Microsoft Issues 12 Security Fixes on Patch Tuesday, 5 Critical
Redmond yesterday released 12 new security patches as part of its monthly update to offer protection against malicious attackers. Microsoft is encouraging customers to apply the updates as soon as possible.
Microsoft is patching holes in its Active Directory Service; Microsoft Graphics Component; Windows Journal; Microsoft Office; Windows Media Center; .NET Framework; Windows Task Management; Microsoft Exchange Server; Skype for Business and Lync Server; Edge browser; and Internet Explorer.
Five of the bulletins target critical remote code execution vulnerabilities; seven vulnerabilities are rated important. Most security industry watchers are putting MS15-097, which fixes flaws in Microsoft Office, at the top of the list.
“The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file,” Microsoft said in its security advisory. “An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
We turned to Tyler Reguly, manager of security research at advanced threat protection firm Tripwire, to get his comments on the latest round of patches. He told us the best word to describe this month is probably “vanilla.”
“There's nothing overly fancy or impressive that stands out in the list of updates, it's the usual flavor that we see month after month without anything [exceptional] or unique in the list,” Reguly said.
“In both 2010 and 2013, Microsoft released 106 security bulletins. This was, to date, the highest number of bulletins released in a single year by Microsoft,” he said. “With Microsoft releasing bulletin MS15-105 in September, it'd be a pretty safe bet to say that 2015 will be a record setting year for Microsoft Bulletins.”
Tame by Comparison
Craig Young, security researcher at Tripwire, agreed with the “vanilla” description. He told us the September Patch Tuesday listing is rather tame by comparison to some of the exotic bugs that were fixed over the summer.
“The four memory corruption bugs addressed in the second round of patches for Microsoft Edge however did catch my interest,” he said. “We have a dramatically lower CVE count in the Edge bulletin compared to the IE bulletin.”
This is likely a consequence of how proficient researchers have become with fuzzing IE and may change as researchers revamp their toolkits to target Windows 10 and specifically Edge, Young said.
“Looking at the four Edge vulnerabilities patched in August and the four memory corruption bugs addressed Tuesday, it is apparent that Edge and IE are at least sharing some libraries, if not more substantial components of the Web rendering engine,” he said. “This would seem to reinforce the notion that original security research is still being performed first and foremost on the IE browser.”
Posted: 2015-09-10 @ 1:04am PT
I think it is all a bit confusing. My computer checks out as ready for 10 but each try has failed! They haven't tried since September 3rd. Sounds like I have missed the bullet again. :)