With only six security bulletins, October is a relatively light month for a Microsoft Patch Tuesday. Still, three of the six updates are rated as Critical and contain remote code execution vulnerabilities that affect a broad range of platforms and applications across the Microsoft ecosystem. I spoke with security experts from Rapid7 and Core Security to find out what you need to know about the latest security updates from Microsoft and how you should prioritize the patches and updates.
Today is the second Tuesday of October, which means that it is the 10th Microsoft Patch Tuesday of 2015. There are only six new security bulletins this month from Microsoft, and only three of them are rated as Critical by Microsoft, but the potential scope and impact of the underlying vulnerabilities have security experts stressing the importance of applying the updates sooner rather than later.
Microsoft released 6 security bulletins, resolving a total of 19 vulnerabilities. Half of the security bulletins are Critical and all of the Critical bulletins (MS15-106, MS15-108, MS15-109) are remote code execution issues affecting Internet Explorer, the Edge browser, VBScript & JScript Engines, Windows Shell, Office, Office Services and apps, as well as Microsoft Server Software. In other words, much of the Microsoft ecosystem is vulnerable to these remote code execution flaws.
“This month is dominated by remote code execution vulnerabilities enabling information disclosure if a user opens/visits specifically crafted content,” warns Adam Nowak, Rapid7 Active Lead Engineer. “The vulnerabilities affect Internet Explorer, Edge, Windows Shell and Microsoft Office. It is advisable for users and administrators to patch the affected platforms.”
Jon Rudolph, principal software engineer at Core Security, cautions, “The IE vulnerability is a remote code execution if a user can be made to visit a malicious page and the patch requires a restart. There’s also a remote code execution vulnerability in JScript and VBScript, which could allow an attack via crafted Office Document and ActiveX controls.”
Check out the full post on CSOOnline: Experts warn users to quickly apply Microsoft Patch Tuesday updates.