SecurityWeek

Microsoft Patches Critical IE, Windows Bugs in Patch Tuesday Update

Microsoft released 11 security bulletins today to address vulnerabilities in a number of products, including a critical Office bug being exploited in the wild.

That issue is CVE-2015-1641 (MS15-033), a remote code execution vulnerability that exists due to the Office software failing to properly handle rich text format files in memory. According to Microsoft, the vulnerability is being exploited in limited, targeted attacks.

“Exploitation of this vulnerability requires that a user open a specially crafted malicious office file, which grants the user the same permissions as the currently running user,” said David Picotte, manager of security engineering at Rapid7. “As we’re all well aware, users are extremely susceptible to phishing attacks, now might be a good time to remind your users to be vigilant and focus your patching efforts on this actively exploited vulnerability.”

MS15-033 is just one of four security bulletins released this month that are classified by Microsoft as ‘critical.’ The others include a massive update for Internet Explorer (MS15-032) that fixes several vulnerabilities. The most severe of the bugs allow remote code execution if a user views a specially-crafted webpage using IE.

“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user,” according to Microsoft. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

The last two critical updates are MS15-034 and MS15-035, and are both for Microsoft Windows. MS15-034 deals with a remote code execution vulnerability that exists in the HTTP protocol stack (HTTP.sys) and occurs when HTTP.sys improperly parses specially-crafted HTTP requests. An attacker could exploit the issue to execute arbitrary code in the context of the system account.

MS15-035 addresses a remote code execution bug that can be exploited if an attacker gets a user to browse to a specially-crafted website, open a malicious file or browse to a working directory containing a malicious Enhanced Metafile (EMF) image file.

“The remaining bulletins are rated as important and include privilege elevation, security feature bypass and denial of service vulnerabilities affecting SharePoint, AD federation services, all versions of .Net and Hyper-V,” Picotte said. “The Hyper-V bulletin (MS15-042 – CVE-2015-1647) in particular could pose a challenge to administrators as it requires a restart, the downstream effects being that hosted VMs will need to be migrated or brought offline for this patching to occur. Administrators might want to hold off until a scheduled maintenance window for MS15-042, as the exploit only results in a denial of service (DoS) and exploitation is rated as ‘less likely’ by Microsoft.”

In addition to the Microsoft patches, Adobe Systems released patches today to cover 22 security holes in Flash Player for Windows, Macs and Linux. One of the vulnerabilities, CVE-2015-3043, is known to be targeted in the wild by attackers. Adobe also issued a fix for ColdFusion.
