Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Microsoft Patches Critical Flaws in Windows, Internet Explorer

The six security bulletins released by Microsoft for October 2015 address more than 30 vulnerabilities affecting Windows, Internet Explorer, Edge, and Office.

The six security bulletins released by Microsoft for October 2015 address more than 30 vulnerabilities affecting Windows, Internet Explorer, Edge, and Office.

One of the bulletins rated critical is MS15-106, which resolves a total of 14 vulnerabilities in Internet Explorer. The list of flaws includes memory corruption, privilege escalation, information disclosure, and VBScript and JScript ASLR bypass issues impacting Internet Explorer and the scripting engine.

The most serious of the security holes patched with this bulletin can be exploited by a remote attacker for arbitrary code execution by tricking the targeted user into viewing a specially crafted webpage via Internet Explorer.

Another bulletin that has been rated “critical” is MS15-108, which patches information disclosure, memory corruption, and ASLR bypass vulnerabilities in the VBScript and JScript scripting engines in Windows.

A bulletin that addresses remote code execution flaws in Windows has also been classified as having critical severity. The bugs are caused due to the way Windows Shell and the Microsoft Tablet Input Band handle objects in memory.

The bulletins rated “important” fix weaknesses in Edge, Office, and the Windows kernel. The flaws can be leveraged for information disclosure and remote code execution.

According to Microsoft, there is no evidence that any of these vulnerabilities have been exploited in the wild.

Advertisement. Scroll to continue reading.

“It’s official, a record has been set for the most bulletins released by Microsoft in a single year. In 2013, we saw 106 bulletins released, this month we hit 111 for 2015 and we still have two Patch Tuesdays left,” said Tyler Reguly, manager of security research at Tripwire.

“This month’s updates are pretty ho-hum, we’ve got a list of entirely typical updates. Given that this month is so light, it’ll be interesting to see what November has in store for us. That said, sys admins shouldn’t take the light month to mean they can sit back and take a break. We still have a number of vulnerabilities that should be patched, so updates should be applied following regular schedules.” Reguly told SecurityWeek

Microsoft, Google and Mozilla announced in September their intention to kill the RC4 cipher stream in their web browsers at the beginning of 2016. On Tuesday, Microsoft took further steps in this direction by disabling RC4 in the .NET Transport Layer Security (TLS) on Windows 10 systems running .NET 3.5 applications, and systems with .NET Framework 4.6 that are running .NET 4.5, 4.5.1 and 4.5.2 applications.

Adobe also released security updates on Tuesday to patch a total of nearly 70 vulnerabilities affecting Flash Player, Reader and Acrobat. Shortly after the release of the patches, news broke that malicious actors have been exploiting a Flash Player zero-day in their attacks.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.