Connect with us

Hi, what are you looking for?



Microsoft Patches Critical Windows, Internet Explorer Vulnerabilities in Patch Tuesday Update

Microsoft issued nine security bulletins today for this month’s Patch Tuesday.

Microsoft issued nine security bulletins today for this month’s Patch Tuesday.

Three of the bulletins are rated ‘critical’ and impact Internet Explorer and Microsoft Windows. The IE bulletin (MS15-009) will be the focus for many organizations, and fixes a total of 41 vulnerabilities – one of which was disclosed publicly (CVE-2014-8967) and another of which is known to be under attack (CVE-2015-0071). Despite the large number of fixes, the bulletin does not however address the recently reported universal cross-site scripting vulnerability impacting IE.

“The almost ubiquitous critical cumulative patch for all supported versions of Internet Explorer is back (MS15-009) after a one month hiatus, clearly Microsoft was saving up from last month because this advisory addresses 41 CVEs including CVE-2014-8967 which has been publically disclosed and CVE-2015-0071which is under limited targeted attack,” said Ross Barrett, senior manager of security engineering at Rapid7.

The critical Windows bulletins are MS15-010 and MS15-011. According to Microsoft, MS15-010 addresses one publicly-disclosed and five privately-disclosed issues. The most severe of these can be exploited if an attacker convinces a user to open a specially-crafted document or visit an untrusted website that contains embedded TrueType fonts. MS15-011 meanwhile is aimed at one privately reported issue in Windows that could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network.

“A remote code execution vulnerability exists in how Group Policy receives and applies policy data when a domain-joined system connects to a domain controller,” Microsoft explained in its advisory. “To exploit this vulnerability, an attacker would have to convince a victim with a domain-configured system to connect to an attacker-controlled network.”

The bug, CVE-2015-0008, was discovered by JAS Global Advisors and simMachines. According to JAS, all computers and devices that are members of a corporate Active Directory may be at risk.

“The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device,” according to a JAS advisory. “Roaming machines — Active Directory member devices that connect to corporate networks via the public Internet (possibly over a Virtual Private Network (VPN)) — are at heightened risk.”

Advertisement. Scroll to continue reading.

“The IE CVE free-for-all is paired up with two critical remote code execution issues affecting all supported versions of Windows, except Server Core variants,” said Barrett. “For MS15-010 this includes CVE-2015-0010 which has been publically disclosed and is the probably reason for the critical designation here, even though over all Microsoft deems this vulnerability as less likely to be exploited. MS15-011 relates to how group policy is applied and is deemed as likely to be exploitable.”

The remaining bulletins are all classified as ‘Important’, and cover issues affecting Microsoft Office, Windows and Microsoft Server Software. One of these is MS15-016, which Core Security Principal Software Engineer Jon Rudolph called interesting but less urgent than the other bulletins.

“It appears that the Microsoft library that draws .tiff images might be exposing your computer’s data to attackers,” he said. “This kind of vulnerability could be used on a malicious website, and the attacker might be able to see personal information about the user that had not intended to disclose. The good news is that they probably don’t get to pick what they see, and there is not a way to take control of the user’s system directly. However, as the information on our desktops and laptops becomes more vital over time, I think we’re more sensitive to information leaks like this and Heartbleed where attackers eavesdropping for long enough periods are bound to find the keys to our kingdoms and use them to fund and build castles of their own.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.