Security Advisor
'Critical' Internet Explorer RCE Flaw Fix Highlights October's Patch Tuesday
Microsoft released a small patch featuring six bulletins.
Microsoft has said that the end of its traditional monthly security bulletin release is on the horizon, but this month it's business as usual.
Today the company released its relatively small October security update, which includes three bulletins rated "critical" and three rated "important."
The month's standout is the cumulative security update for Internet Explorer (bulletin MS15-106), which affects all supported versions of Windows and Internet Explorer and squashes 14 flaws in Microsoft's Web browser. None of the holes is currently being exploited in the wild, but this bulletin should be the top patching priority for IT: once a fix is public, attackers can compare the patched and unpatched binaries and turn the differences into working exploits quickly.
The most severe flaws are memory corruption issues. If a user visits a malicious Web site that exploits them, the attacker can run code with the rights of the logged-on user, which means full control of the machine when that user is an administrator. A site the attacker owns is not the only way in. Per Microsoft: "The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content."
Microsoft's Edge browser is not covered by that bulletin; it gets its own cumulative update in bulletin MS15-107. That item is less dire than the IE patch (it's rated important) and addresses only two minor holes in Windows 10 that could lead to information disclosure.
Bulletin MS15-108 should be the next critical fix applied, and it is closely tied to this month's IE cumulative update: it fixes several of the same vulnerabilities, this time in the VBScript and JScript scripting engines. The flaws are the same, but the scope is smaller, with only Windows Vista and Windows Server 2008 affected.
This month's final critical item (bulletin MS15-109) fixes multiple issues in all supported versions of Windows client and server that could lead to remote code execution if a user opens a specially crafted Web site or e-mail. The issues lie in the Windows Shell, which improperly handles objects in memory. The consequences for users could be serious, but Microsoft has indicated that no attacks have yet been seen in the wild.
The remaining two important items for the month deal with RCE flaws in Microsoft Office (MS15-110) and elevation of privilege issues in the Windows Kernel (MS15-111).
For those keeping score, despite the smaller-than-usual number of bulletins this month, 2015 has already been a busier year for security bulletins than 2014. To date there have been 111 bulletin releases this year, against 63 in the first 10 months of 2014.
More information on this month's patch can be found here.