Microsoft has released patches for nine vulnerabilities in various software packages, with five of the flaws being remotely exploitable.
Among them was a remote code execution vulnerability that affects the Windows PDF library that opens PDF files. It is embedded in some applications, among them the Edge browser.
An attacker could use this flaw to gain access to a user's machine through a specially crafted PDF. Clicking on a link to this PDF from any browser would result in Edge opening the page as it is the default PDF viewer on a Windows 10 system.
Another patch resolved a second critical flaw in Edge, with a user at risk if they were sent to a specially crafted Web page. This would enable the execution of remote code with the rights of the user in question, meaning that anyone using an administrator account was more at risk of having their systems hosed.
A third critical flaw was in the Microsoft Graphics Component and affected Windows, Skype for Business, Office and Lync. Once again an attacker could use either a Web page or a document to trigger an attack.
Another critical flaw was patched in Microsoft Office, with the attack vector being a specially created Office document.
And the fifth critical flaw was in the old faithful, Internet Explorer, with the attack vector once again being a Web page crafted for the purpose.
The other four vulnerabilities patched were classified as Important, one of which allowed an attacker to bypass the security features of Secure Boot. To exploit this, an attacker would need to install an affected boot manager and bypass Windows security features.