote Code Execution giving them full access to the targeted device. The vulnerabilities can be exploited by redirecting users to malicious websites specifically set up for the purpose of attack using
Search Engine Poisoning, hacking legitimate websites and email documents, PDF, Word etc. with malicious Flash content.
This update, in my opinion, should be a business’s highest priority and therefore should be deployed with the utmost urgency. Flash exploits are increasingly becoming the vulnerability of choice, and with the wide spread use of the application, this means we are all exposed. My advice would be to uninstall Flash, Silverlight and Java browser extensions, and test to see if they are really necessary.
Microsoft published on Monday, March 7 that 14 vulnerabilities would be released in this month’s Patch Tuesday updates, but only 13 made it through. MS16-036 was held back at the last minute due to the discovery of CVE-2016-1010. The zero-day vulnerability was discovered by Anton Ivanov of Kaspersky Labs, but no additional details have been released.
In an e-mail, a Kaspersky representative wrote: “Today Adobe released the security bulletin APSB16-08, crediting Kaspersky Lab for reporting CVE-2016-1010. The vulnerability could potentially allow an attacker to take control of the affected system. Kaspersky Lab researchers observed the usage of this vulnerability in a very limited number of targeted attacks. At this time, we do not have any additional details to share on these attacks as the investigation is still ongoing. Even though these attacks are rare, we recommend that everyone get the update from the Adobe site as soon as possible.”
Additional Information
Should you have the need to install any language packs then this update will need to be reapplied, Verismic Software advises that any pending language pack installs are applied prior to installing MS16-036.
Vulnerability Information
This security bulletin addresses the following vulnerabilities which are described in Adobe Security
Bulletin APSB16-08: CVE-2015-8652, CVE-2015-8655, CVE-2015-8658, CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988, CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0993, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-1001, CVE-2016-1005, CVE-2016-1010
For further information, see Microsoft Knowledge Base
Article 3144756.