To thwart FREAK attacks, the tech giant plugged a security feature bypass vulnerability (CVE-2015-1637) in Schannel. The patch, MS15-031, was one of nine Microsoft bulletins ranked “important” this month, and corrected the cipher suite enforcement policies used when server keys are exchanged between servers and client systems, the bulletin explained.
“The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems,” the company said.
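The cipher-suite enforcement the bulletin refers to, modelled as an added example that is not part of the article or of Schannel: a client must refuse a ServerKeyExchange carrying a temporary RSA key unless an RSA_EXPORT suite was actually negotiated, and should refuse export suites altogether. The suite values are IANA registry entries; `HandshakeState`, `validate_key_exchange`, `offers_export_suites` and the sample handshakes are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IANA TLS cipher-suite registry values for the RSA export-grade suites
# that the FREAK downgrade relied on.
RSA_EXPORT_SUITES: Dict[int, str] = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

@dataclass
class HandshakeState:
    """Hypothetical view of what a client has seen so far (constructed)."""
    negotiated_suite: int      # cipher suite value taken from ServerHello
    rsa_params_in_ske: bool    # ServerKeyExchange carried an RSA modulus/exponent

def validate_key_exchange(state: HandshakeState, allow_export: bool = False) -> Tuple[bool, str]:
    """Return (accept, reason) for the server's key-exchange messages.

    Policy enforced: RSA parameters in ServerKeyExchange are legal only when
    an RSA_EXPORT suite was negotiated, and export suites themselves are
    refused unless the caller explicitly allows them.
    """
    is_export = state.negotiated_suite in RSA_EXPORT_SUITES
    if is_export and not allow_export:
        return False, f"export suite negotiated: {RSA_EXPORT_SUITES[state.negotiated_suite]}"
    if state.rsa_params_in_ske and not is_export:
        # The FREAK condition: a non-export suite was agreed, yet the server
        # supplied a temporary RSA key. A vulnerable client accepted this and
        # used the weak key; a correct client aborts the handshake here.
        return False, "ServerKeyExchange with RSA params under a non-export suite"
    return True, "ok"

def offers_export_suites(client_hello_suites: List[int]) -> List[str]:
    """Server-side audit helper: names of RSA export suites present in a ClientHello."""
    return [RSA_EXPORT_SUITES[s] for s in client_hello_suites if s in RSA_EXPORT_SUITES]

# Constructed samples: a downgraded handshake (AES-128 suite agreed, but the
# server still sent RSA params) beside a normal one with the same suite.
DOWNGRADED_SAMPLE = HandshakeState(negotiated_suite=0x002F, rsa_params_in_ske=True)
NORMAL_SAMPLE = HandshakeState(negotiated_suite=0x002F, rsa_params_in_ske=False)

if __name__ == "__main__":
    print(validate_key_exchange(DOWNGRADED_SAMPLE))  # rejected
    print(validate_key_exchange(NORMAL_SAMPLE))      # accepted
    print(offers_export_suites([0x002F, 0x0003, 0x0008, 0x0035]))
```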
Critical patches in the Patch Tuesday bunch consisted of five bulletins: a cumulative security update for Internet Explorer (IE), a fix for a vulnerability in Windows' VBScript scripting engine which could allow remote code execution (RCE), and patches for bugs in Microsoft Office, Adobe Font Driver and Windows which could also allow RCE.
Wolfgang Kandek, CTO of network security and vulnerability management firm Qualys, shared his own Patch Tuesday insight on the company's blog. According to Kandek, the update that should receive the highest priority for administrators is the cumulative Internet Explorer update (for IE 6 through IE 11), MS15-018. Second is MS15-022, which resolves bugs in Microsoft Office, he wrote Tuesday.
“MS15-022 is our next bulletin in terms of severity,” Kandek said. “It addresses five vulnerabilities in Microsoft Office, one of them critical in the RTF parser. The RTF parser can be executed automatically in the preview pane when receiving an e-mail, so Microsoft rates this vulnerability critical. But even two of the remaining vulnerabilities give the attacker Remote Code Execution, so we rank this bulletin highly in today's lineup.”
Kandek later advised security management to assess their exposure to Superfish, adware that turned out to be pre-installed on Lenovo PCs. When the security industry got wind of the news last month, experts warned that Superfish leaves users vulnerable to man-in-the-middle (MitM) attacks that break HTTPS security, potentially allowing attackers to intercept encrypted SSL connections and eavesdrop or steal data while users carry out a number of online activities.