This month’s baseline of updates may give a false sense of security as most of Microsoft’s updates are only ranked as Important, but of the six Important updates, half of them have a CVSS of 9.3, indicating these updates are actually very severe. But with so few updates in this month’s bulletin, the challenge of prioritizing these shouldn’t be as much of an issue compared to previous months.
Whilst not specifically a Microsoft Bulletin, KB3035583 has been released in this patch update, which is a pre-requisite for the Windows 10 “self-updating” mechanism, which will enable a user to upgrade to Windows 10 for free. This, of course, poses a risk for any company that cannot control the release of this patch. Installing this particular patch by accident can lead to users downloading and installing an unsupported operating system – before the IT department gets a chance to test their builds are compatible.
Those of you with a hawk eye will have noticed there is a patch update missing – MS15-058. As we’ve seen in the past, this could be for a number of reasons such as the patch not being stable or ready for release. There’s the possibility that it could be a severe vulnerability that would require an out-of-band patch later in the month. Only time will tell as to why it’s missing. For the meantime, let’s take a look at each vulnerability in a little more detail.
There are only two Critical updates this month according to Microsoft, but as I mentioned above there are in fact a total of five bulletins that are ranked very high [9.3] by US-Cert using CVSS scoring. With that in mind, I certainly would make the first two updates of this month the first patches you install.
Similar to previous months, the first patch update is a cumulative update for Internet Explorer, fixing a total of 20 separate vulnerabilities. I’m sure it doesn’t come as a surprise that the most severe of these vulnerabilities could allow remote code execution – an attacker could take full control of a system, creating new user accounts with full admin rights. Patch MS15-056 first, ask questions later (well, once you’ve tested the patch before rolling it out).
Read the full article at itchannelexpert.com