Of the eight security bulletins Microsoft released on Patch Tuesday, only two, which addressed remote code execution (RCE) flaws, were considered critical.
MS15-056 updated Internet Explorer and fixed 24 vulnerabilities by “preventing browser histories from being accessed by a malicious site,” as well as “adding additional permission validations to Internet Explorer [and] modifying how Internet Explorer handles objects in memory,” the release said, noting that “customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
And MS15-057 plugged a hole in Windows with which attackers could seize control remotely of a system if Windows Media Player “opens specially crafted media content that is hosted on a malicious website.”
Two other bulletins, MS15-059 and MS15-060, which also addressed RCE vulnerabilities, were rated important. In the former, Microsoft noted, the most severe vulnerabilities had implications for Microsoft Office 2010 and 2013, Microsoft Office Compatibility Pack Service Pack 3 and Microsoft Office 2013 RT, and could allow attackers to run an RCE “if a user opens a specially crafted Microsoft Office file.” Successful exploitation of the flaws would let those up to no good “run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights,” the release said.
MS15-060 takes aim at a vulnerability that existed in Microsoft Windows common controls and would allow RCE once a user clicks on a link “then invokes F12 Developer Tools in Internet Explorer.”
Chris Goettl, product manager with Shavlik, also noted in comments emailed to SCMagazine.com, that MS15-061 will also be a top priority. It is an update for Kernel-Mode Derivers and fixes 11 vulnerabilities, “including CVE-2015-2360, which has been exploited in the wild.” He noted an attacker “would have to have logon privileges to the system in question and when exploited would gain the same privileges as the user.”
And David Picotte, manager of security engineering at Rapid7, noted in comments emailed to SCMagazine.com that “an escalation of privilege could be possible in Microsoft Exchange Server (MS15-064) by means of Server-Side Request Forgery (SSRF) [CVE-2015-1764] and Cross-site Request Forgery (CSRF) [CVE-2015-1771]. He warned administrators to patch Exchange servers “ASAP.”
The remaining two bulletins, MS15-062 and MS15-063 also addressed elevation of privilege issues and were rated important.
Picotte noted that “overall,” though, the security bulletins make for a “pretty low key Patch Tuesday release,” while Goettl pointed out that Microsoft skipped issuing a MS15-058 bulletin, which he called “interesting.”
“We will have to wait and see if anything comes of this, such as an out of band or a late drop,” he said.
