Microsoft pushes out security updates, plugs holes actively exploited by attackers

Get a copy of the upcoming book "Secure Operations Technology"

Microsoft released twelve patches fixing over 50 vulnerabilities in Internet Explorer, Microsoft Edge, Active Directory Service, Microsoft Graphics Component, Windows Journal, Microsoft Office, Windows Media Center, .NET Framework, Windows Task Management, Microsoft Exchange Server, Skype for Business Server and Lync Server, and Windows Hyper-V.

Of these patches and updates, those for IE, Edge, MS Graphics Component, Windows Journal and Microsoft Office are the most critical ones as they can lead to malicious code execution, and should be applied as soon as possible.

Among the 17 flaws patched in IE, one (CVE-2015-2542) has been publicly disclosed but has not been seen exploited in the wild.

The security update for the Microsoft Graphics Component plugs eleven bugs, including CVE-2015-2546, which has been publicly disclosed AND is being currently exploited by attackers. In order to exploit this bug, the attackers first have to log on to the system and then run a specially crafted app. If they succeed, they can take control of the affected system, and be able to install programs; view, change, or delete data; or create new accounts with full user rights.

Finally, the Microsoft Office update fixes five flaws, including a Malformed EPS File Vulnerability (CVE-2015-2545) that is being exploited in “limited targeted attacks”. The bug can be exploited when a user opens a file containing a malformed graphics image (usually sent via email) or when a user visits a website containing an Office file that is designed to exploit the vulnerability or is boobytrapped with a malicious ad containing the exploit code.

Most of these vulnerabilities have no mitigating factors or workarounds, so updating is crucial to protecting yourself.