Microsoft addressed a number of vulnerabilities in a variety of products on Tuesday – several of the bugs can enable remote code execution and have been deemed critical, and a couple of the flaws are being exploited in the wild.
Wolfgang Kandek, CTO of Qualys and longtime Patch Tuesday blogger, wrote on Tuesday that the highest priority bulletin is MS15-097, which includes fixes for critical bugs in Windows Vista, Windows Server 2008, Microsoft Office 2007 and 2010, and Lync 2007, 2010, and 2013.
“The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts,” the security bulletin said.
As Kandek noted in his post, one of the bugs in this bulletin – CVE-2015-2546, a Win32k memory corruption elevation of privilege vulnerability in all versions of Windows that Microsoft deemed important – is being exploited in the wild.
Another flaw being exploited in the wild is CVE-2015-2545, a Microsoft Office malformed EPS file vulnerability in all Windows versions of Microsoft Office. The critical bug can allow remote code execution and is addressed in bulletin MS15-099, which includes fixes for other Microsoft Office flaws that are considered important.
Kandek wrote that security bulletin MS15-094 should be priority number two because it addresses 17 vulnerabilities in Internet Explorer (IE), 14 of which are deemed critical. With the recent release of Windows 10, Microsoft is also now addressing vulnerabilities in its new Edge browser.
“Looking at the four Edge vulnerabilities patched in August and the four memory corruption bugs addressed today, it is apparent that Edge and IE are at least sharing some libraries, if not more substantial components of the web rendering engine,” Tyler Reguly, manager of security researcher for Tripwire, said in comments emailed to SCMagazine.com.
Bulletin MS15-098 addresses vulnerabilities in Microsoft Windows – the majority of which are deemed critical – that could enable remote code execution if the user opens a specially crafted Journal file.
“On the server side MS15-103 addresses three vulnerabilities in Exchange server (all in Outlook Web Access) and MS15-096 a [denial-of-service] condition in Active Directory,” Kandek wrote, going on to add, “MS15-100, MS15-101, MS15-102 address vulnerabilities in Windows Media Center, .NET and Windows Task Manager and are all rated important, meaning they can only be abused if the attacker is already on the machine.”
In comments emailed to SCMagazine.com, Chris Goettl, product manager with Shavlik, noted that MS15-100 contains a fix for CVE-2015-2509 and MS15-101 contains a fix for CVE-2015-2504, both of which have been publicly disclosed.
FireEye has additional information on CVE-2015-2545 and CVE-2015-2546, the two vulnerabilities being actively exploited.