It's still 2015, and your Windows PC can still be pwned by a webpage
PATCH NOW – 56 security holes, and at least two are already under attack
Microsoft has today released patches for 56 security vulnerabilities in its products. People should apply the updates as soon as possible because miscreants are actively exploiting at least two of the holes – and likely more by the time you read this.
The September patch batch includes critical fixes for Internet Explorer and Edge, Office, and Windows. Users and administrators are being advised to test and install the updates on the double.
Of the 56 vulnerabilities, 14 in Internet Explorer, four in the supposedly super-whizzbang-secure Edge browser, one in Windows' handling of OpenType fonts, four in Windows' Journal file handling, and four in Microsoft Office, allow an attacker to remotely execute evil code on a victim's system.
Microsoft's September bulletins in full:
- ms15-094: A wad of patches fixing 17 vulnerabilities. "The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," Microsoft said.
- ms15-095: The Edge update for Windows 10. This includes four vulnerabilities, "the most severe of [which] could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge," Redmond admitted.
- ms15-096: A patch for Active Directory addressing a single vulnerability allowing for a denial of service attack in Windows Server. Rated "important."
- ms15-097: Critical fixes for 11 vulnerabilities in Windows, Office, and Lync. One of the vulnerabilities is being actively targeted in the wild, and another has been publicly disclosed. "The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts," said Microsoft.
- ms15-098: A batch of patches to remedy remote code execution vulnerabilities in Windows Vista/Server 2008 and later. The update replaces ms15-045 and is rated as "critical." Code execution is possible "if a user opens a specially crafted Journal file," said Microsoft.
- ms15-099: A patch batch to address four vulnerabilities in Office and SharePoint, including remote code execution holes. Opening a malicious document will start the execution of arbitrary code. Microsoft has received reports of lowlifes exploiting the .EPS vulnerability, so unpatched systems running the Office suite are at a higher risk of infection from malware. The vulnerabilities rated by Microsoft as "critical."
- ms15-100: A remote code execution vulnerability in Windows Vista, 7, and 8. "The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code," said Microsoft. This vulnerability was exploited by Hacking Team, we're told.
- ms15-101: An update for two bugs in the Microsoft .NET framework in Windows Vista and later, and Server 2008 and later, that allows a program to gain administrator access. "The most severe of the vulnerabilities could allow elevation of privilege if a user runs a specially crafted .NET application," Microsoft explained.
- ms15-102: Three bugs in Windows Task Management, allowing for elevation of privilege attacks. "The vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application," Microsoft said.
- ms15-103: Patches to address three vulnerabilities in Exchange server. The update has been given a rating of "important" by Microsoft. "The most severe of the vulnerabilities could allow information disclosure if Outlook Web Access (OWA) fails to properly handle web requests, and sanitize user input and email content," said Redmond.
- ms15-104 An update for three elevation of privilege flaws in Skype for Business server and Lync server. Rated an "important" fix for Lync Server 2013 and Skype for Business Server 2015. "The most severe of the vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL. An attacker would have to convince users to click a link in an instant messenger or email message that directs them to an affected website by way of a specially crafted URL," explained Microsoft.
- ms15-105: A security bypass vulnerability in Hyper-V for Windows 8.1, Windows 10, and Windows Server 2012 R2. "The vulnerability could allow security feature bypass if an attacker runs a specially crafted application that could cause Windows Hyper-V to incorrectly apply access control list (ACL) configuration settings. Customers who have not enabled the Hyper-V role are not affected," noted the software giant.
Once the Microsoft updates are in place, users and admins might want to turn their attention to Adobe's critical update for its Shockwave Player. That patch, applicable to Shockwave Player 220.127.116.11 and earlier for Windows, addresses two CVE-listed remote code execution flaws. ®