Celebrating the big 1-2, Microsoft took it easy and released only six security bulletins this Patch Tuesday, three rated critical. With the release of these bulletins, Microsoft breaks its record for most annual updates, previously set at 106 in 2010 and 2013.
The critical bulletins all deal with remote code execution (and are presumably covered in frosting). No vulnerabilities have been publicly disclosed or exploited in the wild.
MS15-106 is the old-reliable Internet Explorer fix, providing fixes for memory corruption, elevation of privilege, and information disclosure vulnerabilities. The patch addresses how Internet Explorer, JScript, and VBScript handle objects in memory, and adds more permission validations to IE.
MS15-108 patches vulnerabilities in the VBScript and JScript scripting engines in Microsoft Windows. The bulletin notes traditional attack methods as well as the danger of an attacker “embedding an ActiveX control marked ‘safe for initialization’ in an application in Microsoft Office that uses IE rendering engine to direct the user to the specially crafted website.”
Relegated to the kiddie table are MS15-107, 110, and 111, all rated as important.
MS15-107 is a cumulative patch for the new Microsoft Edge browser. The most severe vulnerability (CVE-2015-6057) could allow information disclosure, giving an attacker resources to further compromise the user’s computer.
MS15-110 provides patches for Microsoft Office programs including Excel, Visio, SharePoint, and select web apps, fixing information disclosure (CVE-2015-2556), XSS spoofing (CVE-2015-6037), and security feature bypass (CVE-2015-6039) vulnerabilities. Though rated as important, successful exploitation could allow remote code execution if a user opens a specially crafted Office file.
MS15-111 addresses vulnerabilities (CVE-2015-2552 and CVE-2015-2553) in Microsoft Windows, the most severe of which could allow elevation of privilege “if an attacker logs on to an affected system and runs a specially crafted application.”