Yesterday's outcome of Microsoft's September Patch Tuesday included five critical bulletins. Two of them deal with remote code execution (RCE) flaws that affect Microsoft Office.
The first bulletin, MS15-097, depicts vulnerabilities in the Microsoft Graphics Component that could allow remote code execution if a user opens a specially crafted document or visits a deceitful webpage that has embedded OpenType fonts.
The most serious patch is for a graphics component buffer overflow vulnerability. CVE-2015-2510 is rated critical for Microsoft Lync, Office 2007 and 2010, and Windows Vista and Server 2008. The flaw is in how the Windows Adobe Type Manager Library handles OpenType fonts and can be exploited by persuading a user to open a specially crafted document or visit an untrustworthy webpage containing embedded OpenType fonts.
MS15-099 is another bulletin for a RCE vulnerability affecting all supported versions of Microsoft Office. The most critical flaw in the bulletin is for a vulnerability that can be exploited if a user is convinced to open a malformed EPS image file.
There is also a bulletin for the new Microsoft Edge browser, MS15-095, for people using Windows 10. The vulnerabilities are also included in the IE patches, and all are rated as critical RCE flaws on supported Windows clients.
The final critical bulletin, MS15-096, covers a Windows Journal flaw that can allow for RCE if a user were to open a specially crafted Journal file. It affects all supported versions of Windows.
Craig Young, security researcher at Tripwire commented, “The September 'Patch Tuesday' listing is rather tame by comparison to some of the exotic bugs we saw fixed over the summer. The four memory corruption bugs addressed in the second round of patches for Microsoft Edge however did catch my interest. We have a dramatically lower CVE count in the Edge bulletin compared to the IE bulletin. This is likely a consequence of how proficient researchers have become with fuzzing IE and may change as researchers revamp their toolkits to target Windows 10 and specifically Edge.”