Administrators and security teams are in for a busy day tackling 11 Microsoft security bulletins and Adobe updates, and Oracle has pre-announced that its quarterly update, scheduled to be released later today, will contain several critical updates to its portfolio of products, namely Java and databases.
Of the 11 Microsoft bulletins, 4 are rated as “Critical” and affect virtually all supported desktop/server platforms and all supported installations of MS Office (including Office for Mac 2011). These 11 bulletins address 26 CVEs, with exploitation of CVE-2015-1641 being detected in the wild. The bulletin covering it is MS15-033, which addresses a publicly disclosed Office memory corruption vulnerability.
Exploitation of this vulnerability requires that a user open a specially crafted malicious Office file, which grants the attacker the same permissions as the currently running user. As we're all well aware, users are extremely susceptible to phishing attacks, so now might be a good time to remind your users to be vigilant and to focus your patching efforts on this actively exploited vulnerability.
MS15-032 addresses 10 Internet Explorer CVEs and is rated as “Critical”, with exploitation being quite likely but not yet detected in the wild. Microsoft really needs to get Spartan released so that its browser auto-patches itself like all the other browser platforms.
The remaining bulletins are rated as “Important” and include privilege elevation, security feature bypass and denial of service vulnerabilities affecting SharePoint, AD Federation Services, all versions of .NET and Hyper-V. The Hyper-V bulletin (MS15-042 – CVE-2015-1647) in particular could pose a challenge to administrators because it requires a restart; the downstream effect is that hosted VMs will need to be migrated or brought offline for this patching to occur.
Administrators might want to hold off until a scheduled maintenance window for MS15-042, as the exploit only results in a denial of service (DoS) and exploitation is rated as “less likely” by Microsoft.
Just to increase the fun factor for administrators, Adobe released APSB15-06, a high-priority security update for Flash that addresses 22 CVEs and impacts all previous versions on both Windows and Mac operating systems. Other Adobe products receiving lower-priority updates are ColdFusion and Flex.
Author: David Picotte, manager of security engineering at Rapid7.