October has brought a relatively light Patch Tuesday update round for system administrators, with Microsoft releasing just six bulletins, although half of these are critical and the vulnerabilities covered affect common programs including Office, IE and Windows.
The advent of just six updates covering 33 vulnerabilities will be a welcome reprieve for admins given the number of bulletins so far in 2015 has already exceeded the total for last year.
The count is up to 111 now, versus 85 for 2014, according to Shavlik product manager, Chris Goettl.
Internet Explorer bulletin MS15-106 should be prioritized, bringing 14 fixes for the browser, half of which are critical and could lead to remote code execution if a user visits a malicious website, according to Qualys CTO, Wolfgang Kandek.
One of the vulnerabilities (CVE-2015-6056) has also been publicly disclosed, making it even more urgent to patch.
Next should come the “important” rated MS15-109 and MS15-110, he added in a blog post.
The latter fixes six issues in Office, five of which could result in Remote Code Execution.
“An attacker would trick a user into opening an Excel sheet with an exploit for one of the vulnerabilities in order to be successful, which is not that hard if the Excel sheet is presented in an interesting context, say as relevant product information, pricing and discounts of competing vendors (I get about one e-mail a week offering this type of information),” Kandek wrote.
“MS15-109 is a vulnerability in Windows shell that can be triggered both through e-mail and web browsing and if exploited successfully will give RCE to the attacker.”
Adobe has also been keeping admins busy this quarter with the release of two bulletins.
APSB15-24 resolves 55 flaws in Adobe Acrobat and Reader, and gets a Priority 2, but APSB15-25 resolves 13 vulnerabilities in Flash and is given Priority 1 so it should be addressed immediately.
“With a Flash Player update there will be four total updates you need to ensure are delivered across your environment. Flash Player and plug-ins for Internet Explorer, Google Chrome and Mozilla Firefox,” argued Shavlik’s Goettl.
“Google is releasing an updated version to fix 24 vulnerabilities and to support the Flash plug-in. The update is rated as a high priority by Google and with the Flash update included should be towards the top of your priority list this month.”