Security Advisor

'Critical' IE Fix Highlights Microsoft's May Patch

This month's security update also includes "critical" bulletins for Windows, Office and .NET Framework.

Microsoft may be killing off its monthly Patch Tuesday in favor of non-scheduled security update rings, but the death blow has yet to come. The company released today its May security update, packed with three bulletins rated "critical" and 10 "important."

IT looking to prioritize this month's offerings should first focus on bulletin MS15-043, a cumulative security update for Internet Explorer. All supported versions of the Web browser are affected and, if left unpatched, the most severe issue could lead to a remote-code-execution (RCE) attack.

While details are usually scarce unless you are enrolled in Microsoft's bulletin notification program, the company this month has broken out how it is modifying IE:

The security update addresses the vulnerabilities by:

  • Modifying how Internet Explorer handles objects in memory
  • Helping to ensure that affected versions of JScript and VBScript and Internet Explorer properly implement the ASLR security feature
  • Adding additional permission validations to Internet Explorer
  • Helping to prevent information stored in a user's clipboard from being accessed by a malicious site

While none of the undisclosed number of issues are currently being exploited in the wild, it's always important to apply updates related to Web-based apps as soon as possible, according to Qualys CTO Wolfgang Kandek.

"Attackers have at their disposal a number of exploits for a diverse set of vulnerabilities to adapt to the target's machine," said Kandek in an e-mailed statement. "It is safe to say that their favorite attack vectors include Internet Explorer, native Windows vulnerabilities and Adobe Flash, which all receive monthly updates publishing upwards of 20 CVEs per month. You should be prepared to install these updates as quickly as possible."

The next item is a fix for an unknown number of issues in Windows Journal, Microsoft's note-taking application that reads and writes JNT format files. Affecting all supported versions of Windows Server and Windows OS (including the available Windows 10 previews), the fix looks to block an attacker from instigating an RCE attack through the use of a malicious Journal file.

Along with applying the update, Microsoft recommends that JNT files received from unknown sources should not be opened. Also, if Windows Journal is not used, the .jnt file type association can be blocked.

The final critical item (MS15-044) for May is a widespread font driver error that could lead to an RCE attack if a harmful TrueType font is embedded in a document or Web site. The fix covers all supported versions of Windows OS, Windows Server, Microsoft Office, Microsoft Lync, .NET Framework, and Microsoft Silverlight. Plan to spend more time testing this update before applying it, due to its large reach.

The remaining security update addresses less serious problems in Windows OS, Windows Server, .NET Framework and Microsoft Silverlight. Many of the updates will require a restart before being fully applied. More information on May's patch can be found on Microsoft's Security Bulletin Summary page.

About the Author

Chris Paoli is the site producer for and

