It is Windows 10 first Patch Tuesday and 40% of the August bulletins for generic Windows apply to the newest version of the operating system: Windows 10. In addition there is an exclusive bulletin for the new browser Microsoft Edge, the leaner and faster replacement for Internet Explorer that addresses three critical vulnerabilities. Windows 10 fares a bit better than WIndows 8, which had 60% in its first two months, where three out of five bulletins were applicable. From a security perspective Windows 10 brings much improvement and we are curious to see how the acceptance of Windows 10 will play out, especially comparing the enterprise side and consumer side. On the Enterprise level we think the Virtual Secure Mode that takes credential hashes out of the Windows kernel the biggest advance, while for the consumer it is the new patching schedule, which basically keeps Windows always updated with the latest updates.
From a security perspective we recommend the upgrade to 10, and since it is free, we think many will make the effort of getting onto the next level. We will keep you updated with our numbers as we see both Enterprise (in our Qualys tools) and consumers (in Browsercheck) migrating.
Our highest priority item this month is MS15-081, which addresses Microsoft Office. It is rated critical which is rare for a Office bulletin, as Microsoft typically downgrades a vulnerability when user interaction is required, such as opening a DOCX file. But CVE-2015-2466 is rated critical on Office 2007, Office 2010 and Office 2013 indicating that the vulnerability can be triggered automatically, possibly through the Outlook e-mail preview pane, and provide Remote Code Execution (RCE), giving the attacker control over the targeted machine. MS15-081 also addresses a vulnerability that is being exploited in the wild, CVE-2015-1642 – so if you run Microsoft Office 2007, 2010 or 2013 you are a potential target.
Next is an operating systems update for all versions of Windows. MS15-085 addresses a 0-day vulnerability in the Mount Manager of Windows. It is triggered through a USB stick that gets inserted into the machine and can be used to run code on the target machine. Public exploitation has been detected, and this is a high priority update for all your machines that are not in controlled environments.
Internet Explorer (IE) gets updated in MS15-079. It addresses 13 vulnerabilities, including 10 that have potential for RCE. The vulnerabilities affect all supported operating systems starting from IE7 on Windows Vista through IE11 on Windows 8.1 RT and Windows 10. Note that the combo IE6/7 and Windows 2003 is not listed in the bulletins because Windows 2003 is end-of-life as of last month. You can still count as being affected, as in 2015 every Internet Explorer bulletin had fixes for IE under Windows 2003. It is now only a question of time before an exploit for Internet Explorer comes out that cannot be patched under Windows 2003. The only mitigating factor is that 2003 users probably do not use Internet Explorer all that much since it is a server operating system.
Speaking of browsers, last week v39 of Firefox was under attack through a vulnerability in the built-in PDF reader that allowed the attacker to retrieve files (such as /etc/passwd and command line history files under Linux and Mac OS X) from the machine. Mozilla published v39.0.3, which addresses the problem. Their blog post gives more insight on the issue.
Next up is the monthly Adobe Flash update. APSB15-19 addresses 34 vulnerabilities and all but one are rated as critical, possibly leading to RCE. However, there are no known exploits for Adobe Flash at this point in time. Users of Google Chrome and IE10/11 get their updates through their respective browsers, users of Firefox/Safari/Opera need to update manually by going to Adobe’s site.
Back to our Microsoft list: MS15-080 is an update to Microsoft Font handling that addresses 16 vulnerabilities. It is rated critical and can be triggered through any application that accesses fonts: web browsers, e-mail and documents. All versions of Windows, including 10 are affected. Some of the vulnerabilities also affect other software, such as .NET, Lync, Silverlight and Office that are also listed as affected.
MS15-083 is an interesting RCE-type vulnerability in the SMB protocol, but only affects machines running Vista and Server 2008. If you expose SMB over the Internet on these operating systems this should be high priority for you.
The remaining bulletins all address a smaller set of vulnerabilities in a variety of technologies: XML processing in MS15-084, XSS in Biztalk in MS15-087, SSLv2 man-in-the-middle in WebDAV in MS15-089 and a new version of .NET in MS15-092.
Last but not least MS15-091 gives Windows 10 users a new version of the new Edge browser that addresses three of the RCE vulnerabilities that we talked about in MS15-079.
That’s it for this Patch Tuesday. Let me know what you think about Windows 10 – are you deploying it? What about Windows Server 2003, are you migrated off already?