Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Wednesday, 1 July, 2026
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Microsoft release four critical patches in batch of 11 on Update Tuesday

by The Gurus
April 15, 2015
in Editor's News
patch
Share on FacebookShare on Twitter

Microsoft released 11 security bulletins last night, patching four critical vulnerabilities in Windows, Office and Internet Explorer.
 
As well as disabling SSL 3.0 in Internet Explorer 11, the four critical patches all fixed remote code execution flaws. The remaining seven patches fixed vulnerabilities rated as “important”.
 
Russ Ernst, director of product management at HEAT Software, said that patching will want to begin with MS15-033 that addresses five CVEs in Microsoft Office, including a fix of one zero-day vulnerability. “The full update addresses Word 2007, 2012 and Word for Mac 2011,” he said. “A remote code execution could result if a user opened a malicious Office file, giving the attacker full user rights.”
 
Wolfgang Kandek, CTO of Qualys, also rated this as the first priority, particularly as CVE-2015-1641 is a zero-day and is currently under limited attacks in the wild on Word 2010.
 
He said: “This a very low security barrier at most organisations as it is part of the job for employees to open Word DOCX files and they have come to trust the format. The attacker will send an email with the malicious file attached or linked. If the e-mail is worded well click/opening rates over ten per cent are guaranteed.”
 
David Picotte, manager of security engineering at Rapid7, pointed at MS15-032 as the next priority, as this addresses ten Internet Explorer CVEs and is rated as “Critical” with exploitation being quite likely however not yet detected in the wild. “Microsoft really need to get Spartan released so that their browser auto patches itself like all the other browser platforms,” he said.
 
Ernst said: “This is another cumulative update for all versions of IE and patches 10 CVEs, nine of which are critical. The attacker needs users to open a malicious webpage for user rights to then be secured but as we know, this is relatively easy for them to accomplish.”
 
The other two critical-rated patches are MS15-034 that resolves a vulnerability in Microsoft Windows which could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system.
 
Kandek said: “The bulletin addresses vulnerability CVE-2015-1635 in the HTTP stack on Windows server 2008 and 2012, also affecting Windows 7 and 8. An attacker can use the vulnerability to run code on your IIS webserver under the IIS user account, the attacker would then use an exploit for second local vulnerability (EoP) to escalate privilege, become administrator and install permanent exploit code.
 
“The attack is simple to execute and needs to be addressed quickly, if you cannot patch immediately take a look at the suggested workaround in IIS caching. This is the top vulnerability for your server team if you run Windows based web servers on the internet.”
 
Finally, MS15-035 patches a vulnerability in the Microsoft graphics component. Kandek said: “Again the attacker needs user help to execute the exploit, in this case rendering a graphics file. There are plenty of ways to do this, as browsing to a website, opening an e-mail or looking at a fileshare are all possible vectors. Nevertheless this limits exploitation mostly to desktop/laptop machines.
 
“The vulnerability is also limited to older versions of Windows, such as Windows 7, Vista, Server 2003 and 2008. The latest desktop versions of Windows: 8 and 8.1 are not affected, similar for the Windows Server 2008R2 and 2012.”

Tags: FlawMicrosoftPatchVulnerability
ShareTweet
Previous Post

Microsoft disables SSL 3.0 in patch for Internet Explorer 11

Next Post

Websense announces partnership with Boldon James to boost DLP solutions

Recent News

geopolitical cyber report

Iran-linked MuddyWater espionage campaign targets organisations across four continents

July 1, 2026
Check Point Brings Cloud Firewall to AWS European Sovereign Cloud

Check Point Brings Cloud Firewall to AWS European Sovereign Cloud

July 1, 2026
Q&A: Solving Synthetic Media Challenges Before All Trust is Lost

Q&A: Solving Synthetic Media Challenges Before All Trust is Lost

July 1, 2026

Huntress Launches Managed ISPM as Identity Attacks Drive 79% of Severe Security Incidents

June 30, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2024 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2024 IT Security Guru - Website Managed by Dessol