Microsoft has issued patches for 16 security bulletins in its regular round of security updates for Windows, half of which are rated as critical and could lead to remote code execution.
In one, the Windows Shell does not handle objects in memory properly, a flaw that attackers could use to run arbitrary code and remotely take over systems via specially crafted websites, Microsoft said.
Windows versions 8.1, RT 8.1, 10 as well as Server 2012 R2 are affected by the CVE-2016-0179 vulnerability, which Microsoft said has not been publicly disclosed or exploited.
Other critical vulnerabilities that allow remote code execution have been found in the Windows Journal, where attackers can exploit a memory corruption bug to take control of affected systems and the operating system's graphics subsystem.
Windows Graphics Device Interface (GDI), Imaging Component and Direct3D all contain critical flaws that are remotely exploitable in all currently supported versions of Windows, Microsoft said.
Further critical vulnerabilities have been discovered in Microsoft Office 2007 Service Pack 3, Office 2010 Service Pack 2, Office 2013 Service Pack, and Office 2016. All are remotely exploitable, with attackers able to use specially crafted files and fonts to trigger the vulnerabilities.
The JScript and VBScript scripting engines in Windows Vista Service Pack 2 contain a remotely exploitable flaw, which also affects Windows Server 2008 and 2008 R2.
Likewise, the older Internet Explorer 11 web browser contains five critical vulnerabilities on Windows client operating systems.
This month's Patch Wednesday also updated Adobe Flash Player for Windows 8.1, Server 2012 and 2012 R2, RT 8.1 and Windows 10, plugging multiple remotely exploitable code execution vulnerabilities.