New Adobe Flash zero-day overshadows another bumper Microsoft Patch Tuesday
Adobe promises fix for yet another critical Flash security flaw announced as Microsoft releases Patch Tuesday
Microsoft's latest Patch Tuesday batch of Windows security fixes has been overshadowed by yet another Adobe Flash zero-day. Adobe has promised to rush out a fix for the vulnerability on Thursday.
In a security advisory, Adobe warned that successful exploitation of the flaw, CVE-2016-4171, could enable an attacker to take control of a targeted system, and that an exploit has already been uncovered in the wild. Not surprisingly, Adobe classified the flaw as "critical".
Microsoft, meanwhile, has released 16 fixes for core products, including five rated critical, in its latest Patch Tuesday.
Internet Explorer receives a fix for a flaw, tagged MS16-063, that could allow remote code execution if a user visits a specially crafted web page designed to exploit the vulnerability. A hacker could gain the same rights as the user, including taking control of the system, viewing, changing or deleting data, and creating new accounts with full user rights, Microsoft warned.
The flaw is rated critical for IE 9 and 11 on affected Windows clients, but only moderate for IE 9, 10 and 11 on affected Windows servers.
Microsoft's Edge browser also receives a critical fix for an almost identical problem.
Qualys CTO Wolfgang Kandek said in a blog post that companies should apply the browser fixes as soon as possible. "These vulnerabilities represent a favourite attack vector for cyber criminals, and we recommend addressing them in the next seven days," he said.
However, Kandek added that the most important fix is MS16-071, which affects the Microsoft Windows DNS Server.
"This security update resolves a vulnerability in Microsoft Windows that could allow remote code execution if an attacker sends specially crafted requests to a DNS server," said Microsoft.
Kandek warned that firms must act quickly to apply this patch. "Successful exploitation yields the attacker remote code execution on the server, which is extremely worrisome on such a mission-critical service as DNS," he said.
"Organisations that run their DNS server on the same machine as their Active Directory server need to be doubly aware of the danger of this vulnerability."
The other notable critical fix is for Office, and again could allow remote code execution if a user opens a specially crafted Microsoft Office file.
"An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user," said Microsoft.
The other 11 fixes are rated as important and cover several services; again, the advice is to act quickly on those that have a direct impact on your environment.
The current rate of patches being issued by Microsoft puts the firm on track for a record year. Kandek noted that the June release brings the half-year total to 81, suggesting a possible 160 by the end of the year.