This month sees three patches rated Critical by Microsoft affecting Internet Explorer, Windows, the .NET Framework, Office, Lync, and Silverlight. The CVSS scores from US-CERT rate all three at 9.3, so they certainly pose a risk if left unpatched.
The first Critical patch MS15-043, resolves 22 separate vulnerabilities across InternetExplorer; only Internet Explorer 7 installed on Windows Server 2003 is not affected by this vulnerability. To address the vulnerability, the update modifies how IE handles objects in memory, ensures affected versions of Jscript, VBScript and IE to properly implement the ASLR security feature, as well as adding additional permission validations. The most severe of the vulnerabilities could allow for remote code execution if a user view a specially crafted web page.
The second Critical update from Microsoft MS15-044, address vulnerabilities in Windows, .NET Framework, Office, Lync, and Silverlight by correcting how the Windows DirectWrite library handles OpenType and TrueType fonts. Both vulnerabilities in this update could allow for remote code execution, allowing a hacker to gain the same admin rights as the current user. Those with fewer user rights could be less impacted than those who operate with admin rights.
The final Critical update MS15-045, addresses six vulnerabilities in Microsoft Windows that could allow remote code execution if a user opens a specially crafted Microsoft Journal file. Two of the vulnerabilities were publicly disclosed but, luckily, are not being actively exploited.
10 further updates
All 10 are rated as Important, addressing 18 separate vulnerabilities. There is some disparity however, as US-CERT has given a CVSS of 9.3 for three of the Important updates, meaning they should probably be Critical updates.
MS15-046, MS15-048, and MS-049 should be the next three after your Critical patches to update. The first update address vulnerabilities in Microsoft Office, and could allow for remote code execution. The other two updates here could allow for elevation of privilege and affect Microsoft Windows, .NET Framework, and Silverlight.
Interestingly, US-CERT has given MS15-051 a CVSS of 2.1, whilst Microsoft gives it an Important rating. What’s interesting is one vulnerability within this patch, allowing elevation of privilege, has been publicly disclosed, meaning hackers know about this vulnerability. At the time of writing, Microsoft has confirmed it’s aware of some limited, targeted attacks that are attempting to exploit this vulnerability.
Based on Microsoft’s rating along with US-CERT’s CVSS scores I would recommend prioritising the top six patches in the table below, and then working down the list.
As always, I’d recommend testing patches before rolling them out across your IT estate to avoid any issues or conflicts, and this month you should pay special attention to MS15-044, which may require more testing because of the variety of different products that are impacted.
Author: Rob Brown Director of Services at Verismic and Patch Management Expert
|
Update no. |
CVSS Score | Microsoft rating | Affected software |
Details |
|
MS15-043 |
9.3 | Critical | Microsoft Windows, Internet Explorer | Cumulative security update for Internet Explorer |
| MS15-044 | 9.3 | Critical | Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, Microsoft Silverlight |
Vulnerabilities in Microsoft Font Driver could allow remote code execution |
|
MS15-045 |
9.3 | Critical | Microsoft Windows | Vulnerability in Windows journal could allow remote code execution |
| MS15-046 | 9.3 | Important | Microsoft Office |
Vulnerabilities in Microsoft Office could allow remote code execution |
|
MS15-048 |
9.3 | Important | Microsoft Windows, Microsoft .NET Framework | Vulnerabilities in .NET Framework could allow elevation of privilege |
| MS15-049 | 9.3 | Important | Microsoft Silverlight |
Vulnerability in Silverlight could allow elevation of privilege |
|
MS15-047 |
8.5 | Important | Microsoft Server Software | Vulnerabilities in Microsoft SharePoint Server could allow remote code execution |
| MS15-050 | 7.2 | Important | Microsoft Windows |
Vulnerability in Service Control Manager could allow elevation of privilege |
|
MS15-055 |
5.0 | Important | Microsoft Windows | Vulnerability in Schannel could allow information disclosure |
| MS15-054 | 4.3 | Important | Microsoft Windows |
Vulnerability in Microsoft Management Console File Format could allow denial of service |
|
MS15-053 |
3.5 | Important | Microsoft Windows | Vulnerabilities in Jscript and VBScript Scripting Engines could allow security feature bypass |
| MS15-051 | 2.1 | Important | Microsoft Windows |
Vulnerabilities in Window Kernel-Mode Drivers could allow elevation of privilege |
|
MS15-052 |
2.1 | Important | Microsoft Windows |
Vulnerability in Windows Kernel could allow security feature bypass |
