IT administrators were blessed with a relatively light patch load this month after what’s been a busy summer, although five of the 12 Microsoft bulletins issued have publicly disclosed flaws, making them a priority.
Of the 12 patches, five are for critical remote code execution vulnerabilities. The usual suspects of Internet Explorer (MS15-094) and the new Edge browser (MS15-095) are affected, along with the Microsoft Graphics Component, Windows Journal and Office.
MS15-097 contains two public disclosures (CVE-2015-2546 and CVE-2015-2529) with the former already detected in attacks in the wild.
“Any vulnerability that has been publicly disclosed is something that you will want to pay close attention to, as public disclosure is an indicator of risk,” warned Shavlik product manager, Chris Goetll.
“Statistically these vulnerabilities are going to have a much higher chance of being exploited.”
There are also several bulletins covering elevation of privilege vulnerabilities – MS15-101, MS15-102, and MS15-104.
“In one case [MS15-102] if an attacker logs onto a system and then uses the task manager in combination with their own running applications, they could potentially assume total control of the target system,” said Core Security principal software engineer, Jon Rudolph.
“Microsoft reports that an exploit of this vulnerability has not yet been seen in public, but it’s an attractive target. Task manager is trusted enough that we all have it, and without this patch, it’s one of the weaker looking links in the chain.”
Windows 10 users should note that although they’re affected by a total of six bulletins, they’ll get one update to deal with them all.
“For those of you still running Server 2003 and on an Extended Support Agreement, expect an update for MS15-097 and MS15-098 this month,” explained Shavlik’s Goettl.
Elsewhere, perennial software patcher Adobe issued a critical update for its Shockwave product on Tuesday. The patch resolves two vulnerabilities which could lead to remote code execution.