Microsoft released 11 security bulletins last night, patching four critical vulnerabilities in Windows, Office and Internet Explorer.
Besides disabling SSL 3.0 in Internet Explorer 11, the release's four critical patches all fixed remote code execution flaws; the remaining seven fixed vulnerabilities rated “important”.
Russ Ernst, director of product management at HEAT Software, said that patching should begin with MS15-033, which addresses five CVEs in Microsoft Office, including a fix for one zero-day vulnerability. “The full update addresses Word 2007, 2012 and Word for Mac 2011,” he said. “A remote code execution could result if a user opened a malicious Office file, giving the attacker full user rights.”
Wolfgang Kandek, CTO of Qualys, also rated this as the first priority, particularly as CVE-2015-1641 is a zero-day that is currently under limited attack in the wild on Word 2010.
He said: “This is a very low security barrier at most organisations, as it is part of the job for employees to open Word DOCX files and they have come to trust the format. The attacker will send an email with the malicious file attached or linked. If the e-mail is worded well, click/opening rates over ten per cent are guaranteed.”
David Picotte, manager of security engineering at Rapid7, pointed at MS15-032 as the next priority, as this addresses ten Internet Explorer CVEs and is rated “Critical”; exploitation is considered quite likely, though none has yet been detected in the wild. “Microsoft really need to get Spartan released so that their browser auto-patches itself like all the other browser platforms,” he said.
Ernst said: “This is another cumulative update for all versions of IE and patches 10 CVEs, nine of which are critical. The attacker needs users to open a malicious webpage for user rights to then be secured but as we know, this is relatively easy for them to accomplish.”
The other two critical-rated patches are MS15-034 and MS15-035. MS15-034 resolves a vulnerability in Microsoft Windows that could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system.
Kandek said: “The bulletin addresses vulnerability CVE-2015-1635 in the HTTP stack on Windows Server 2008 and 2012, also affecting Windows 7 and 8. An attacker can use the vulnerability to run code on your IIS webserver under the IIS user account; the attacker would then use an exploit for a second local vulnerability (EoP) to escalate privilege, become administrator and install permanent exploit code.
“The attack is simple to execute and needs to be addressed quickly; if you cannot patch immediately, take a look at the suggested workaround in IIS caching. This is the top vulnerability for your server team if you run Windows-based web servers on the internet.”
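The triage a server team would actually run for MS15-034, as an added example that is not from the article, from Qualys or from Microsoft: it checks whether the bulletin's update is installed and, if not, whether the IIS kernel-caching workaround Kandek mentions is in place, with a helper to apply it. Two assumptions: the KB number in `$Ms15034Kb` is the one I believe Microsoft assigned to MS15-034 and should be confirmed against the bulletin, and the `WebAdministration` cmdlets are used as documented for the server-wide `system.webServer/caching` section. Run it in an elevated PowerShell session on the IIS host.

```powershell
# Added example (not the article's or the vendor's code). Triage for MS15-034 on an IIS host.
#
# ASSUMPTION: the KB article number below is the one assigned to MS15-034; verify it
# against the bulletin before trusting a "patched" result from this script.
$Ms15034Kb = 'KB3042553'

function Test-Ms15034Patched {
    param([string]$Kb = $Ms15034Kb)
    # Get-HotFix lists installed updates by HotFixID. A missing entry is not proof of
    # exposure (a later cumulative package may carry the fix), so treat $false as
    # "investigate", not "vulnerable".
    $hit = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $Kb }
    return [bool]$hit
}

function Get-IisKernelCacheEnabled {
    # Microsoft's interim workaround for MS15-034 was to disable IIS kernel-mode output
    # caching; this reads the server-wide setting. $true means the workaround is NOT in place.
    Import-Module WebAdministration -ErrorAction Stop
    $prop = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/caching' -Name 'enableKernelCache'
    # Depending on the IIS version the cmdlet returns a bare boolean or a
    # ConfigurationAttribute whose .Value holds the boolean.
    if ($prop -is [bool]) { return $prop }
    return [bool]$prop.Value
}

function Disable-IisKernelCache {
    # Applies the workaround. Expect a performance hit on static content; re-enable
    # kernel caching once the patch is installed and verified.
    Import-Module WebAdministration -ErrorAction Stop
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/caching' -Name 'enableKernelCache' -Value $false
}

# Decision logic: patch first; fall back to the workaround only when you cannot patch now.
if (Test-Ms15034Patched) {
    Write-Output "MS15-034 ($Ms15034Kb) is installed."
} elseif (Get-IisKernelCacheEnabled) {
    Write-Warning "MS15-034 not found and IIS kernel caching is enabled: patch now, or run Disable-IisKernelCache as a stopgap."
} else {
    Write-Warning "MS15-034 not found; kernel caching is already disabled (workaround in place). Patch as soon as possible."
}
```

The workaround only removes the kernel-mode caching path; it is a stopgap for hosts that cannot take the update in the current maintenance window, not a substitute for it.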
Finally, MS15-035 patches a vulnerability in the Microsoft graphics component. Kandek said: “Again, the attacker needs user help to execute the exploit, in this case rendering a graphics file. There are plenty of ways to do this: browsing to a website, opening an e-mail or looking at a fileshare are all possible vectors. Nevertheless, this limits exploitation mostly to desktop/laptop machines.
“The vulnerability is also limited to older versions of Windows, such as Windows 7, Vista, Server 2003 and 2008. The latest desktop versions of Windows, 8 and 8.1, are not affected; similarly for Windows Server 2008 R2 and 2012.”