
Microsoft fixes critical IE vulnerabilities, other bugs on Patch Tuesday

Microsoft released security updates on Tuesday that address several vulnerabilities in a variety of products.

The Internet Explorer (IE) bulletin – MS15-106 – is considered critical for IE 7 through IE 11 on vulnerable Windows clients, and is rated moderate for the aforementioned versions of the browser on affected Windows servers.

“The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer,” the bulletin said. “An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.”

Wolfgang Kandek, CTO of Qualys and longtime Patch Tuesday blogger, wrote on Tuesday that MS15-110 is worthy of attention because it addresses six vulnerabilities in Microsoft Office, five of which can lead to remote code execution. The majority of these issues are in Excel.

“An attacker would trick a user into opening an Excel sheet with an exploit for one of the vulnerabilities in order to be successful, which is not that hard if the Excel sheet is presented in an interesting context, say as relevant product information, pricing and discounts of competing vendors (I get about one e-mail a week offering this type of information),” Kandek wrote.

Kandek noted that MS15-109 is equally worthy of attention as it involves vulnerabilities in Windows Shell that can be exploited via email or web browsing to enable remote code execution. The security update is rated critical by Microsoft.

Successful exploitation of the most severe vulnerabilities outlined in MS15-111 can allow an attacker to elevate privileges if they log on to an affected system and run a specially crafted application, the bulletin said, adding that the security update is for all supported versions of Windows.

Kandek explained how MS15-107 and MS15-108 are related to the IE bulletin.

“MS15-107 is a new version of the new Edge browser, but there are only [two] relatively benign fixes included: an information leak, plus an update for the XSS filter,” Kandek said. “MS15-108 repackages four of the issues from MS15-106 for machines that run a separate version of JavaScript, mainly Internet Explorer 7.”

According to the bulletins, none of the vulnerabilities have been publicly disclosed or are being exploited.
