Rumors of Patch Tuesday’s imminent demise have been greatly exaggerated, with Microsoft releasing 13 bulletins yesterday including three critical fixes, addressing 30 vulnerabilities.
MS15-043 should be the first priority for IT administrators, as it addresses 22 vulnerabilities in Internet Explorer relating to memory corruption, ASLR bypass, elevation of privilege and information disclosure.
Next is MS15-044 which resolves two flaws in Windows, .NET, Office, Lync and Silverlight relating to OpenType and TrueType Font which could allow for remote code execution if an attacker crafts docs or web content containing embedded TrueType Fonts.
“This vulnerability has the highest exploitability index for both the latest platforms and application versions, as well as older versions. Given the broad scope of impacted software and the relative ease attackers could turn around exploit code, this update should be deployed quickly,” advised Russ Ernst, director of products management at HEAT Software.
“Also, pay particular attention to MS15-051, an elevation of privilege vulnerability in Windows Kernel Mode Driver. Even though Microsoft ranks this update as important, it’s the only bulletin that addresses an actively exploited vulnerability this month. In all, it addresses six CVEs.”
The final critical update is MS15-045 which resolves six remote code execution vulnerabilities in Windows.
It wasn’t all Microsoft this Tuesday – Adobe, as predicted, announced updates for Acrobat and Reader addressing 34 Priority 1 flaws, some of which could result in remote code execution.
Some 18 CVEs in Flash Player were also addressed and should be patched quickly, given that it’s a favorite attack vector for hackers.
Google has also added to the load for admins with the release of Chrome version 42.0.2311.152.
“The only change in this update is support for the aforementioned Adobe Flash 188.8.131.52 update. To ensure you are up to date on Flash Player, you must update Google Chrome so you are supporting the latest plug-in,” said Shavlik product manager, Chris Goettl.
Finally, Mozilla announced a Firefox update addressing 15 vulnerabilities, five of which are critical – including a buffer overflow and use-after-free error which could lead to an exploitable crash, he added.