KB3097617 and KB3099406 Windows Update fixes security issues in Windows 10
Microsoft has released a couple of Windows Updates on Patch Tuesday, for October 2015.
The updates are KB3097617 and KB3099406.
Microsoft didn’t provide a change log for the updates, as usual. So we have gathered some information from the respective knowledgebase articles.
First let’s take a look at what the latter fixes.
KB3099406 includes patches for security vulnerabilities in the built in Adobe Flash Player for the browsers, Internet Explorer and Microsoft Edge. According to the security advisory issued by Microsoft, the vulnerabilities had the potential to infect a user’s PCs in a scenario which involved a malicious website. An attacker would have to “convince” the user by sending them a message in an IM or via email, with a link for the said malicious website, clicking on which would trigger the attack. So, this is in no way the remote code execution attacks, like we normally see, and instead uses the old phishing email trick to scam the unaware user. This issue found in Adobe Flash Player, should no longer affect users who install the update.
Microsoft is actually quite late to patch Adobe Flash, as the plugin maker rolled out security fixes, quite a while back, which also prompted Google to update its Chrome web browser’s to patch the app’s built in Pepper Flash Player, with the fixes.
KB3097617, on the other hand, is a cumulative Windows Update, and hence contains multiple fixes. Let’s see what loopholes it fixes.
One of the fixes is for a vulnerability, which could have allowed the attacker to get the priviliges of the user logged in (guest user/admin), and runs a specially made malicious app. It has been fixed in the KB3096447 update.
A vulnerability which could allow an attacker to remotely execute a maliciou code, when the user runs a crafted malicious toolbar in Windows. This issue has been patched in the update KB3096443.
Microsoft Edge, and Internet Explorer were both found to be vulnerable to remote code execution, in the event that a user views a specially crafted webpage in the corresponding web browser. KB3096448 and KB3096441 plugged in security holes in edge and IE respectively. The cumulative Windows Update KB3097617, also includes one last fix, which we mention below.
KB3097966 mentions that D-Link Corporation, the makers of network products (routers, hubs, etc) inadvertently published the digital certificates for devices, which resulted in the possibility of spoofing incidents. (faking the IP address). This issue has been patched by
Oh, and yes, since these are security related Windows Updates, you will need to reboot the computer, from the Settings App (Update and Security).