This month's update includes 14 Microsoft security bulletins (52 CVEs), three of which are rated critical. One of these vulnerabilities, affecting Microsoft Office (MS15-081), has already been detected as being exploited in the wild. As per the norm, Adobe has also released a high-priority AIR/Flash security patch (APSB15-19) to address 34 CVEs on multiple affected platforms (IE, Edge, Windows, Macintosh, Android and iOS).
Microsoft seems to have implemented a new strategy for Windows 10, as they are now releasing a single KB specific to the platform that addresses all applicable bulletins (in this case 6 of the 14). For administrators, this allows a single patch to be installed to address all security issues – greatly reducing the burden of patch implementation. We see this as a very positive step forward for Microsoft and will be interested to see what, if any, additional changes they make to the patch process moving forward.
- MS15-079: resolves 13 CVEs on all supported versions (7-11) of Internet Explorer (likely to be exploited in the near future).
- MS15-080: resolves 16 CVEs in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight.
- MS15-081: resolves 8 CVEs in Microsoft Office (2007 – 2016) on both Windows and Mac, and in SharePoint servers (2010, 2013).
- MS15-082: resolves 2 CVEs in nearly all supported platforms (Windows 10 being the only exception) that could allow remote code execution via the remote desktop protocol (RDP) functionality. This bulletin is rated “Important” as it is not believed that exploitation is occurring in the wild. CVE-2015-2472 requires a man-in-the-middle (MiTM) attack to exploit (decreasing the likelihood of a successful attack) and CVE-2015-2473 requires user interaction to exploit.
- MS15-083: resolves 1 CVE in Vista SP2 and Server 2008 SP2 systems that support SMB. Exploitation requires authentication credentials (a valid session).
- MS15-084: resolves 3 CVEs in nearly all supported platforms (Windows 10 being the only exception). The vulnerability impacts systems supporting SSLv2 with MSXML and the “fix” is simply to use a secure communication protocol.
- MS15-085: resolves 1 CVE on all Windows platforms. Exploitation in the wild has been detected; however, to exploit this vulnerability an attacker would have to insert a malicious USB device into a target system. The physical access requirements of this exploit make mass exploitation far less likely (remind your users to not plug in randomly found USB devices).
- MS15-086: resolves 1 CVE in System Center Operations Manager (SCOM) 2012. The cross-site scripting (XSS) vulnerability requires user interaction with a maliciously crafted URL. Exploitation of this vulnerability is not likely.
- MS15-087: resolves 1 CVE in Windows 2008 and Microsoft BizTalk Server (2010 – 2013 R2). The cross-site scripting (XSS) vulnerability requires user interaction with a maliciously crafted URL. Exploitation of this vulnerability is not likely.
- MS15-088: resolves 1 CVE on all Windows platforms. Exploitation of this information disclosure vulnerability has not yet been detected in the wild; however, exploitation in the near future is likely (it requires the chaining of multiple IE vulnerabilities).
- MS15-089: resolves 1 CVE in nearly all supported platforms (Windows 10 being the only exception) that could allow WebDAV SSLv2 sessions to be partially decrypted. Exploitation is unlikely to occur.
- MS15-090: resolves 3 CVEs in nearly all supported platforms (Windows 10 being the only exception) that could allow an elevation of privilege due to a vulnerability in the sandboxing functionality of the Windows Object Manager, Windows Registry, or Windows Filesystem.
- MS15-091: resolves 4 CVEs in Edge on Windows 10 (that's a first since RTM) that could allow remote code execution (RCE). Exploitation of these vulnerabilities requires a user to visit a maliciously crafted webpage. Exploitation of this vulnerability in the near future is rated as likely.
- MS15-092: resolves 3 CVEs on all Windows platforms running .NET 4.6 (likely only Windows 10 systems at this point in time). Exploitation of the elevation of privilege vulnerability in the RyuJIT compiler would grant the same permissions as the running user.
Welcome to the Windows 10 era. Administrators, enjoy patching yet another platform.