May continues a long-running trend at Microsoft in which the majority of bulletins (10) address remote code execution (RCE) vulnerabilities; the remaining bulletins address elevation of privilege (2), information disclosure (2) and security feature bypass. All critical bulletins are remote code execution issues affecting a variety of products and platforms, including Adobe Flash Player, Edge, Internet Explorer, .NET Framework, Office, Office Services and Web Apps, and Windows (client and server).

Looking back at the last 12 months of security bulletins, a resounding trend emerges: the majority of these bulletins address remote code execution vulnerabilities. Microsoft is unable to permanently address these vulnerabilities, which predominantly affect consumer applications such as Edge, Internet Explorer, Microsoft Office and .NET. Unfortunately, this makes consumers and end users one of the single largest attack vectors. Fortunately, Microsoft actively works on resolving these issues, as witnessed by the overwhelming number of critical RCE bulletins.

This month, Microsoft resolves 33 vulnerabilities across 16 bulletins, with MS16-051, MS16-052, MS16-053, MS16-055, and MS16-062 as the bulletins to watch out for, addressing 20 vulnerabilities. Users should pay particular attention to the following bulletins, as they resolve vulnerabilities that have been known to be exploited (CVE-2016-0149, CVE-2016-0189):

  • MS16-051 - Cumulative Security Update for Internet Explorer
  • MS16-053 - Cumulative Security Update for JScript and VBScript
  • MS16-065 - Security Update for .NET Framework

Users should also be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as your user account. Your best protection against these threats is to patch as quickly as possible. Administrators, be sure to review this month's bulletins and, in accordance with your specific configuration, prioritize your deployment of this month's updates. At a minimum, be sure to patch systems affected by critical bulletins.

Resolved Vulnerability Reference: