Security Alert (A16-01-02): Multiple Vulnerabilities in Microsoft Products (January 2016)

Description:

Microsoft has released 9 security bulletins listed below addressing multiple vulnerabilities which affect several Microsoft products or components:

MS16-001    Cumulative Security Update for Internet Explorer
MS16-002    Cumulative Security Update for Microsoft Edge
MS16-003    Cumulative Security Update for JScript and VBScript to Address Remote Code Execution
MS16-004    Security Update for Microsoft Office to Address Remote Code Execution
MS16-005    Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution
MS16-006    Security Update for Silverlight to Address Remote Code Execution
MS16-007    Security Update for Microsoft Windows to Address Remote Code Execution
MS16-008    Security Update for Windows Kernel to Address Elevation of Privilege
MS16-010    Security Update in Microsoft Exchange Server to Address Spoofing

Affected Systems:

> Microsoft Edge
> Microsoft Exchange Server 2013, 2016
> Microsoft Internet Explorer 7, 8, 9, 10, 11
> Microsoft Office 2007, 2010, 2013, 2013 RT, 2016, Office for Mac 2011, 2016
> Microsoft Office Compatibility Pack Service Pack, Excel, Word Viewer
> Microsoft SharePoint Server 2013, SharePoint Foundation 2013
> Microsoft Silverlight 5, Silverlight 5 Developer Runtime
> Microsoft Visual Basic 6.0 Runtime
> Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2
> Microsoft Windows Vista, 7, 8, 8.1, RT, RT 8.1, 10

A complete list of the affected products can be found in the section "Affected Software" in the Microsoft security bulletin summary available at:

https://technet.microsoft.com/library/security/ms16-jan

Impact:

Depending on the vulnerability exploited, a successful attack could lead to spoofing, arbitrary code execution and elevation of privilege.

Recommendation:

Patches for affected products are available from the Microsoft Update website. Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

> Microsoft Update
   http://update.microsoft.com/microsoftupdate

If any problem is encountered during the patch installation via automated methods, patches for various affected systems can also be downloaded individually from the "Affected and Non-Affected Software" section of the corresponding Microsoft Security Advisory and Bulletins which can be accessed from the URL(s) listed in the "More Information" section of this Security Alert.

More Information:

https://technet.microsoft.com/en-us/library/security/ms16-jan
https://technet.microsoft.com/library/security/MS16-001
https://technet.microsoft.com/library/security/MS16-002
https://technet.microsoft.com/library/security/MS16-003
https://technet.microsoft.com/library/security/MS16-004
https://technet.microsoft.com/library/security/MS16-005
https://technet.microsoft.com/library/security/MS16-006
https://technet.microsoft.com/library/security/MS16-007
https://technet.microsoft.com/library/security/MS16-008
https://technet.microsoft.com/library/security/MS16-010
https://blogs.msdn.microsoft.com/ie/2014/08/07/stay-up-to-date-with-internet-explorer/
https://www.hkcert.org/my_url/en/alert/16011301 (to 16011309)
https://www.us-cert.gov/ncas/current-activity/2016/01/12/Microsoft-Releases-January-2016-Security-Bulletin
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6117
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0002 (to CVE-2016-0003)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0005 (to CVE-2016-0012)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0014 (to CVE-2016-0016)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0018 (to CVE-2016-0020)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0029 (to CVE-2016-0032)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0034 (to CVE-2016-0035)