October, 2016: Patch Monday: Hundreds of CVEs Addressed This Month

Welcome to the October Patch Monday Bulletin. This month would be a normal month with a handful of patches if it were not for the October 2016 Oracle Critical Patch Update Advisory. This quarter's Oracle update addresses 253 new security fixes across the Oracle family of products. The complete list of affected products and vulnerabilities can be found here. The chart below links to the Java-specific security updates, since we are focusing more on endpoint security. Over the years, Java has been a highly targeted application, so we agree with Oracle this month and strongly recommend that you apply critical patch updates without delay. The next area of focus this month should be the endpoints in your environment running Adobe Flash Player on Windows, Mac and ChromeOS machines. Adobe has given this patch a “priority 1” rating, so you should install the update as soon as possible: the vulnerability could allow an attacker to take control of the affected system. Next, we recommend that you update Chrome if you don't already have it updating automatically. Unfortunately, the complete details for the CVEs affecting Chrome have not been publicly released yet, but we do know that multiple vulnerabilities are addressed in Google's latest stable update, some of which are high risk. So please test and update as soon as you can.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia, which documents all of the Security Log event IDs for Windows Server OSes. Back in 2007, when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint, but I also found a similar need in SQL Server and Exchange. So not only did I document the data, but I also started to develop the means to extract that event data from these applications so that it's accessible and usable to the end user. Some 8 years later, LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

Patch data provided by:

Columns: Platform / Product Version Affected | Date Released by Vendor | Vulnerability Info | Severity / Our Recommendation

Adobe Flash Player (multiple CVEs)
  Version affected:  Win/Mac/ChromeOS and earlier; Win/Mac ESR and earlier; Linux and earlier
  Vulnerability:     Arbitrary Code Execution and Memory Corruption
  Recommendation:    Priority 1: Update in 72 hours / Priority 3: Update at admin's discretion

Adobe Acrobat and Reader (multiple CVEs)
  Version affected:  Win/Mac Continuous Track 15.017.20053 and earlier; Classic Track 15.006.30201 and earlier; Desktop Track 11.0.17 and earlier
  Vulnerability:     Arbitrary Code Execution
  Recommendation:    Priority 2: Install the update within 30 days

Adobe Creative Cloud Desktop Application
  Version affected:  Win and earlier versions
  Vulnerability:     Unquoted search path possibly allowing local privilege escalation
  Recommendation:    Priority 3: Update at admin's discretion

Google Chrome (multiple CVEs)
  Version affected:  Before 54.0.2840.71
  Vulnerability:     Not all details have been released, but the update covers multiple vulnerabilities
  Recommendation:    Update as soon as possible

Mozilla Firefox
  Version affected:  Ver 49 only; Ver 48 and 49
  Vulnerability:     Exploitable use-after-free crash / Unauthorized data access
  Recommendation:    Update after testing

Oracle Java (multiple CVEs)
  Version affected:  Java SE: 6u121, 7u111, 8u102; Java SE Embedded: 8u101
  Date released:     October 2016 Update
  Vulnerability:     Remotely exploitable without authentication
  Recommendation:    Patch after testing
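A practical way to act on a chart like this is to compare an endpoint inventory against the affected-version ranges it lists. The script below is an added example written for this page, not code from the bulletin or from the patch-data provider: the thresholds are transcribed from the chart above (Acrobat/Reader "and earlier", Chrome "before 54.0.2840.71", Firefox by major version, Java SE by update level), while the inventory rows, hostnames and the product name "Other Product" are constructed sample data. It parses dotted and Java-style ("8u102") version strings into integer tuples so that comparisons are numeric rather than lexical, which is the usual mistake when this is done with string comparison in a spreadsheet.

```python
"""Check an endpoint inventory against the affected-version ranges listed in
the October 2016 bulletin above. Thresholds are transcribed from the chart;
the inventory below is constructed sample data (hypothetical hosts).
"""
import csv
import io
import re

# Rule kinds:
#   "le":       affected when installed <= threshold ("X and earlier")
#   "lt":       affected when installed <  threshold ("before X")
#   "major_in": affected when the major version is in the set (the chart lists
#               Firefox by major version only, so any 48.x / 49.x is flagged)
# Flash Player and Creative Cloud carry no version numbers in the chart, so no
# rule is written for them here.
AFFECTED = {
    ("Adobe Acrobat and Reader", "Continuous"): ("le", "15.017.20053"),
    ("Adobe Acrobat and Reader", "Classic"): ("le", "15.006.30201"),
    ("Adobe Acrobat and Reader", "Desktop"): ("le", "11.0.17"),
    ("Google Chrome", ""): ("lt", "54.0.2840.71"),
    ("Mozilla Firefox", ""): ("major_in", {48, 49}),
    ("Oracle Java SE", "6"): ("le", "6u121"),
    ("Oracle Java SE", "7"): ("le", "7u111"),
    ("Oracle Java SE", "8"): ("le", "8u102"),
    ("Oracle Java SE Embedded", "8"): ("le", "8u101"),
}


def parse_version(text):
    """Convert '15.017.20053', '54.0.2840.71' or Java-style '8u102' into a
    tuple of ints. Integer tuples compare numerically, so 15.017.20053 sorts
    above 15.1 as intended, which a plain string comparison gets wrong."""
    text = text.strip()
    m = re.fullmatch(r"(\d+)u(\d+)", text)
    if m:
        return (int(m.group(1)), int(m.group(2)))
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(product, track, version):
    """True/False for products the bulletin covers, None for anything else."""
    rule = AFFECTED.get((product, track))
    if rule is None:
        return None
    kind, threshold = rule
    installed = parse_version(version)
    if kind == "major_in":
        return installed[0] in threshold
    limit = parse_version(threshold)
    return installed <= limit if kind == "le" else installed < limit


def audit(inventory_csv):
    """Map each host in a CSV inventory (host,product,track,version) to
    'affected', 'ok' or 'not covered'."""
    status = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        verdict = is_affected(row["product"], row["track"], row["version"])
        status[row["host"]] = (
            "not covered" if verdict is None else "affected" if verdict else "ok"
        )
    return status


# Constructed sample inventory: hostnames and installed versions are hypothetical.
SAMPLE_INVENTORY = """\
host,product,track,version
ws-01,Google Chrome,,53.0.2785.143
ws-02,Google Chrome,,54.0.2840.71
ws-03,Adobe Acrobat and Reader,Continuous,15.017.20053
ws-04,Adobe Acrobat and Reader,Classic,15.006.30243
ws-05,Oracle Java SE,8,8u102
ws-06,Oracle Java SE,8,8u111
ws-07,Oracle Java SE,7,7u80
srv-01,Oracle Java SE Embedded,8,8u101
ws-08,Mozilla Firefox,,48.0.2
ws-09,Other Product,,1.2.3
"""

if __name__ == "__main__":
    for host, state in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {state}")
```

Note that a version exactly equal to Chrome's fixed build (ws-02) is reported as ok because the chart says "before 54.0.2840.71", whereas a version equal to an "and earlier" threshold (ws-03, ws-05, srv-01) is still affected; keeping the two rule kinds separate is what makes that distinction explicit.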
