Microsoft released eight security bulletins today as part of this month’s Patch Tuesday, including two critical updates for Windows and Internet Explorer.
The Internet Explorer bulletin addresses some two dozen vulnerabilities, the most severe of which enable an attacker to remotely execute code. Though one of the bugs – CVE-2015-1765 – has been publicly disclosed, Microsoft is not aware of any of the vulnerabilities being exploited in the wild.
“Internet Explorer (IE) is in the top spot of our recommendations this year as it has been for the last 12 months with the occasional exception of more urgent 0-days in Microsoft and Adobe products,” blogged Qualys CTO Wolfgang Kandek. “The reason is that security researchers continue to report a large number of vulnerabilities in IE – on average over 20 per month.”
The other critical bulletin resolves a vulnerability that could be used to remotely execute code if Windows Media Player opens specially crafted media content hosted on a malicious website. Users with fewer rights on an affected system would be less impacted than those running with administrative rights, according to Microsoft.
Though those are the only two critical bulletins, an update rated ‘Important’ impacting Microsoft Office (MS15-059) has also received attention from researchers. That should be second on an organization’s list of priorities after the IE bulletin, noted Russ Ernst, director of product management at HEAT Software.
“Although rated as important, it impacts all shipping desktop versions of Microsoft Office,” he explained. “This bulletin addresses 3 vulnerabilities in Office which an attacker can use for remote code execution.”
The remaining bulletins are all rated ‘Important’, and impact Windows and Microsoft Exchange Server.
“In general, everyone will want to apply the Internet Explorer patch and Office patch on all workstations and servers as soon as possible,” said Craig Young, security researcher at Tripwire. “Exchange Administrators will also want to focus on getting MS15-064 deployed if their business makes use of Exchange web applications.”
In addition to the Microsoft bulletins, Adobe Systems today released some patches of its own. According to Adobe, none of the security vulnerabilities are known to be getting exploited. The updates impact Adobe Flash Player and AIR and address 13 security bugs.
“To fully update Flash you will need to apply multiple updates. Flash Player and AIR installed at the OS level and plug-ins for Internet Explorer (Advisory), Chrome, and Firefox,” noted Chris Goettl, product manager with Shavlik Technologies. “The updates should be rolled out as soon as possible. Google has released an update for Chrome. The only fix in this release is support for the latest Adobe Flash plug-in. Roll this out as soon as possible.”
“Mozilla Firefox has a new download available, but no bulletin information has been released at this time,” he added. “There will likely be security updates coming, but the count is unknown at this time.”