As the kiddos return to school, the security community returns from teary-eyed bus stop photo shoots and Labor Day vegetative states to the familiar face of Patch Tuesday. As September marks the second instance a monthly update is released for Windows 10, hopes for a dynamic Microsoft update system have all but faded.
September’s Patch Tuesday contains 12 security bulletins from Microsoft, five of which are rated as critical, and includes some vulnerabilities which are being exploited in the wild. The September bulletins put Microsoft at 105 thus far in 2015, putting them on track for a new company record. With three more months to go in the year, Microsoft will out-update 2010 and 2013, which both saw 106 records, according to a Skybox Vulnerability Researcher.
MS15-094 provides fixes for 17 Internet Explorer vulnerabilities, the majority of which are caused by memory corruption. Successful exploitation of these flaws could result in remote code execution, elevation of privilege, information disclosure or security feature bypass.
MS15-095 patches vulnerabilities in Microsoft’s new Edge browser, the most severe of which could allow remote code execution. CVE-2015-2542 has been publicly disclosed. This memory corruption vulnerability along with all others concerning Edge were also included in the Internet Explorer bulletin, leading some to speculate the old and new guard of Microsoft browsers are sharing some libraries, if not more.
MS15-097 contains the most potentially dangerous vulnerability in the bunch—CVE-2015-2546—which could allow elevation of privileges via the Win 32k memory corruption vulnerability. The vulnerability has been publicly disclosed and is being exploited in the wild.
MS15-097 more broadly addresses vulnerabilities in the graphics component where embedded OpenType fonts could lead to remote code execution. A flaw in how Windows Adobe Type Manager Libraries handles OpenType fonts (CVE-2015-2510) could allow an attacker to “install programs; view, change, or delete data; or create new accounts with full user rights.”
The last of the critical bulletins—MS15-099—contains a vulnerability affecting all Windows versions of Microsoft Office (CVE-2015-2545) in which a malformed EPS file could allow remote code execution. The email-based attack scenario for this vulnerability only requires a user to view a specially crafted email in the Outlook preview pane in order for the flaw to be exploited.