August Patch Tuesday: Microsoft Releases First 'Critical' Windows 10 Fix
Microsoft is welcoming Windows 10 to its Patch Tuesday festivities by releasing a fix rated "critical" for the new OS.
The first monthly security update from Microsoft since the official release of Windows 10 includes a bulletin item rated "critical" for the OS. Also included are three additional critical bulletins and 10 rated "important," some affecting Windows 10 as well.
While it may sound like a broken record at this point, the top-priority item this month is a cumulative security update for Microsoft's Internet Explorer browser (bulletin MS15-079). The most severe issue dealt with could lead to a remote code execution (RCE) attack, if gone unpatched. In fact, IT will be spending quite some time with RCE fixes this month, as six of the 14 bulletins deal with the dangerous exploits.
"I wish that it was out of the ordinary to have this number of remote code execution vulnerabilities in any given month, but alas it is quickly becoming the norm," commented Bobby Kuzma, CISSP and systems engineer at Core Security. "While you should be diligent and make these patches quickly, the good news is that nothing in this bulletin stands out as needing to be expedited through testing."
Those who have already made the leap to Windows 10 may want to focus on bulletin MS15-091 next. With a new Microsoft browser comes a newcomer to the cumulative security patch game. This item takes care of an undisclosed number of issues in Microsoft Edge browser, including an issue that could lead to an elevation of privilege.
While the risks involved are always higher when it comes to exploits found in Web browsers (compared to other software), this fix will only have a limited impact for those patching due to Edge only running on Windows 10. It will be coming to Windows 7 and 8.1 in the near future.
With the two Web browser fixes out of the way, IT should prioritize bulletin MS15-080 as the next item for deployment. This bulletin, which includes the first Windows 10 critical fix, takes care of a problem that could cause an RCE attack if a malicious Web site containing embedded TrueType or OpenType fonts was visited. All supported versions of Windows OS, Microsoft .NET Framework, Office, Silverlight and Lync are affected.
The final critical item (bulletin MS15-081) looks to resolve vulnerabilities in Microsoft Office, with the most dangerous blocking the chance of an attacker running arbitrary code on a targeted system through an RCE hole. Security firm Qualys' CTO Wolfgang Kandek warns that some Office users will want to patch this right away due to a possible active threat associated with this bulletin.
"CVE-2015-2466 is rated critical on Office 2007 and Office 2010 indicating that the vulnerability can be triggered automatically, possibly through the Outlook e-mail preview pane, and provide Remote Code Execution (RCE), giving the attacker control over the targeted machine," said Kandek via an e-mailed response. "MS15-081 also addresses a vulnerability that is being exploited in the wild, CVE-2015-1642 - so if you run Microsoft Office 2007, 2010 or 2013 you are a potential target."
With the critical items out of the way, IT should tackle the remaining 10 important bulletins on an as-needed basis. Due to the lower threat level, these fixes should only be deployed once adequate testing has finished. More information on them and the rest of August's security bulletins can be found here.