Microsoft Fixes Critical IE, Windows, Office Flaws on Patch Tuesday

Redmond on Tuesday released 11 security bulletins -- four critical -- to fix 26 vulnerabilities in its software. Microsoft's April Patch Tuesday follows a heavy load in March that saw 14 bulletins to fix 43 flaws. Altogether, Microsoft has already released twice the number of security updates as it did by this time last year.

The patches cover Internet Explorer, Office, HTTP.sys, the Graphics Component, SharePoint Server, Windows Task Scheduler, Windows, XML Core Services, Active Directory Federation Services, the .NET Framework and Hyper-V Cloud. Some of the flaws open the door to remote code execution; others allow elevation of privilege.

"In terms of Microsoft prioritization, you will likely want to start with MS15-033. The critical bulletin addresses 5 CVEs in Microsoft Office, including a fix of one zero-day vulnerability," Russ Ernst, director of Product Management at security firm Heat Software, told us. "CVE-2015-1641 is currently under attack on Word 2010. The full update addresses Word 2007, 2012 and Word for Mac 2011. A remote code execution could result if a user opened a malicious Office file, giving the attacker full user rights."

Pinpointing Bugs

We turned to Craig Young, security researcher for advanced threat detection firm Tripwire, to get his thoughts on April's Patch Tuesday. He told us that, along with squashing the typical Internet Explorer and Microsoft Office code execution bugs this month, Microsoft is also plugging a critical, remotely exploitable flaw in its Web server architecture.

"At first glance it appears that this flaw is related to IIS kernel caching support as it pertains to processing crafted HTTP request headers," Young said. "It's likely that we'll see this bug being exploited in the wild in a very short timeframe."

Young finds it interesting, however, that MS15-034 does not affect the older Windows Server 2003 IIS platform. This indicates the bug was introduced...
