Microsoft fixes five critical flaws, including two hitting all versions of Windows

Every supported version of Windows should get an update, fixing two issues: one in Internet Explorer 7 and later, and the other in Windows Journal.
Written by Zack Whittaker, Contributor

You can count this month's most critical patches on one hand. That's the good news.

The bad news is that almost every major Microsoft product requires a patch to fix ongoing security vulnerabilities, including two patches that affect all versions of Windows.

For this month's so-called Patch Tuesday, the company has issued 12 bulletins fixing 56 separate vulnerabilities in some versions of Windows, Microsoft Office, and even the new Microsoft Edge browser

But there are two patches that float to the top.

MS15-094 is the biggest patch of the monthly batch, affecting all supported versions of Windows, including the company's server and tablet operating system lineup. A number of memory corruption flaws in Internet Explorer could allow an attacker to gain access to an affected system, running at the same user privilege level. An attacker would have to trick a user into visiting a carefully-crafted web page in order to exploit the flaw. Although Windows 10 is listed as a vulnerable system, the Edge browser is not affected by the bug.

MS15-098 is another major flaw, affecting all supported versions of Windows. A denial-of-service issue with how Windows Journal handles some carefully-crafted documents could allow an attacker to cause data loss on an affected system. The good news is that it can't allow an attacker to take over the machine.

The other three critical flaws to note include a flaw in Microsoft's new Edge browser. MS14-095 covers a separate memory corruption vulnerability in the new Windows 10-based browser, which could allow an attacker to gain access to an affected machine at the same user privilege level.

MS15-097 is a critical elevation of privilege vulnerability affecting some versions of Windows and some versions of Microsoft Office. The patch fixes an issue that could allow an attacker to exploit a flaw in how affected products handle specially-crafted OpenType fonts. An attacker can gain access to a system through a crafted document or untrusted webpage.

Last but most certainly not least, MS15-099 affects all supported versions of Microsoft Office, specifically because of a flaw in how SharePoint handles links. The cross-site scripting (XSS) vulnerability could allow an attacker to run remote code and scripts on a targeted machine, as well as allowing them to steal sensitive data, like authentication cookies. (Even Mac users running Excel for Mac 2011 and 2016 are affected, and are advised to check for updates.)

Other patches, including MS15-096 and MS15-100 through MS15-105, are all rated "important," affecting Windows, Skype and Lync, and Exchange Server.

The software company acknowledged researchers from Google's Project Zero, Trend Micro, Fortinet, FireEye, Intel Security and HP's Zero Day Initiative among others, for their security work and research.

Sepetember's patches will be available through the usual update channels, like Windows Update.

How to secure your computer and online accounts in 10 simple steps

Editorial standards