Microsoft issued its monthly Patch Tuesday update today with nearly half of its 14 security bulletins addressing vulnerabilities in its newest operating system, Windows 10.
Two of the four “critical” vulnerabilities impact Windows, while one primarily affects the company's Office offerings. The most severe of the vulnerabilities addressed in the Office bulletin could allow Remote Code Execution (RCE) if a user opens a specially crafted Microsoft Office file.
“An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user,” Microsoft wrote. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
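The mitigation Microsoft describes above, running day-to-day with fewer user rights, is something an administrator can check for on a Windows endpoint. The following PowerShell snippet is an added example and is not from Microsoft or the article: it reports whether the current session holds administrative rights and whether a given update is installed. The KB identifier is a placeholder, since the article names bulletins and a CVE but no KB numbers.

```powershell
# Added example (not from the article). Checks two things a defender cares about
# after a Patch Tuesday: is this session running with administrative rights, and
# is a particular update present? Replace KB0000000 with the real KB for the
# bulletin you are verifying; the placeholder is not a value from the article.

function Test-IsElevated {
    # Returns $true when the current process token is in the local Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-UpdateInstalled {
    param([Parameter(Mandatory)][string]$KbId)   # e.g. "KB0000000" (placeholder)
    # Get-HotFix queries the installed-updates store; -Id filters by KB number.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return ($null -ne $hotfix)
}

if (Test-IsElevated) {
    Write-Warning "This session has administrative rights; a successful exploit would run with them."
} else {
    Write-Output "Session is running with standard user rights."
}

$kb = "KB0000000"   # placeholder, not from the article
if (Test-UpdateInstalled -KbId $kb) {
    Write-Output "$kb is installed."
} else {
    Write-Warning "$kb is not installed on this host."
}
```

Running the script as a standard user should print the non-elevated message; the update check only tells you whether a specific KB is present, so it needs the KB number for the bulletin you are tracking.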
Wolfgang Kandek, CTO at Qualys, noted in a blog post that Office vulnerabilities are rarely classified as critical. The company typically “downgrades a vulnerability when user interaction is required, such as opening a DOCX file,” he wrote. “But CVE-2015-2466 is rated critical on Office 2007 and Office 2010 indicating that the vulnerability can be triggered automatically, possibly through the Outlook email preview pane, and provide Remote Code Execution, giving the attacker control over the targeted machine.”
Critical patch MS15-079 deals with Internet Explorer vulnerabilities that could, in a worst-case scenario, allow for RCE if a user views a specially crafted webpage using Internet Explorer. The attacker would gain the same user rights as the current user.
The last critical fix addresses vulnerabilities in Microsoft's new Edge browser that relate to three of the same RCE vulnerabilities in the prior bulletin.
This is the first patch cycle since Windows 10 was released, and in May, the company said consumers would no longer receive Patch Tuesday updates. Instead, patches would be issued immediately upon becoming available.
The remaining 10 vulnerabilities were rated with “important” severity, meaning the patched bugs could, if left unfixed, compromise the “confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources,” Microsoft wrote on its “Severity Rating System” page.