Last Windows Server '03 Patch Tuesday Fixes 59 Flaws

Microsoft has used the last Patch Tuesday for the now unsupported Windows Server 2003 to hit sysadmins with a hefty workload of 14 bulletins – four of them critical – patching 59 vulnerabilities.

The four critical updates include a patch for Internet Explorer (MS15-065) which covers a whopping 29 vulnerabilities including remote code execution flaws.

Also high on the list for IT admins should be MS15-066, which patches a vulnerability in the VBScript Scripting Engine which could also allow remote code execution (RCE), and MS15-067, which patches an RCE flaw in the Remote Desktop Protocol.

Rounding out the critical updates is MS15-068, which addresses two vulnerabilities in Windows Server Hyper-V which could allow RCE.

“These vulnerabilities are much more general and applicable, but require a bit of setup on the part of the attacker,” explained Core Security principal software engineer, Jon Rudolph.

“If a victim can be convinced to plant a malicious and untrusted dll in a certain location and then run an executable, the untrusted dll may be loaded and the attacker may gain control of the victim’s system. Because this vulnerability does not rely on a particular product or service and it spans many Windows releases, it makes it a tempting target for attackers that can tee it up correctly.”

Also worth noting is MS15-070, an ‘important’ update which addresses eight flaws in Office allowing for RCE. One of these has been used in targeted attacks and so must be patched straightaway, according to Shavlik product manager, Chris Goettl.

MS15-058, on the other hand, was left over from last month. This important update, fixing RCE flaws in SQL Server, should be thoroughly tested first, he recommended.

Also noteworthy is MS15-073, which fixes several elevation-of-privilege flaws in the Windows Kernel-Mode Driver, including one which was exploited by Hacking Team.

On that note, Adobe has patched the two remaining Flash bugs exposed in the Hacking Team data dump.

“This one will be urgent. Flash needs to be updated on the OS and in each of the major browsers, so there are really four updates necessary to fully resolve these vulnerabilities,” said Goettl.

“Adobe also released updates for Acrobat, Reader and Shockwave. Shockwave is also a Priority 1.”

Not to be outdone, Oracle also released its quarterly CPU on Tuesday, featuring a fix for the first Java flaw found in two years.
