The Internet Explorer (IE) bulletin – MS15-106 – is considered critical for IE 7 through IE 11 on vulnerable Windows clients, and is rated moderate for the aforementioned versions of the browser on affected Windows servers.
“The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer,” the bulletin said. “An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.”
Wolfgang Kandek, CTO of Qualys and longtime Patch Tuesday blogger, wrote on Tuesday that MS15-110 is worthy of attention because it addresses six vulnerabilities in Microsoft Office, five of which can lead to remote code execution. The majority of these issues are in Excel.
“An attacker would trick a user into opening an Excel sheet with an exploit for one of the vulnerabilities in order to be successful, which is not that hard if the Excel sheet is presented in an interesting context, say as relevant product information, pricing and discounts of competing vendors (I get about one e-mail a week offering this type of information),” Kandek wrote.
Kandek noted that MS15-109 is equally worthy of attention as it involves vulnerabilities in Windows Shell that can be exploited via email or web browsing to enable remote code execution. The security update is rated critical by Microsoft.
Successful exploitation of the most severe vulnerabilities outlined in MS15-111 can allow an attacker to elevate privileges if they log on to an affected system and run a specially crafted application, the bulletin said, adding that the security update is for all supported versions of Windows.
According to the bulletins, none of the vulnerabilities have been publicly disclosed or are being exploited.