Security Advisor

'Critical' Internet Explorer RCE Flaw Fix Highlights October's Patch Tuesday

Microsoft released a small patch featuring six bulletins.

While Microsoft has discussed that the end of the company's traditional monthly security update release is on the horizon, this month it's business as usual.

Today the company released its somewhat small October security patch, which includes three bulletin items rated "critical" and three rated "important."

The month's standout is a cumulative security update for Internet Explorer (bulletin MS15-106), which affects all supported versions of Windows and Internet Explorer and fixes 14 flaws in Microsoft's Web browser. While none of the holes are currently being actively exploited, this bulletin should be the top patching priority for IT, because working exploits can be developed relatively quickly now that the flaws are public.

The most severe flaws are memory corruption issues: if a user visits a malicious Web site that takes advantage of them, an attacker could take control of the system. That's not the only route attackers could take. Per Microsoft: "The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content."

While Microsoft's Edge browser is not covered by this bulletin, it is getting its own cumulative update in bulletin MS15-107. That item isn't as dire as the IE patch (it's rated important) and addresses only two minor holes that could lead to information disclosure in Windows 10.

Bulletin MS15-108 should be the next critical fix to be applied, and it is closely tied to this month's IE cumulative update. It includes many of the same vulnerability fixes as the IE item, this time for the VBScript and JScript scripting engines. While the flaws are the same, the scope is a bit smaller, with only Windows Vista and Windows Server 2008 being affected.

This month's final critical item (bulletin MS15-109) fixes multiple issues in all supported versions of Windows and Windows Server that could lead to an RCE attack if a user opened a specially crafted Web site or e-mail. The issues lie in how the Windows Shell handles objects in memory. While the flaws could have serious consequences for users, Microsoft has indicated that attacks have yet to be seen in the wild.

The remaining two important items for the month deal with RCE flaws in Microsoft Office and elevation of privilege issues in the Windows Kernel.

For those keeping score, despite the smaller-than-usual number of bulletins this month, 2015 has already been a busier year than 2014 when it comes to security bulletins. To date, 2015 has seen 111 bulletin releases, compared with only 63 in the first 10 months of 2014.

More information on this month's patch can be found here.

About the Author

Chris Paoli is the site producer for and
