Like a Greek poet in Dante’s Inferno, Microsoft’s Patch Tuesday—mysteriously—remains. Microsoft released 14 security bulletins in their August update, six of which apply to the new Windows 10, despite announcing the OS would receive security fixes as soon as they became available. Yet here we are in a sort of patch management purgatory.

The first of the critical bulletins is MS15-081. According to the bulletin, one Office bug could allow remote code execution if a user opens a specially crafted Microsoft Office file. The vulnerability’s (CVE-2015-2466) critical rating may indicate the flaw could be exploited without user interaction, as is the case with most Office vulnerabilities. The bulletin does cite a man-in-the-middle attack scenario as well email and web-based attacks.

Also in MS15-081 is a MS Office memory corruption vulnerability (CVE-2015-1642) which has been exploited in the wild. Office 2007, 2010, and 2013 users beware.

MS15-079 addresses vulnerabilities in Internet Explorer, the most severe of which could allow remote code execution. The patch affects IE versions 6 – 11.

What’s that? You’re still running IE6/7 on Windows 2003? Unfortunately, you won’t be able to patch as Windows ’03 was laid to rest last month in a quiet end-of-life-ceremony. So maybe opt for a non-IE browser—like Edge.

Meet Microsoft Edge, the browser promising a faster, more personalized experience. Edge touts lots of features to make the browser as much as a workspace as a research tool, letting you take in-page notes, clear distracting content, and more. The release has stirred up some controversy though, especially among the tenacious third-place browser, Firefox. Mozilla has cried foul over the difficulty in changing default browser settings, saying it’s an attempt to limit user choice. Firefox 40 is attempting to draw more users with better search engine choice and increased security by certifying add-ons.

And what better way to welcome Edge to the Patch Tuesday team than with a few fixes for RCE vulnerabilities. Check out bulletin MS15-091, and be sure to grab some cake and punch from the break room.

The last critical bulleting patches RCE flaws in Microsoft Graphics Component (MS15-080).

Also of note, MS15-085 contains important fixes for a Windows’ Mount Manager zero-day vulnerability (CVE-2015-1769): “The vulnerability could allow elevation of privilege if an attacker inserts a malicious USB device into a target system. An attacker could then write a malicious binary to disk and execute it.” So everybody watch their ports.

While the future of Patch Tuesday remains as uncertain now as ever, it seems time for Microsoft to clear the air. It may be possible the monthly update cycle has become so engrained in patch management processes that it’s just too good to do away with. Perhaps a Microsoft cafeteria tradition of “Patch Taco Tuesday” would be in jeopardy if the monthly update were retired.

Whatever the case may be, security practitioners need to know what to expect.

 

Resources

Ever wonder why our Patch Tuesday posts are so … linky? We take you right to the source for security bulletins, infosec news, and our customizable resource—Skybox Vulnerability Center. The Vulnerability Center culls data from more than 20 vulnerability and threat feeds covering 50,000 vulnerabilities on 5,500 products (and counting). Sign up for your free account and start tracking the products and vendors most important to you.

Still catching up on last month? Check out Patch Tuesday news from Microsoft, Adobe, and Oracle and Apache.

See who’s putting you most at risk with our midyear Most Vulnerable Vendor report.