September continues a long running trend with Microsoft's products where the majority of bulletins (10) address remote code execution (RCE) followed by elevation of privilege (2) and information disclosure (2). All of this month's critical bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services and Web Apps, Sharepoint as well as Windows (client and server).

While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect the consumer applications listed above. Unfortunately, this leads to one of the single largest attack vectors, consumers.

This month Microsoft resolves 94 vulnerabilities across 14 bulletins. For consumers MS16-104, MS16-105, MS16-106, MS16-107, MS16-115 and MS16-117 are the bulletins to watch out for, addressing 60 vulnerabilities. For server users MS16-108 is the bulletins to watch out for, addressing 21 vulnerabilities. As pointed out by todb, Senior Research Manager at Rapid7, “This update is of particular interest because it patches eleven remote code execution bugs in Oracle Outside In, a rather massive file format parsing library that ships with Exchange and is responsible for parsing a wide variety of file types…  it looks like the Exchange server itself can be compromised merely by e-mailing the target organization a maliciously crafted file.” Unfortunately, at this time one vulnerability addressed by MS16-104 (CVE-2016-3551) is known to have been exploited in the wild.

Users should be wary of untrusted sources as maliciously crafted content could allow an attacker to remotely execute code in-order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month's bulletins and in accordance with your specific configuration, prioritize your deployment of this months' updates. At a minimum, ensure to patch systems affected by critical bulletins (MS16-104 MS16-105 MS16-106 MS16-107 MS16-108 MS16-116 MS16-117).