All Windows users should patch these two new 'critical' flaws

Updated: One of the patches is being reviewed by Microsoft after reports emerged of bugs and crashes.

Microsoft has released patches for two critical security vulnerabilities that affect every supported version of Windows.

The software giant released the patches Tuesday as part of its monthly release of security updates.

All users running Windows Vista and later -- including Windows 10 -- are affected by two flaws, which could allow an attacker to install malware on an affected machine.

The first patch, MS15-112, addresses a memory corruption flaw in Internet Explorer. If the flaw is exploited, an attacker could gain access to an affected machine with the same access rights as the logged-in user, such as installing programs and deleting data.

A user must be tricked or convinced into clicking a link, such as one sent in an email or instant message, which opens a website containing code that can exploit the flaw.

The software giant's new Edge browser, which runs exclusively on Windows 10 machines, is also affected by the flaw, and has its own separate bulletin, MS15-113.

Windows Server systems -- including those running the third preview of Windows Server 2016 -- are also at risk, but the server's enhanced security mode helps to mitigate the vulnerability.

The other patch affecting all versions of Windows, MS15-115, fixes a series of flaws that could allow an attacker to remotely execute code on an affected machine by exploiting how the operating system handles and displays fonts. Some of the flaws can only be triggered if an attacker logs on to the affected machine, but some can be triggered by the user visiting a web page that contains exploit code.

Microsoft said the two flaws were not being publicly exploited by attackers.

(Update: The company said Wednesday it was reviewing the patch after a number of users reported bugs and crashes after installing it. We have more here.)

The company said another critical patch, MS15-114, addresses a flaw in Windows Journal that affects Windows Vista and Windows 7.

The vulnerability can allow an attacker to remotely execute code on an affected computer if a user opens an exploitable file. Users running with lower user privileges are less impacted.

Microsoft also released eight other patches -- MS15-116 through to MS15-123 -- for "important" issues relating to Microsoft Office, .NET Framework, and Skype.

November's patches will be available through the usual update channels.

This post has been updated.
