Microsoft Patches 23 Critical IE Flaws in Latest Update Round

Microsoft released 12 security updates in its monthly Patch Tuesday cycle yesterday, addressing 53 vulnerabilities including 23 critical flaws in Internet Explorer.

Of the 12 updates, four are critical and eight are ‘important’ with a lengthy impacted software list.

Experts agree that admins should prioritize MS15-112, which accounts for roughly half of the vulnerability count by fixing the 23 critical remote code execution issues in IE, which can be exploited through a malicious web page, as well as another two.

“As always, IE remains a popular browser which also makes it a favourite threat vector. The good news is none of them are under active exploit at this time,” explained HEAT Software director of product management, Russ Ernst.

“Another browser update comes in with MS15-113, this time for Edge. The critical update addresses four CVEs and is very important for you to check off if you’re in a Windows 10 environment.”

Qualys CTO, Wolfgang Kandek, added that the new Edge browser, introduced in Windows 10, is reassuringly emerging as a much more secure piece of software than its predecessor IE.

He described it as a “solid choice” as your browser “if your users can run all their business applications with it.”

Another top priority is MS15-115, addressing seven Windows vulnerabilities.

“Two of the vulnerabilities are in the font subsystem, which makes them remotely exploitable through web browsing and e-mail and affect all versions of Windows, including Windows 10 and RT,” wrote Kandek in a blog post.

MS15-116 should also be addressed as soon as possible by sysadmins, as it covers seven flaws in Office SharePoint, Lync and Skype for Business, which could allow remote code execution.

One of the vulnerabilities covered in this update, CVE-2015-2503, has been publicly disclosed, although it has not yet been seen in active exploits.

“This vulnerability on its own is not too terrible, but if used in conjunction with other vulnerabilities it could be used to elevate privileges,” claimed Shavlik product manager, Chris Goettl.

Of the remaining ‘important’ updates, three elevation of privilege vulnerabilities, in NDIS (MS15-117), .NET (MS15-118), and Winsock (MS15-119), were flagged as particularly pressing.

And not to be outdone, Adobe has released another critical update for Flash Player (APSB15-28), its third in the past 30 days. It fixes 17 flaws including code execution and use-after-free bugs.
