Microsoft fixes critical flaws in all versions of Windows and Office

This month’s Microsoft Patch Tuesday brings fixes for 33 vulnerabilities.

Nearly half of those are found in Internet Explorer, and most of them are critical as they could lead to remote code execution and are easily exploitable – the victim only needs to visit a malicious website, so users would do well to implement that patch first and with haste.

Luckily, none of the vulnerabilities are actively exploited in the wild.

Another critical update is that for JScript and VBScript scripting engines in Microsoft Windows.

“The more severe of the vulnerabilities could allow remote code execution if an attacker hosts a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer (or leverages a compromised website or a website that accepts or hosts user-provided content or advertisements) and then convinces a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that uses the IE rendering engine to direct the user to the specially crafted website,” the company explained.

“An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user and, if the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

MS15-109 and MS15-110 are two updates that are also deemed critical. The former fixes flaws in Windows Shell that could lead to remote code execution, and is intended for all supported releases of Windows. The latter resolves a number of issues in Microsoft Office, most of which – you guessed it – could lead to RCE.

“An attacker would trick a user into opening an Excel sheet with an exploit for one of the vulnerabilities in order to be successful, which is not that hard if the excel sheets is presented in an interesting context, say as relevant product information, pricing and discounts of competing vendors (I get about one e-mail a week offering this type of information),” Qualys CTO Wolfgang Kandek pointed out.

The remaining two updates are for Microsoft Edge and for the Windows kernel, and are less important, so you can take your time in implementing them.

Don't miss