SecurityWeek

Microsoft Patches Critical IE, Windows Bugs in Patch Tuesday Update

Microsoft released 11 security bulletins today to address vulnerabilities in a number of products, including a critical Office bug being exploited in the wild.

That issue is CVE-2015-1641 (MS15-033), a remote code execution vulnerability that exists due to the Office software failing to properly handle rich text format files in memory. According to Microsoft, the vulnerability is being exploited in limited, targeted attacks.

“Exploitation of this vulnerability requires that a user open a specially crafted malicious office file, which grants the user the same permissions as the currently running user,” said David Picotte, manager of security engineering at Rapid7. “As we’re all well aware, users are extremely susceptible to phishing attacks; now might be a good time to remind your users to be vigilant and focus your patching efforts on this actively exploited vulnerability.”

MS15-033 is just one of four security bulletins released this month that are classified by Microsoft as ‘critical.’ The others include a massive update for Internet Explorer (MS15-032) that fixes several vulnerabilities. The most severe of the bugs allow remote code execution if a user views a specially-crafted webpage using IE.

“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user,” according to Microsoft. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

The last two critical updates are MS15-034 and MS15-035, and are both for Microsoft Windows. MS15-034 deals with a remote code execution vulnerability that exists in the HTTP protocol stack (HTTP.sys) and occurs when HTTP.sys improperly parses specially-crafted HTTP requests. An attacker could exploit the issue to execute arbitrary code in the context of the system account.

MS15-035 addresses a remote code execution bug that can be exploited if an attacker gets a user to browse to a specially-crafted website, open a malicious file or browse to a working directory containing a malicious Enhanced Metafile (EMF) image file.

“The remaining bulletins are rated as important and include privilege elevation, security feature bypass and denial of service vulnerabilities affecting SharePoint, AD federation services, all versions of .Net and Hyper-V,” Picotte said. “The Hyper-V bulletin (MS15-042 – CVE-2015-1647) in particular could pose a challenge to administrators as it requires a restart, the downstream effects being that hosted VMs will need to be migrated or brought offline for this patching to occur. Administrators might want to hold off until a scheduled maintenance window for MS15-042, as the exploit only results in a denial of service (DoS) and exploitation is rated as ‘less likely’ by Microsoft.”

In addition to the Microsoft patches, Adobe Systems released patches today to cover 22 security holes in Flash Player for Windows, Mac and Linux. One of the vulnerabilities, CVE-2015-3043, is known to be targeted in the wild by attackers. Adobe also issued a fix for ColdFusion.

Written By

Marketing professional with a background in journalism and a focus on IT security.
