For the second straight month Microsoft is holding fast to their blockade of information. Customers with “Premier” support are getting a very sparse advance notification 24 hours before the advisories drop, and “myBulletins” continues to be useless because it is not updated until well after the Patch Tuesday release. Microsoft called this an evolution, and I can certainly see why – they are applying a squeeze to security teams that will eliminate the weak members of the herd.
This month we are on the receiving end of nine advisories. The almost ubiquitous critical cumulative patch for all supported versions of Internet Explorer is back (MS15-009) after a one-month hiatus. Clearly Microsoft was saving up from last month, because this advisory addresses 41 CVEs, including CVE-2014-8967, which has been publicly disclosed, and CVE-2015-0071, which is under limited targeted attack.
The IE CVE free-for-all is paired up with two critical remote code execution issues affecting all supported versions of Windows, except Server Core variants. For MS15-010 this includes CVE-2015-0010, which has been publicly disclosed and is the probable reason for the Critical designation here, even though overall Microsoft deems this vulnerability as less likely to be exploited. MS15-011 relates to how group policy is applied and is deemed as likely to be exploitable. The three Critical issues will undoubtedly be the patching priorities due to their public exposure and risk of exploitation.
This month's fellowship (’cause there are nine, get it?) is rounded out by two Important issues affecting Office or components thereof, and three Important ones affecting the majority of supported Windows versions. Interestingly, MS15-013 with the single CVE-2014-6362 is only listed as Important, even though it has been publicly disclosed and exploitation is considered likely – this is probably due to it being “only” a Security Feature Bypass, meaning it would have to be used in conjunction with some other attack or other information to negatively impact a system. Definitely worth patching any and all Office vulnerabilities as they are found.
The curveball this month is MS15-017, which is an Important Elevation of Privilege that applies to “Microsoft System Center Virtual Machine Manager 2012 R2” (Update Rollup 4). Hypervisor and Virtual Machine management applications are often overlooked in routine patching and can be a challenge for Administrators to locate on their network. Those going to patch may find the system requires an update rollup or other patches prior to this patch being offered, which could hide a vulnerable state.