Microsoft Respite for Admins: Just Eight Security Bulletins this Month


There was a mercifully light Patch Tuesday for IT administrators this month, with just eight bulletins released yesterday by Microsoft, two of which are rated critical.

The eight bulletins bring the total count for the year so far to a significant 63.

Experts agree the first update on the list to apply should be MS15-056, a cumulative Internet Explorer patch which fixes 24 vulnerabilities, 20 of which are rated critical. These are memory corruption bugs that could lead to remote code execution (RCE), triggered simply by getting a user to visit a malicious or compromised web page.

All supported versions of Internet Explorer and Windows are affected by this bulletin.

Second priority should be MS15-059, affecting the 2007, 2010 and 2013 versions of Microsoft Office.

“The attacker needs to trick the target into opening a malicious file with Word or any other Office tool and can then take control of the target’s computer,” said Qualys CTO, Wolfgang Kandek in a blog post.

“Microsoft rates this bulletin as ‘important’ but nevertheless we make it one of our higher priority patches. The fact that one can achieve RCE, plus the ease with which an attacker can convince the target to open an attached file through social engineering, make this a high risk vulnerability.”

The other critical update, MS15-057, is for Windows Media Player. It addresses a vulnerability that could be exploited by serving up a specially crafted media file which, if opened, allows an attacker to take control of the victim's machine.

MS15-060 is rated only "important", but the vulnerability it addresses has already been publicly disclosed, which increases the chances of it being exploited before patches are rolled out.

It covers an issue in the Microsoft Common Controls of Windows that is reachable through the Internet Explorer Developer Tools menu.

“An attack needs to trigger this menu to be successful,” argued Kandek. “Turning off developer mode in Internet Explorer (why is it on by default?) is a listed work-around and is a good defense-in-depth measure that you should take a look at for your machines.”
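The workaround Kandek refers to is a Group Policy setting, "Turn off Developer Tools", that can also be applied directly through the registry. The following PowerShell is an added example written for this article, not code from Microsoft or from Qualys; it assumes that the policy lives at HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\IEDevTools with a DWORD value named Disabled, which is the location I recall the bulletin's workaround pointing at and should be verified against the bulletin before any rollout. The function names are my own.

```powershell
# Added example (not from the article, Microsoft or Qualys): apply and audit the
# Internet Explorer "Turn off Developer Tools" policy that MS15-060 lists as a
# workaround. The registry path and value name below are assumptions taken from
# memory of the Group Policy mapping; confirm them against the bulletin.
# Run from an elevated PowerShell session.

$IEDevToolsPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\IEDevTools'

function Get-IEDevToolsState {
    # Returns 'Disabled' (policy set to 1), 'Enabled' (policy present but 0)
    # or 'NotConfigured' (no policy value at all, the Windows default).
    $value = Get-ItemProperty -Path $IEDevToolsPolicyPath -Name 'Disabled' -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'NotConfigured' }
    if ($value.Disabled -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-IEDevTools {
    # The workaround: create the policy key if it is absent and write
    # Disabled = 1 as a REG_DWORD so the F12 developer tools cannot be opened.
    if (-not (Test-Path $IEDevToolsPolicyPath)) {
        New-Item -Path $IEDevToolsPolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $IEDevToolsPolicyPath -Name 'Disabled' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Enable-IEDevTools {
    # Roll back once MS15-060 is installed and developers need F12 again:
    # removing the value returns the machine to 'NotConfigured'.
    if (Test-Path $IEDevToolsPolicyPath) {
        Remove-ItemProperty -Path $IEDevToolsPolicyPath -Name 'Disabled' -ErrorAction SilentlyContinue
    }
}

# Usage: record the state before and after so the change is auditable.
$before = Get-IEDevToolsState
Disable-IEDevTools
$after = Get-IEDevToolsState
Write-Output "IE Developer Tools policy: $before -> $after"
```

Treat this as a stop-gap rather than a fix: it only blocks the attack path through the developer tools, so the bulletin itself still needs to be installed, and the policy should be reverted afterwards on machines where developers rely on F12.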

The remaining bulletins cover Windows kernel-mode drivers, Active Directory Federation Services (ADFS) and Exchange Server.

All in all it’s a lighter patch load for admins but there are still dangerous flaws to fix, according to Core Security principal software engineer, Jon Rudolph.

“Overall this month did not have as many security updates, but one interesting change was an update which removes the Windows 10 update reminders after critics last month compared the reminders to adware,” he added.

“Based on the other diagnostic and groundwork updates, the nudging and prodding toward Windows 10 is unmistakable. Who’s ready?”

Another curious item to note from the update round is the absence of MS15-058, which has a placeholder but no further information, and could potentially be slated for an out-of-band update shortly.

Finally, Adobe released a patch for Flash addressing 13 flaws, four of which are critical. APSB15-11 should therefore be on the critical list for admins.
