Microsoft's November Patch Tuesday security bulletin lists 12 bulletins, four of which are rated critical. The critical updates, issued for Internet Explorer, Edge and two other Windows components, all repair vulnerabilities that would allow remote code execution.
Microsoft rates bulletin MS15-112 critical for IE versions 7 through 11 on client systems and moderate for the same versions running on Windows servers.
“An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights,” the bulletin stated.
Wolfgang Kandek, CTO of Qualys, who writes about Patch Tuesday in Qualys' The Laws of Vulnerabilities, recommended that users fix MS15-112 quickly.
“The attack vector is through a malicious webpage, a very common one. Cybercriminals set these up by exploiting vulnerabilities in otherwise innocent webpages, gaining control over the content of the pages and then including invisible links to their attack pages that are driven by commercial exploit kits,” Kandek wrote.
The update for Microsoft Edge, MS15-113, modifies how the browser handles objects in memory and ensures that Edge properly implements the address space layout randomization (ASLR) security feature.
The next critical issue addressed resides in Windows Journal, a note-taking application. The fix, bulletin MS15-114, is considered critical for Windows Vista and Windows 7 “and addresses the vulnerability by modifying how Windows Journal parses Journal files,” the report stated.
The final critical patch, bulletin MS15-115, applies to all supported versions of Windows. It addresses vulnerabilities in how Windows handles objects in memory, how the Adobe Type Manager Library in Windows handles embedded fonts and how the Windows kernel validates certain permissions.
The remaining eight updates are all rated important; left unpatched, the flaws they address could allow an attacker to execute code remotely, elevate privileges, cause a denial of service or disclose information.
Craig Young, security researcher with Tripwire, called out one of these updates, MS15-121, as particularly important even though it was not rated critical.
“Systems administrators using client-based certificate authentication should treat this update as high priority for both clients and servers because the described attack can allow a malicious server to inject data into the beginning of a session and potentially interact with a site in defiance of the same-origin policy,” Young said in an email to SCMagazine.com on Tuesday.