Microsoft addressed 26 vulnerabilities in 11 bulletins for its monthly Patch Tuesday release, and four of the bulletins are deemed critical.
In a Tuesday blog post, Wolfgang Kandek, CTO of Qualys, wrote that the critical Office bulletin should be the highest priority because it addresses five remote code execution vulnerabilities, including a zero-day bug.
“CVE-2015-1641 is that 0-day and is currently under limited attacks in the wild on Word 2010,” Kandek wrote. “It applies equally to Word 2007, 2012 and even to Word 2011 on the Mac. Microsoft rates it only ‘important’ because the exploit requires the user to open a malicious file.”
Two other critical remote code execution vulnerabilities addressed in the Office bulletin are CVE-2015-1649 and CVE-2015-1651, which Kandek wrote are triggered in Office 2007 and Office 2010 by simply looking at an email in the Outlook preview pane.
Another critical bulletin addresses a vulnerability in the HTTP protocol stack – CVE-2015-1635 – that can enable remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system, according to a Tuesday release. Windows 7, Windows 8 and 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 are affected.
“An attacker can use the vulnerability to run code on your IIS webserver under the IIS user account,” Kandek wrote, adding that the attack is easy to execute. “The attacker would then use an exploit for a second local vulnerability (EoP) to escalate privilege, become administrator and install permanent exploit code.”
The critical Internet Explorer bulletin – a cumulative security update for the browser – addresses 10 vulnerabilities, nine of which are critical, and the most severe of which can enable remote code execution, the release indicates.
“All versions of Internet Explorer from IE6 on Windows 2003 to IE11 on the latest Windows 8.1 are affected,” Kandek wrote. “The attacker needs the user to open a malicious webpage. Common ways to do so are sending links through email and gaining control of a website that the user habitually browses to.”
The final critical bulletin addresses a vulnerability – CVE-2015-1645 – that can allow for remote code execution if a user browses to a specially crafted website, opens a specially crafted file, or browses to a working directory containing a specially crafted Enhanced Metafile image file, the release indicated. Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 are affected.
The remaining bulletins address elevation of privilege, security feature bypass, information disclosure, and denial-of-service vulnerabilities – affecting SharePoint, .NET Framework and more – that are deemed important.