Spring is here! Time to get out and smell the roses. Oh, wait—you’re in charge of patch management. Never mind. Sit down.

Microsoft’s April Patch Tuesday batch contains 11 security bulletins, four that contain critical fixes to remote code execution flaws. Patches cover 26 vulnerabilities, some of which have been exploited in the wild. So what’s at risk?

Anything Worthwhile in Office

MS15-033 is priority numero uno for patch management teams as it contains a zero-day vulnerability fix (CVE-2015-1641) involved in some wild attacks in Word 2010 and affects other versions as well. Interestingly, Microsoft has only knighted this bug as “important” rather than “critical” because users must open a malicious file first—and who ever does that? It’s only among the top five causes behind data breaches (opening bad files takes the fifth, third, and second spots by various mechanisms).

Basically this is Microsoft using the “it’s not me, it’s you,” method to ranking vulnerabilities. One more reason to assess vulnerabilities by more than severity ratings.

The Office bulletin also contains two other of the critical vulnerabilities (CVE-2015-1649 and CVE-2015-1651), both allowing remote code execution. These vulnerabilities can be exploited by simply viewing an email in Outlook’s preview pane. The problem stems from the auto-rendering of RTF files, which has been a problem before (CVE-2014-1761).

So get cracking on those Office patches. And in the meantime, don’t open Word files or look at Outlook emails.

Windows-Based, Internet-Connected Webservers

Let’s turn our attention to the server side of things. Patch MS15-034 addresses another remote code execution vulnerability (CVE-2015-1635). After running code on an IIS webserver, an attacker can then piggyback on an elevation of privilege vulnerability to gain administrator status. Then what can’t he do (maybe he’ll take over those pesky system logs piling up)?

God, What Else?

No surprise here—MS15-032 contains Internet Explorer fixes covering 10 vulnerabilities (nine critical) on versions from IE6-11.

April also sees patch updates from Oracle in their quarterly Critical Patch Update fixing 100 vulnerabilities across the software spectrum, including Java, Oracle Database, and MySQL. Oracle has fixed a lot of their products that use OpenSSL and various Apache products. Additionally, the Vancouver PWN2OWN competition last month spurred Adobe, Mozilla, and Google Chrome to release patches to their software. APSB15-06 should rank highly on your to-do list as it patches a flaw exploited in the wild (other bulletins from Adobe: ASPB15-07 and APSB15-08). Chrome 42.0.2311.90 fixes 13 vulnerabilities; Mozilla Firefox 36.0.4 is out as well.

Future Patch Tuesdays will likely look more like this month’s beefed-up version, as top vendors fall in line with the Microsoft cycle. The good news is more patches will come at one time; unfortunately, that may be the bad news as well.

So vulnerability management personnel, maybe it’s not so bad April’s a rainy month—you’ll be spending a lot of time indoors anyway.



Feeling overwhelmed? Check out this short video on how Skybox Vulnerability Detector uses network context and risk analytics to prioritize vulnerabilities.

Want to see more? Attending RSA? So are we! Come see us for live demos, tech talks, and GoPro giveaways, and more.