Microsoft has given plenty of work for sysadmins this month with the release of 14 security bulletins including four critical ones covering over 50 vulnerabilities.
First on everyone’s list according to the experts should be MS15-081, which addresses eight CVEs in Office with exploits already detected in the wild.
The critical rating is unusual for an Office-related fix as Microsoft usually downgrades flaws where user interaction is required, such as opening a document, Qualys CTO, Wolfgang Kandek explained in a blog post.
“But CVE-2015-2466 is rated critical on Office 2007, Office 2010 and Office 2013 indicating that the vulnerability can be triggered automatically, possibly through the Outlook e-mail preview pane, and provide Remote Code Execution (RCE), giving the attacker control over the targeted machine,” he added.
“MS15-081 also addresses a vulnerability that is being exploited in the wild, CVE-2015-1642 - so if you run Microsoft Office 2007, 2010 or 2013 you are a potential target.”
Next is a patch for a zero day vulnerability in the Windows Mount Manager affecting all versions of the operating system. Public exploits have already been discovered so patching MS15-085 is a matter of urgency.
There are 13 vulnerabilities in Internet Explorer addressed in MS15-079 including 10 which could lead to remote code execution, while new Windows 10 browser Edge is patched with the critical MS15-091 to address four CVEs.
Rapid7 manager of engineering and software development, David Picotte, pointed out that Microsoft has implemented a new strategy for patching Windows 10 – the release of a single KB to address all applicable bulletins for the platform.
“For administrators this allows a single patch to be installed for addressing all security issues - greatly reducing the burden of patch implementation,” he added.
“We see this is a very positive step forward for Microsoft and will be interested to see what, if any, additional changes they make to the patch process moving forward.”