Security Advisor

March Patch Tuesday: Microsoft Releases 5 'Critical' Updates

Also included is a fix for the widespread FREAK bug.

Today's monthly security update from Microsoft arrived to fix the largest number of issues in recent memory. March's patch includes five bulletins rated "critical" and nine designated "important."

For the second month in a row, the top patching priority should be bulletin MS15-018, a cumulative update for Internet Explorer. This update, which addresses an undisclosed number of security issues, affects all supported versions of Windows, Windows Server and Internet Explorer. Microsoft warns that if left unpatched, many of the vulnerabilities could lead to remote code execution (RCE). Adding to the severity of this update, one of the vulnerabilities has already been seen in the wild, so get on this one!

While you're at it, go ahead and apply bulletin MS15-019. It addresses one of the same RCE flaws covered by the IE fix, this time in the VBScript scripting engine on Windows Server, which affects Microsoft's older IE 6 and IE 7.

According to security expert David Picotte, manager of security engineering at Rapid7, bulletin MS15-022 should be the next item to take care of due to its widespread RCE risk across versions of Office. "This affects all supported versions of MS Office, docx/xls viewers, SharePoint and Office Web Apps," commented Picotte. "Bundled into this bulletin is a fix for a set of cross-site scripting (XSS) vulnerabilities, namely CVE-2015-1633 and CVE-2015-1636. Applying these fixes will likely be the most time-consuming patch for administrators, as it may require a restart of critical SharePoint infrastructure systems."

The final two critical items of the month both address RCE issues in Windows. Bulletin MS15-020 targets a DLL vulnerability that could be exploited through a Web browser in all supported versions of Windows, and bulletin MS15-021 does the same for a vulnerability in the Adobe font driver.

Important Updates
Look for bulletin MS15-031 to receive more attention than is typically reserved for items rated important. The security-bypass fix is aimed at the FREAK bug, which has been grabbing headlines as of late. The decade-old issue could allow eavesdropping on a system by breaking the secure connection between a Web browser and a Web site. Providing more detail on the bug, which affects numerous devices, including Apple- and Windows-based machines, Qualys CTO Wolfgang Kandek said that because of the damage that could be done, most tech firms have already started rolling out fixes, including this item from Microsoft.

"The vulnerability allows an attacker that has a Man-in-the-Middle (MITM) position to downgrade your computer's SSL communication to an export grade cipher (512 bit RSA), which is breakable relatively quickly (< 24 hours). Once the attacker has the key she can eavesdrop on your communication and even modify it and redirect you to impostor sites."

However, what keeps this fix in the important realm is that for an attack to succeed, an attacker would need both complete control of a network and a way to force a user to visit a specific malicious Web site -- making this a highly difficult attack to pull off.
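To make the downgrade concrete, here is a small simulation, added for this article and not code from Microsoft, Qualys or Rapid7, of the two sides of the FREAK problem: a TLS client that trusts whatever suite the server names versus one that checks the negotiated suite against what it offered, refuses export-grade suites outright, and rejects an undersized temporary RSA key, plus a one-line audit of a server cipher list. The cipher-suite names are real registry names; the `ServerHello` records, the 512-bit key size and the `MIN_RSA_BITS` policy are constructed and simplified for the example.

```python
"""Simplified model of the FREAK downgrade and of the client-side checks
that defeat it. Added illustration, not vendor code; handshake objects are
constructed and reduced to the fields the checks need."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Export-grade RSA suites from the TLS cipher-suite registry (real names).
# A downgrade aims to land the connection on one of these (512-bit RSA).
EXPORT_SUITES = {
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# Assumed policy for this example: shortest RSA key the hardened client accepts.
MIN_RSA_BITS = 2048


@dataclass(frozen=True)
class ServerHello:
    """Constructed server reply: the chosen suite plus the size of any
    temporary RSA key carried in ServerKeyExchange (None if no key is sent)."""
    cipher_suite: str
    temp_rsa_bits: Optional[int] = None


def export_suites_in(cipher_list: List[str]) -> List[str]:
    """Server-side config audit: which entries of a cipher list are export-grade."""
    return [c for c in cipher_list if c in EXPORT_SUITES]


def vulnerable_client(offered: List[str], hello: ServerHello) -> Tuple[bool, str]:
    """Pre-fix behaviour as modelled here: trusts the server's choice as long
    as it is an RSA suite the client knows how to run, offered or not."""
    if hello.cipher_suite.startswith("TLS_RSA_"):
        return True, "accepted"
    return False, "unknown suite"


def hardened_client(offered: List[str], hello: ServerHello) -> Tuple[bool, str]:
    """Checks that defeat the downgrade: the negotiated suite must be one the
    client offered, must not be export-grade, and any temporary RSA key
    must meet the minimum size."""
    if hello.cipher_suite not in offered:
        return False, "suite not offered by client"
    if hello.cipher_suite in EXPORT_SUITES:
        return False, "export-grade suite"
    if hello.temp_rsa_bits is not None and hello.temp_rsa_bits < MIN_RSA_BITS:
        return False, f"temporary RSA key too small ({hello.temp_rsa_bits} bits)"
    return True, "accepted"


def downgraded_hello() -> ServerHello:
    """Constructed reply standing in for what the client sees once a
    man-in-the-middle has steered the handshake onto an export suite."""
    return ServerHello("TLS_RSA_EXPORT_WITH_RC4_40_MD5", temp_rsa_bits=512)


def honest_hello() -> ServerHello:
    """Constructed reply for an undisturbed handshake."""
    return ServerHello("TLS_RSA_WITH_AES_128_CBC_SHA")


if __name__ == "__main__":
    offered = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    for name, client in (("vulnerable", vulnerable_client), ("hardened", hardened_client)):
        for hello in (honest_hello(), downgraded_hello()):
            ok, why = client(offered, hello)
            print(f"{name:10s} {hello.cipher_suite:36s} -> {'ok' if ok else 'reject'} ({why})")
    # Constructed legacy cipher list, as a server operator would audit it.
    legacy = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"]
    print("export suites still enabled:", export_suites_in(legacy))
```

The hardened client's first check is the one that matters most: a suite the client never offered can only have come from a rewritten handshake, so it is rejected before any key material is examined. The audit function covers the other half of the fix that vendors were rolling out, removing export suites from server configurations so there is nothing to downgrade to.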

The remaining items aren't as headline grabbing and affect minor issues in Windows and Exchange. Specific details can be found on Microsoft's bulletin summary page.

Reminder: After today, Microsoft will only provide free updates for Windows Server 2003 for three more months.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
