Half of Patch Tuesday bulletins cover Windows 10

Half of patch Tuesday fixes cover Windows 10

Half of Patch Tuesday bulletins cover Windows 10
Half of Patch Tuesday bulletins cover Windows 10

Microsoft issued its monthly Patch Tuesday update today with nearly half of its 14 security bulletins addressing vulnerabilities in its newest operating system, Windows 10.

Microsoft issued its monthly Patch Tuesday update today with nearly half of its 14 security bulletins addressing vulnerabilities in its newest operating system, Windows 10.

Two of the four “critical” vulnerabilities impact Windows, while one primarily affects the company's Office offerings. The most severely addressed vulnerability in the Office bulletin could allow Remote Code Execution (RCE) if a user opens a specially crafted Microsoft office file.

“An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user,” Microsoft wrote. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

Wolfgang Kandek, CTO at Qualys, noted in a blog post that Office vulnerabilities are rarely classified as critical. The company typically “downgrades a vulnerability when user interaction is required, such as opening a DOCX file,” he wrote. “But CVE-2015-2466 is rated critical on Office 2007 and Office 2010 indicating that the vulnerability can be triggered automatically, possibly through the Outlook email preview pane, and provide Remote Code Execution, giving the attacker control over the targeted machine.”

Critical patch MS15-079 deals with Internet Explorer vulnerabilities that could, in a worst case scenario, allow for RCE if a user views a specially crafted webpage using Internet Explorer. The attacker would gain the same user rights as the current user.

The last critical fix addresses vulnerabilities in Microsoft's new Edge browser that relate to three of the same RCE vulnerabilities in the prior bulletin.

This is the first patch cycle since Windows 10 has been released, and in May, the company said consumers would no longer receive Patch Tuesday updates. Instead, patches would be issued immediately upon becoming available.

The remaining 10 vulnerabilities were rated with “important” severity, meaning the patched bugs could, if left unfixed, compromise the “confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources,” Microsoft wrote on its “Severity Rating System” page.

This article was first published in our sister publication SC Magazine.

In a subsequent email to SCMagazineUK.com, DavidPicotte, manager of engineering, software development at Rapid7 noted that: "Microsoft seems to have implemented a new strategy for Windows 10, as they are now releasing a single KB specific to the platform that addresses all applicable bulletins (in this case 6 of the 14). For administrators this allows a single patch to be installed for addressing all security issues - greatly reducing the burden of patch implementation. We see this is a very positive step forward for Microsoft and will be interested to see what, if any, additional changes they make to the patch process moving forward."

Also calling SCMagazineUK.com to comment was Russ Ernst, director of product management at HEAT Software who noted how in the latest Patch Tuesday bulletin: "Microsoft shared a vulnerability smorgasbord ...– offering a little something for everyone. From office and browser applications to desktops and servers, Microsoft covered them all with 14 bulletins.  If you are a Windows 10 user, Microsoft rolled all six of their fixes into a single Cumulative Update (KB3081436)." He added his own suggestion for priorities to patch: "First on your list ... should be MS15-081. This critical update addresses eight CVEs in Office 2007, 2010 and 2013 and exploits are being detected in the wild now.

"Second on your list should be MS15-079, a critical, cumulative update to Internet Explorer that addresses 13 CVEs in all. With user interaction, attackers could successfully pull off a remote code execution could result in the attacker gaining full user rights.

"And speaking of web browsers, if you're using Windows 10, Microsoft has also updated their new browser, Edge. Said to be the new IE, this new browser is already under attack and critical-ranked MS15-091 addresses 4 CVEs. And, for all the Adobe Flash users out there, you will want to update with APSB15-19. Published today, this update fixes 34 vulnerabilities in Flash Player, including fixes for Flash Player for Edge. There are no active exploits known at this time but it of course won't be long.

"For those using all legacy versions of Windows, MS15-080 should be third on your list of priorities. It is another critical patch that addresses 16 vulnerabilities across .NET, Office, Lync and Silverlight in all legacy versions of Windows and Windows 10.

"And lastly, another zero-day is addressed with MS15-085 and should also be high on your list of priorities, even though Microsoft ranks it as important. This update addresses CVE 2015-1769 in Mount Manager that could allow an elevation of privilege. To accomplish it, attackers need to insert a malicious USB.

"Since the launch of Windows 10 on July 29, the mandatory update policy is giving many users heartburn. UpdateKB3081424 released last week reportedly has problems. Forum users report it reaches various percentages of installation before failing, causing the machine to continually reboot. If you're using the new OS, proceed with caution. With the Windows 10 cumulative update approach, be sure to thoroughly test in your environment before applying this all or nothing update."