Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Patches Critical Windows, Internet Explorer Vulnerabilities in Patch Tuesday Update

Microsoft issued nine security bulletins today for this month’s Patch Tuesday.

Microsoft issued nine security bulletins today for this month’s Patch Tuesday.

Three of the bulletins are rated ‘critical’ and impact Internet Explorer and Microsoft Windows. The IE bulletin (MS15-009) will be the focus for many organizations, and fixes a total of 41 vulnerabilities – one of which was disclosed publicly (CVE-2014-8967) and another of which is known to be under attack (CVE-2015-0071). Despite the large number of fixes, the bulletin does not however address the recently reported universal cross-site scripting vulnerability impacting IE.

“The almost ubiquitous critical cumulative patch for all supported versions of Internet Explorer is back (MS15-009) after a one month hiatus, clearly Microsoft was saving up from last month because this advisory addresses 41 CVEs including CVE-2014-8967 which has been publically disclosed and CVE-2015-0071which is under limited targeted attack,” said Ross Barrett, senior manager of security engineering at Rapid7.

The critical Windows bulletins are MS15-010 and MS15-011. According to Microsoft, MS15-010 addresses one publicly-disclosed and five privately-disclosed issues. The most severe of these can be exploited if an attacker convinces a user to open a specially-crafted document or visit an untrusted website that contains embedded TrueType fonts. MS15-011 meanwhile is aimed at one privately reported issue in Windows that could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network.

“A remote code execution vulnerability exists in how Group Policy receives and applies policy data when a domain-joined system connects to a domain controller,” Microsoft explained in its advisory. “To exploit this vulnerability, an attacker would have to convince a victim with a domain-configured system to connect to an attacker-controlled network.”

The bug, CVE-2015-0008, was discovered by JAS Global Advisors and simMachines. According to JAS, all computers and devices that are members of a corporate Active Directory may be at risk.

“The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device,” according to a JAS advisory. “Roaming machines — Active Directory member devices that connect to corporate networks via the public Internet (possibly over a Virtual Private Network (VPN)) — are at heightened risk.”

“The IE CVE free-for-all is paired up with two critical remote code execution issues affecting all supported versions of Windows, except Server Core variants,” said Barrett. “For MS15-010 this includes CVE-2015-0010 which has been publically disclosed and is the probably reason for the critical designation here, even though over all Microsoft deems this vulnerability as less likely to be exploited. MS15-011 relates to how group policy is applied and is deemed as likely to be exploitable.”

The remaining bulletins are all classified as ‘Important’, and cover issues affecting Microsoft Office, Windows and Microsoft Server Software. One of these is MS15-016, which Core Security Principal Software Engineer Jon Rudolph called interesting but less urgent than the other bulletins.

“It appears that the Microsoft library that draws .tiff images might be exposing your computer’s data to attackers,” he said. “This kind of vulnerability could be used on a malicious website, and the attacker might be able to see personal information about the user that had not intended to disclose. The good news is that they probably don’t get to pick what they see, and there is not a way to take control of the user’s system directly. However, as the information on our desktops and laptops becomes more vital over time, I think we’re more sensitive to information leaks like this and Heartbleed where attackers eavesdropping for long enough periods are bound to find the keys to our kingdoms and use them to fund and build castles of their own.”

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.