SecurityWeek

Microsoft Releases Critical Security Updates for Internet Explorer, Windows

Microsoft released eight security bulletins today as part of this month’s Patch Tuesday, including two critical updates for Windows and Internet Explorer.

The Internet Explorer bulletin addresses some two dozen vulnerabilities, the most severe of which enable an attacker to remotely execute code. Though one of the bugs – CVE-2015-1765 – has been publicly disclosed, Microsoft is not aware of any of the vulnerabilities being exploited in the wild.

“Internet Explorer (IE) is in the top spot of our recommendations this year as it has been for the last 12 months with the occasional exception of more urgent 0-days in Microsoft and Adobe products,” blogged Qualys CTO Wolfgang Kandek. “The reason is that security researchers continue to report a large number of vulnerabilities in IE – on average over 20 per month.”

The other critical bulletin resolves a vulnerability that could be used to remotely execute code if Windows Media Player opens specially crafted media content hosted on a malicious website. Users with fewer rights on an affected system would be less impacted than those running with administrative rights, according to Microsoft.

Though those are the only two critical bulletins, an update rated ‘Important’ impacting Microsoft Office (MS15-059) has also received attention from researchers. It should be second on organizations’ lists of priorities after the IE bulletin, noted Russ Ernst, director of product management at HEAT Software.

“Although rated as important, it impacts all shipping desktop versions of Microsoft Office,” he explained. “This bulletin addresses 3 vulnerabilities in Office which an attacker can use for remote code execution.”

The remaining bulletins are all rated ‘Important’, and impact Windows and Microsoft Exchange Server.

“In general, everyone will want to apply the Internet Explorer patch and Office patch on all workstations and servers as soon as possible,” said Craig Young, security researcher at Tripwire. “Exchange Administrators will also want to focus on getting MS15-064 deployed if their business makes use of Exchange web applications.”

In addition to the Microsoft bulletins, Adobe Systems today released patches of its own. According to Adobe, none of the security vulnerabilities are known to be actively exploited. The updates impact Adobe Flash Player and AIR and address 13 security bugs.

“To fully update Flash you will need to apply multiple updates. Flash Player and AIR installed at the OS level and plug-ins for Internet Explorer (Advisory), Chrome, and Firefox,” noted Chris Goettl, product manager with Shavlik Technologies. “The updates should be rolled out as soon as possible. Google has released an update for Chrome. The only fix in this release is support for the latest Adobe Flash plug-in. Roll this out as soon as possible.”

“Mozilla Firefox has a new download available, but no bulletin information has been released at this time,” he added. “There will likely be security updates coming, but the count is unknown at this time.”
