Microsoft issued 13 bulletins today in possibly one of its last official Patch Tuesday releases.
Of its fixes, three were considered “critical,” or allowing code execution without user interaction, the rest were deemed “important,” Microsoft wrote on its summary page. Multiple experts suggested focusing on MS15-043, a bulletin that patches 22 CVEs in Internet Explorer.
The most severe of the addressed vulnerabilities could allow for remote code execution if a user views a malicious webpage. Attackers could also gain the same user rights as the current user, Microsoft wrote.
Wolfgang Kandek, CTO at Qualys, wrote to SCMagazine.com that attackers could do this through blogging or forum software, through exploiting advertising providers, or through search engine poisoning.
“It is safe to say that [attackers'] favorite attack vectors include Internet Explorer, native Windows vulnerabilities and Adobe Flash, which all receive monthly updates publishing upwards of 20 CVEs per month,” he wrote.
The other two critical bulletins addressed issues in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync and Microsoft Silverlight. Although critical, MS15-044 patched only two flaws: CVE-2015-1670 and CVE-2015-1671. Both pertained to font parsing vulnerabilities that could have allowed attackers to craft documents or web content with embedded TrueType fonts. This would have allowed for remote code execution.
Chris Goettl, product manager at Shavlik, wrote in prepared comments to SCMagazine.com that this patch should be taken seriously but also could require additional testing because of the variety of products affected.
Meanwhile, Kandek noted that MS15-046 was only rated as important, but still addresses RCE file format vulnerabilities in Word and Excel that could be used to gain control of users' machines. Users, who are infected through email attachments, opened about 10 percent of targeted emails.
Microsoft announced this past week that with its release of Windows 10, enterprises can keep systems updated through Windows Update for Business, which will be provided as a free service for all Windows Pro and Windows Enterprise devices.