Microsoft September Patch Tuesday: Edge and IE Get RCE Fixes
Microsoft's monthly security update arrived on Tuesday, featuring five "critical" bulletins and seven "important" items to fix 56 flaws.
As is usually the case, IT's priority should be to apply two similar cumulative security updates that covers multiple flaws in both Internet Explorer (bulletin MS15-094) and Microsoft's newest browser, Edge (bulletin MS15-095). This marks Edge's inclusion into Patch Tuesday a perfect two for two after being officially released at the end of July.
The security rollups close multiple remote code execution (RCE) holes that could be exploited based on how the browsers handle objects in memory. One specific vulnerability is a scripting engine memory corruption issue (CVE-2015-2493) that could lead to an attacker gaining access to a system by embedding a malicious ActiveX control that is marked "safe for initialization" in an app or Office document.
While none of the flaws in the two browsers is in active exploitation yet, look for attackers to take advantage quickly, and to target as many systems as they can, commented Wolfgang Kandek, CTO of security firm Qualys, in an e-mailed statement.
"These Remote Code Execution (RCE) vulnerabilities are a mainstay for mass infections that many attack groups look for," said Kandek. "We label them 'opportunistic' because they do not choose their targets specifically, but rather make their money by infecting as many machines as possible."
While attackers have yet to start using the IE and Edge holes to their advantage, the same cannot be said for the next item -- bulletin MS15-097 -- which addresses multiple RCE issues in how Windows, Office and Lync handles certain fonts. Attackers are already actively exploiting an issue that could lead to harmful code to be run on a system if a document is opened with specially crafted OpenType fonts, so get this one patched sooner than later.
The next critical item (bulletin MS15-098) affects all supported versions of Windows OSes and concerns potentially harmful Windows Journal files. According to Microsoft, "for an attack to be successful, the vulnerabilities require that a user open a specially crafted Journal file with an affected version of Windows Journal. In an e-mail attack scenario, an attacker could exploit the vulnerabilities by sending a specially crafted Journal file to the user and by convincing the user to open the file. The update addresses the vulnerabilities by modifying how Windows Journal parses Journal files."
If applying this item might take time, the company recommends that any Journal files sent from an untrusted source not be opened.
Finally this month for critical updates is bulletin MS15-099, which addresses multiple vulnerabilities in Office, with the most severe being, yet again, an RCE issue. Just like the browser fixes, the majority of issues pertain to how the productivity suite handles objects in memory. Along with Office on Windows, those running Excel for Mac, SharePoint Foundation and SharePoint Server 2013 will need to apply these fixes.
The final seven important items include fixes for Active Directory, Windows Media Center, .NET Framework, Windows Task Management, Exchange Server and Hyper-V. Because they are not seen as high of a priority as the critical items, it is recommended that the security updates are applied only on a case-by-case basis and only after adequate testing has been completed. More information on Microsoft's September security update can be found here.