Qualys Blog

www.qualys.com
wkandek

Patch Tuesday October 2015

Patch Tuesday October 2015 turns out to be a light edition. There are only six bulletins, but all of the important products are covered. We have a critical bulletin for Internet Explorer (but not for Edge), a bulletin for Office that fixes Remote Code Execution (RCE) vulnerabilities, plus Windows Kernel vulnerabilities that allow for privilege escalation. There is also an interesting issue in the Windows shell that allows for RCE as well. Pretty much everybody is affected, meaning all versions of Windows and Office, but this month there are no updates for the additional software packages (.NET, server software, etc).

Let’s start with Internet Explorer, which tops our internal priority list. MS15-106 brings 14 fixes, seven of which are critical and could lead to Remote Code Execution (RCE) if one of your users browses to a malicious website. Address this bulletin first, on all affected platforms, starting with Vista and IE7, up to Windows 10 and IE11.

Both MS15-107 and MS15-108 are related to the Internet Explorer bulletin. MS15-107 is a new version of the new Edge browser, but it includes only two relatively benign fixes: an information leak, plus an update for the XSS filter. MS15-108 repackages four of the issues from MS15-106 for machines that run a separate version of JavaScript, mainly Internet Explorer 7.

Both MS15-109 and MS15-110 are more important and deserve your attention. Let’s look at MS15-110 first. It addresses six issues in Office (mostly Excel), five of which result in Remote Code Execution. To be successful, an attacker would trick a user into opening an Excel sheet containing an exploit for one of the vulnerabilities, which is not that hard if the Excel sheet is presented in an interesting context, say as relevant product information, pricing and discounts of competing vendors (I get about one e-mail a week offering this type of information). MS15-109 is a vulnerability in the Windows shell that can be triggered both through e-mail and web browsing and, if exploited successfully, will give RCE to the attacker.

The remaining bulletin, MS15-111, addresses local privilege escalation vulnerabilities in Windows, again affecting all versions of Windows from Vista all the way to Windows 10. Attackers would use such a vulnerability to gain system-level access once they are already on a machine.

In short: patch MS15-106 for Internet Explorer first, then MS15-110 for Excel second, and third the bulletin for the Windows Shell, MS15-109. The other bulletins are less critical and can be done in your normal patch cycle.

Last but not least, Adobe also published updates for Adobe Reader and Flash. APSB15-24 for Reader and APSB15-25 for Flash address a number of critical vulnerabilities (over 50 for Reader) that would allow an attacker to execute code within the context of the user. For Flash we recommend patching immediately. On the other hand, Adobe’s sandbox has been providing additional hardening to its PDF Reader, and it has been over a year since we have seen PDF files used in exploits in the wild. Patch Reader within your normal patch cycle.

Don’t forget that Oracle will have their CPU later this month, on the 20th to be exact. Stay tuned for more updates.
