Microsoft Patches Critical IE, Windows Bugs in Patch Tuesday Update

Microsoft released 11 security bulletins today to address vulnerabilities in a number of products, including a critical Office bug being exploited in the wild.

That issue is CVE-2015-1641 (MS15-033), a remote code execution vulnerability that exists due to the Office software failing to properly handle rich text format files in memory. According to Microsoft, the vulnerability is being exploited in limited, targeted attacks.

“Exploitation of this vulnerability requires that a user open a specially crafted malicious office file, which grants the user the same permissions as the currently running user,” said David Picotte, manager of security engineering at Rapid7. “As we’re all well aware, users are extremely susceptible to phishing attacks, now might be a good time to remind your users to be vigilant and focus your patching efforts on this actively exploited vulnerability.”

MS15-033 is just one of four security bulletins released this month that are classified by Microsoft as ‘critical.’ The others include a massive update for Internet Explorer (MS15-032) that fixes several vulnerabilities. The most severe of the bugs allow remote code execution if a user views a specially crafted webpage using IE.

“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user,” according to Microsoft. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

The last two critical updates, MS15-034 and MS15-035, are both for Microsoft Windows. MS15-034 deals with a remote code execution vulnerability that exists in the HTTP protocol stack (HTTP.sys) and occurs when HTTP.sys improperly parses specially crafted HTTP requests. An attacker could exploit the issue to execute arbitrary code in the context of the system account.

MS15-035 addresses a remote code execution bug that can be exploited if an attacker gets a user to browse to a specially crafted website, open a malicious file or browse to a working directory containing a malicious Enhanced Metafile (EMF) image file.

“The remaining bulletins are rated as important and include privilege elevation, security feature bypass and denial of service vulnerabilities affecting SharePoint, AD federation services, all versions of .Net and Hyper-V,” Picotte said. “The Hyper-V bulletin (MS15-042 – CVE-2015-1647) in particular could pose a challenge to administrators as it requires a restart, the downstream effects being that hosted VMs will need to be migrated or brought offline for this patching to occur. Administrators might want to hold off until a scheduled maintenance window for MS15-042, as the exploit only results in a denial of service (DoS) and exploitation is rated as ‘less likely’ by Microsoft.”

In addition to the Microsoft patches, Adobe Systems released patches today to cover 22 security holes in Flash Player for Windows, Macs and Linux. One of the vulnerabilities, CVE-2015-3043, is known to be targeted by attackers in the wild. Adobe also issued a fix for ColdFusion.
