Microsoft has issued an alert urging users to update all Windows systems: the latest patch fixes a critical vulnerability. It corrects the way the operating system handles certain files in order to prevent remote code execution.
The flaw, identified under the reference MS16-013, would allow an attacker to execute arbitrary code by posing as the user authenticated in the open Windows session. The flaw is all the more serious for users logged into an account with administrative rights on the workstation.
The typical attack itself is particularly complex to set up: the attacker has to get the user to open a maliciously crafted log file. Once that is done, the attacker would have permission to run programs, delete data, or even create other user accounts with full administrative rights.
Microsoft indicates that, to date, no exploitation of the flaw has been identified. Another flaw, specific to Windows 8.1 and Windows 10, has also been fixed; it allowed code execution by exploiting a PDF file. A third flaw concerned memory corruption in Office that allowed an attacker to obtain the rights of the open session, and finally a set of vulnerabilities has also been fixed in Adobe Flash Player on Windows 8.1.