Windows and Office get four Critical updates for Patch Tuesday

It's another Patch Tuesday, with this month's update including a slew of security fixes in a cumulative update for Internet Explorer. The most important patch on the list blocks an Office exploit that's already being used in "limited attacks" in the wild.
Written by Ed Bott, Senior Contributing Editor

If you use Windows and Office, be prepared for another bumper crop of updates this month. On a fully patched Windows 8.1 PC, I just counted 12 Important updates for Windows (including the Malicious Software Removal Tool) and another 9 updates for Office 2010. For Windows 7, the corresponding Patch Tuesday list is a bit longer, with a total of 12 updates for Windows.

The good news is that this month's collection of security bulletins includes only four rated Critical. The remainder are four security issues rated Important, plus the usual smattering of mysterious performance and reliability updates whose documentation hasn't yet been published.

First up is a Cumulative Security Update for Internet Explorer (3038314) (MS15-032). This update addresses 10 separate vulnerabilities and is rated Critical for every supported version of Internet Explorer on desktop versions of Windows and Important for IE on servers (where the default configuration makes exploits more difficult).

MS15-033 blocks a "use after free" vulnerability that could lead to remote code execution when opening a "specially crafted" (i.e., booby-trapped) Office document. It's rated Critical for Word 2007 and Word 2010 but Important for Office 2013. Microsoft says it is "aware of limited attacks that attempt to exploit this vulnerability" in the wild.

Interestingly, the bulletin also applies to Office on the Mac, with Office 2011 and the new Outlook for Mac for Office 365 on the list of affected software.

MS15-034 addresses a vulnerability in HTTP.sys. It applies to all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

The final Critical security update, MS15-035, isn't needed on systems running Windows 8.1 or Windows Server 2012 and later, but does apply to Windows Vista and Windows 7 as well as Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. It patches a vulnerability that could allow remote code execution when a user is fooled into clicking a malicious Enhanced Metafile (EMF) image file.

Although the raw number of updates might sound high, it represents a big drop from last month, when some PC users saw 50 or more updates on Patch Tuesday.

The Office update is worth applying immediately. Those with a cautious approach to updates might want to wait a few days to see whether any of this month's crop cause problems.
