Critical updates to IE and Office for May Patch Tuesday

With this May Microsoft Update Tuesday, we see Microsoft delivering 13 security bulletins, with three rated as critical and the remaining ten rated by Microsoft as important. This month’s releases from Microsoft include an update to Office (and its web components), Internet Explorer and other low level Windows system components. Include the Internet Explorer and Office updates as part of your standard testing and deployment plan. However, I would suggest waiting a little while before deploying MS15-044 as it updates two key system files: GDIPLUS.DLL and Win32K.sys.

I was hoping for a little respite from the ongoing onslaught of large patch updates from Microsoft, but with 13 patches to deploy this month, there is no letup to the continuing drumbeat of security patches and application updates.

MS15-043 -- Critical

The first update, MS15-043, is rated as critical for this May Microsoft Patch Tuesday and relates to a remote code execution vulnerability in Microsoft Internet Explorer that affects all versions of IE from version 6 to version 11. MS15-043 attempts to resolve 22 vulnerabilities relating to memory corruption and security feature bypass issues. As usual, this month's IE update involves a complete code recompile as the patch has been shipped with an updated version all IE's system level DLL’s. This is a critical update and should be a priority for your patch deployment effort.

MS15-044 -- Critical

The second update rated as critical by Microsoft is MS15-044, which relates to a font driver based vulnerability in Microsoft Office, .NET, Silverlight and the Microsoft Lync application. This update sounds pretty benign, but if you look at the the file manifest, it includes some serious low-level files including GDIPLUS.DLL, Win32k.sys, and the two font related caching system files; fntcache.dll and dwrite.dll. This patch needs some extensive testing before a general deployment.

MS15-045 -- Critical

The final update rated as critical by Microsoft for this May patch cycle is MS15-045, which replaces a previous patch (MS15-038) that attempts to resolve a potential remote code execution vulnerability in the Windows Journaling system component. That previous patch didn’t seem to publicly raise any issues due to its small footprint. I expect that this update will have a similarly small deployment profile.

MS15-046 — Important

MS15-046 is a standard Microsoft Office update that attempts to resolve a potential remote code execution scenario when a user opens a specially crafted Office file. The update itself can be large for some environments, and so will require some care for both internal distribution and deployment.

MS15-047 — Important

MS15-047 attempts to resolve a remote code execution vulnerability in Microsoft Sharepoint Server (and its associated Sharepoint Foundation component) when it may improperly clean up memory when handling specially crafted pages. This may seem like a minor update, but the number of files  that are updated in this patch is pretty large. If you are running a large SharePoint environment, I think that this patch could do with extensive user testing before general deployment.

MS15-048 — Important

MS15-048 is a pretty minor update to the Microsoft .NET development framework (all currently supported versions are affected), as a single file is updated in an attempt to resolve an elevation of privilege scenario where an attacker could run a specially crafted application that has already been partially trusted by the affected system. Include this update in your standard patch deployment effort.

MS15-049 — Important

MS15-049 resolves an elevation of privilege vulnerability scenario in the Microsoft Silverlight development platform where an attacker with valid credentials on an affected system could run arbitrary code at an elevated security level. Include this update in your standard patch deployment effort.

MS15-050 — Important

MS15-050 updates a single file, but an important file: SERVICES.EXE which is effectively responsible for managing all applications that do not directly require user input (i.e. background tasks). This update resolves a vulnerability in the Windows Services Control Manager (SCM) where impersonation levels are incorrectly interpreted, which could then lead to an elevation of privilege scenario where an attacker could execute arbitrary code. Include this update in your standard patch deployment effort.

MS15-051 — Important

MS15-051 resolves a vulnerability in the Windows kernel mode drivers, where, if an attacker has the correct credentials, he or she may be able to execute arbitrary code (applications) in the low-level kernel mode on a compromised system. This update has a similar “deployment risk” profile to that of MS15-052.

MS15-052 — Important

MS15-052 addresses a vulnerability in the Windows kernel (a low level Windows system component) that could allow an attacker to bypass certain security features by running a specially crafted application. This update seems innocuous enough, but the patch manifest (list of files included in the update) is quite large and updates a significant number of key system files. This is one of those patches where the risk of “doing something” may outweigh the risk of “not doing something.” I would suggest that you put this at the bottom of your deployment list and wait a little before deploying this update.

MS15-053 — Important

MS15-053 addresses a security issue in the Microsoft VBScript engine where the security feature ASLR could be bypassed by an attacker. The exploitability of this issue is pretty low as it requires an attacker to compromise a system with both this vulnerability and another one to execute malicious code. Include this update in your standard patch deployment plans.

MS15-054 — Important

The penultimate update for May is MS15-054 which resolves a denial of service vulnerability in the Microsoft Management Console (MMC) component. This is a pretty straightforward update and should be included in your standard deployment effort.

MS15-055 — Important

The final patch for this May Update Tuesday from Microsoft is MS15-055 which resolves a security vulnerability in the Secure Channel (SChannel) component where the existing 512-bit Diffie-Hellman ephemeral (DFE) key was considered weak and vulnerable to a number of different attacks. This update to the Microsoft SChannel component increases the key from 512 to 1024-bits. This update should have a minimal impact on your environment and should be included in your standard update deployment effort.

Copyright © 2015 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon