The Usual Suspects: October Patch Tuesday

Could this be Christmas come early this month? Microsoft released a very light Patch Tuesday, quite possibly the smallest of the year so far. However, it’s still important to plan your repair strategy this month, as there is far more than just Microsoft updates to worry about.

Microsoft’s release consists of 6 patch bulletins (3 critical and 3 important), which are reported to resolve a total of 33 individual vulnerabilities. Windows, Internet Explorer, Office and Edge are the usual offenders. More urgently, we have been made aware of a specific threat to Windows today with the publication of information about Dridex P2P Malware by the United States Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This threat is actively targeting the banking industry by stealing bank credentials on unpatched systems.

You may imagine this kind of malware to be some sophisticated technology; however, this impacts the trusted Microsoft Office suite. Dridex is capable of stealing credentials, bank details and email addresses, and a system can be infected simply by opening an email attachment. We highly encourage all IT Security Administrators to make sure their staff know what to do with unsolicited emails: send such emails to the trash.

Be on the lookout for the latest updates of Google and Adobe products. These guys are resolving more than 90 combined vulnerabilities, almost triple Microsoft’s count this month. We recommend you pay particular attention to APSB15-24, an update for Adobe Acrobat and Adobe Reader that is documented as resolving a whopping 55 vulnerabilities.

All content from the following table will be added into the Syxsense subscription shortly. Combining the vendor severity, independent CVSS score and current exposure, we will be recommending that our patch management as a service (PMAAS) clients treat the following updates as a priority in their remediation cycle this month: MS15-106, MS15-108, MS15-109 and MS15-110. In our opinion, the most important update in this release is MS15-106, due to the active exploits already being reported and its CVSS score of 9.3, which will likely impact our customers the most.

The independent CVSS scores range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9 are Medium, and those in the range 0-3.9 are Low.

| Patch Number | Executive Summary | Vulnerability Type | Vendor Severity | CVSS Score |
|---|---|---|---|---|
| MS15-106 | This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. | Remote Code Execution | Critical | 9.3 |
| MS15-108 | This security update resolves vulnerabilities in the VBScript and JScript scripting engines in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker hosts a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer (or leverages a compromised website or a website that accepts or hosts user-provided content or advertisements) and then convinces a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that uses the IE rendering engine to direct the user to the specially crafted website. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user and, if the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. | Remote Code Execution | Critical | 9.3 |
| MS15-109 | This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted toolbar object in Windows or an attacker convinces a user to view specially crafted content online. | Remote Code Execution | Critical | 9.3 |
| MS15-110 | This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. | Remote Code Execution | Important | 9.3 |
| MS15-111 | This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. | Elevation of Privilege | Important | 7.2 |
| MS15-107 | This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow information disclosure if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. | Information Disclosure | Important | 4.3 |