Microsoft's Patch Tuesday overshadowed by Adobe's 52-fix release
Adobe promises to fix a major Flash flaw being exploited in the wild by the end of the week
Microsoft's regular-as-clockwork Patch Tuesday has been overshadowed by Adobe's monster release of 52 more fixes for its Flash client software.
Indeed, Wolfgang Kandek, chief technology officer at security company Qualys, places Adobe Flash at the forefront of his monthly Patch Tuesday polemic.
"Your primary attention should be on Adobe Flash. Adobe has acknowledged that a vulnerability (CVE-2016-4171) in the current Flash player is being used in the wild and delayed the expected monthly Adobe Flash patch," he said.
"Adobe's APSA16-03 advisory promises the patch for the end of this week. Pay close attention to the release and address it as quickly as possible. By the way, this is the third month in a row that we see a zero-day in Flash, making it certainly the most targeted software on your organisation's endpoints."
However, Kandek warned that the Microsoft Security Bulletin for July 2016 is a record breaker thanks to impressive, or less than impressive, numbers from the company.
"Microsoft is coming out with 16 bulletins fixing over 40 vulnerabilities. It brings up the half-year total to 81 which projects to a total of over 160 for 2016, a new record in terms of patches for the past decade," Kandek said.
He continued: "The most interesting vulnerability on the server side is addressed in MS16-071 that fixes a single critical vulnerability in Microsoft's DNS server. Successful exploitation yields the attacker remote code execution on the server, which is extremely worrisome on a mission-critical service such as a DNS server.
"Organisations that run their DNS server on the same machine as their Active Directory server need to be doubly aware of the danger of this vulnerability.
"On the client side the most important vulnerability is addressed in MS16-070, which fixes a number of problems in Microsoft Office."
Chris Goettl, product manager at Shavlik, also suggested that security staff and Windows PC users will be busy for the next few weeks, purely with patching.
"Even though there are no zero-day vulnerabilities, July's Patch Tuesday is far from boring. So far, we have Adobe releasing updates for Adobe Flash, Acrobat and Reader. Additionally, Microsoft is releasing 11 updates, six of which are critical," he said.
"In upcoming news, Oracle is due to have its quarterly Critical Patch Update release on 19 July. We also have the one-year anniversary of Server 2003 end of life on 14 July, and it looks like the anniversary update for Windows 10 is slated for 2 August, although the Insider build looks like it may have just stabilised on 1607 this week."