Microsoft's Patch Tuesday updates block a pair of high-profile exploits

In this month's Patch Tuesday, Microsoft is serving up a dozen security-related updates for Windows, including two fixes for vulnerabilities that have been publicly disclosed. In addition to five Critical security updates, today's list includes fixes for the cross-platform FREAK flaw.

This month's Patch Tuesday is one of the biggest in recent memory, with 14 separate security-related updates going out via Microsoft's update channels. All but two of the updates are for Windows. (Depending on your OS, you'll find a large number of non-security-related updates as well. More details on those when I get them.)

Five updates (four for Windows and one for Office) are rated Critical. The remaining nine are rated Important, all for Windows except for a lone Exchange Server patch.

Two of the fixes are for vulnerabilities that have already been publicly disclosed. The good news for Microsoft's Security Response team is that they've cleared all open issues from the Google Project Zero list.

Here's a rundown of the security-related updates in this month's super-sized collection.

MS15-018 is a Cumulative Security Update that addresses an even dozen vulnerabilities and affects all supported versions of Internet Explorer. It includes the fix for a cross-site scripting vulnerability that was publicly disclosed prior to February's Patch Tuesday but didn't make last month's fixes. Another fix is in response to a memory corruption vulnerability that has also been publicly disclosed, although the official CVE page hasn't yet been updated with details.

MS15-019 repairs a scripting vulnerability in some older Windows versions; it doesn't affect Windows 7 and later desktop versions or the equivalent server versions, Windows Server 2012 and 2012 R2.

MS15-020 fixes a flaw in the way Microsoft Text Services handles objects in memory and how Microsoft Windows handles the loading of DLL files. According to some reports, this fix addresses one of the zero-day bugs originally associated with Stuxnet, in 2010. The National Vulnerability Database entry currently contains no additional details. The Zero Day Initiative, one of two organizations credited with finding the bug, says it disclosed the issue to Microsoft on October 31, 2014.

MS15-021 addresses a pair of vulnerabilities in the Adobe Font Driver. Both could theoretically allow remote code execution, although Microsoft's summaries say that possibility is unlikely.

MS15-022 applies to all supported Microsoft Office versions (2007, 2010, and 2013), as well as the server-based Office Web Apps and SharePoint Server products. It fixes three known vulnerabilities in Office document formats as well as multiple cross-site scripting issues for SharePoint Server. The worst outcome allows remote code execution.


Eight of the remaining nine updates affect Microsoft Windows, with the exception being a fix for an issue in Microsoft Exchange Server.

One update resolves a problem with Windows Task Scheduler that could allow a local user to bypass file access controls and run privileged executables. Another fixes a possible denial of service issue that only affects systems where Remote Desktop Protocol (RDP) is enabled. (By default, RDP is off on all Windows versions.)

And then there's MS15-031, which fixes the widely publicized (and cross-platform) Schannel vulnerability, more popularly known as the FREAK technique. This update means Microsoft and Apple platforms are secured, while vulnerable Android versions have yet to be patched. (Update: It took about 36 hours extra, but this patch is now available for Internet Explorer in Windows 10 Technical Preview build 9926. It's reasonable to assume the fix will be built into the next preview release.)

Systems with Internet Explorer 11 (which includes all Windows 8.1 installations) are also receiving an update to the built-in Flash Player code. The security issues fixed by this update are addressed in a separate bulletin, not yet available from Adobe. Oh, and this month's update to the Malicious Software Removal Tool reportedly removes the unwanted Superfish certificate from Lenovo PCs.

In addition to the large number of security-related updates, you'll find a large number of Recommended updates. On a Windows 8.1 installation, I counted 16 separate updates, most of them small. As is customary (and frustrating), most of the associated Knowledge Base articles that explain the reason for each fix were not available hours after the updates themselves appeared on Windows Update.

For details on the contents of those additional updates, see this follow-up post: What was in this month's super-sized batch of Windows and Office updates?

Update: Some Windows 7 PCs are reportedly having problems with one update: KB3033929.
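For administrators rolling out a batch this size, a quick way to confirm what actually landed is to query installed hotfixes and, since the post notes that the RDP denial-of-service fix only matters where RDP is enabled, to check that setting at the same time. The following PowerShell is an added example, not from the original post or from Microsoft; it uses only KB3033929 (the one KB number named above) and a hypothetical list you would extend with the KB IDs from the bulletins you deploy.

```powershell
# Added example (not from the original article): audit a Windows host for
# specific Patch Tuesday KBs and report whether Remote Desktop is enabled.
# KB3033929 is the only KB number the post names; extend the list with the
# KB IDs from the bulletins you actually deploy (hypothetical placeholder list).
$KbsToCheck = @('KB3033929')

# Get-HotFix lists updates recorded by Windows Update / WUSA on this machine.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($kb in $KbsToCheck) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    Write-Output ("{0,-12} {1}" -f $kb, $state)
}

# RDP is enabled when fDenyTSConnections is 0; the post says it is off by default.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections

if ($ts.fDenyTSConnections -eq 0) {
    Write-Output 'RDP: ENABLED - confirm the RDP denial-of-service fix from this batch is applied'
} else {
    Write-Output 'RDP: disabled (the default described in the post)'
}
```

Run it in an elevated PowerShell session on each host after the updates have been approved; a host that reports a KB as MISSING has not yet received that update through whichever channel you use.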
