Microsoft has released 14 security bulletins on the September 13 Patch Tuesday, seven rated as critical. MS16-117 trickled out later in the day in response to monthly updates from Adobe.

Adobe’s Patch Tuesday security bulletins impact Adobe Digital Editions, AIR SDK & Compiler and, of course, Flash which alone tallied up 29 critical vulnerabilities. Way to go Flash.

Keep up with vulnerabilities on the vendors and products that matter most to you. Sign up for your free account at

OLE Automation and VBScript

Two security bulletins provide fixes for CVE-2016-3375, a vulnerability in the Microsoft OLE Automation mechanism and IE’s VBScript Scripting Engine that could corrupt memory in such a way as to allow attackers to execute arbitrary code. The relevant bulletins are MS16-104 and 116, and both must be installed for full protection.

MS16-104, the Internet Explorer cumulative update, also contains fixes for other vulnerabilities also involving memory corruption as well as elevation of privileges, information disclosure and security feature bypass. It affects IE versions 9-11.

MS16-116 affects all supported Windows versions.

Cumulative Microsoft Edge Update

MS16-105 patches 12 vulnerabilities affecting the Edge browser in Windows 10, the most severe of which could allow remote code execution. Memory corruption vulnerabilities (CVE-2016-3294, CVE-2016-3295, CVE-2016-3350 and CVE-2016-3377) for Windows Clients are most severe.

Microsoft Graphics Component

MS16-106 is critical for Windows 10 v1607 and important for all other supported releases. The remote code execution vulnerability (CVE-2016-3356) patched affected the handling of objects in memory by the Windows Graphic Device Interface. A successful exploit could take control of the affected system.

Microsoft Office

MS16-107 contained fixes for 13 vulnerabilities, the most severe of which (CVE-2016-3357) could allow remote code execution via the Preview Pane.

Microsoft Exchange Server

Still more remote code execution vulnerabilities patched in MS16-108. These worst flaws are present in some Oracle Outside In libraries built into the Exchange Server (2007, 2010, 2013 and 2016 releases).

As always, we recommend not chasing after the critical vulnerabilities in name only. Through modeling, automated simulations and security analytics, you can quickly identify the most severe vulnerabilities demanding immediate attention in the context of your network. Using attack simulation technology like Skybox also helps you understand how to strengthen compensating controls and better segment your network when patches are unavailable or you’re unable to implement them. You can see the Skybox® Vulnerability Control attack simulation demo here.