Microsoft has issued its January batch of security updates – including what will be the final round of patches for many versions of Internet Explorer.
The first Patch Tuesday monthly security release of the year includes fixes for 25 CVE-listed flaws in Windows, Internet Explorer, Edge, and Office. Among the patched bugs are remote code execution vulnerabilities, elevation of privilege holes, and a spoofing vulnerability.
Microsoft did not report any active exploits targeting the security vulnerabilities addressed in this month's patch bundle.
- MS16-007 addresses six CVE-listed bugs, including a flaw in Remote Desktop Server on Windows 10 that would allow an attacker to remotely log into password-less accounts, which would normally be blocked. By default, Windows should prevent Remote Desktop access to password-less profiles, but somewhere along the line, Windows 10 started allowing access to unprotected accounts, which would have caught some IT admins with their pants down. Now Redmond has gone back to the usual default of blocking Remote Desktop to password-less users.