September can bring unsettled weather and likewise a large variation in the number of Microsoft updates. For this September Patch Tuesday, we see a moderate update, with 12 patches, five rated as critical and the remaining seven rated as important. To put this month's release in context, we saw Microsoft release four updates in September 2014, but a whopping 14 updates in September 2013. This month we are seeing significant and critical updates to both Microsoft Internet Explorer and the new Edge browser. Last year, I suspected that the patch team had a nice break in August. This year it looks like there’s been no such let-up in activity.
MS15-094 — Critical
The first update rated as critical by Microsoft for this September Patch Tuesday is MS15-094, which attempts to resolve 17 vulnerabilities in Microsoft Internet Explorer (IE). These issues at worst may lead to a remote code execution scenario where IE may not handle VBScript and JScript objects in memory correctly, leading to an attacker achieving the same rights and privileges as the logged on user. This, like previous IE attempts to resolve multiple memory corruption issues, will require a complete update to all downloaded IE desktop code. This is a "Patch Now" Microsoft update.
MS15-095 — Critical
The patch MS15-095 is the second critical update from Microsoft for September, and the second security update for Microsoft's new browser Edge. This update addresses four memory corruption vulnerabilities that could lead to a remote code execution scenario. In both the case of IE and the new Edge browser, a specially crafted Web page could allow an attacker to compromise a desktop system and employ the same rights as the logged in user. Microsoft has not posted any mitigating workarounds for Edge. This update, like the IE patch, is a "Patch Now" update from Microsoft.
MS15-097 — Critical
MS15-097 addresses 11 reported issues in the core Windows Graphics component that affects a rare profile of platforms for this type of issue. Only Windows Vista and Server 2008 and versions of Office ranging from versions 2007 to 2013 are rated as critical by this font-handling security issue. The remaining platforms of Windows 7 and later server platforms are rated as important. If you are running a modern operating system (i.e. Windows 7 or later), then add this update to your standard deployment schedule.
MS15-098 — Critical
The fourth critical update MS15-098 relates to the attempted resolution of five remote code execution vulnerabilities in the Windows Journal system component. The Windows Journal file format (.JNT) goes back to the early attempts at creating a tablet experience with Windows XP and Vista. This format (now XML-based) is still available in Windows 8.x, 10, and server systems and if compromised by these vulnerabilities could lead to an attacker having the same rights as the logged-on user. If you are not using Windows Journal features in your environment, Microsoft recommends to remove the .JNT file type extension or disable the features through the "Turn Windows Features on or off" tab in the Table PC Components control panel applet. I am not sure how many people are using this feature, but it cannot be that many. Add this update to your standard deployment schedule.
MS15-099 — Critical
The final critical update from Microsoft for September is MS15-099, which attempts to resolve five remote code execution vulnerabilities in Microsoft Office. This update affects Office 2007 all the way through to Office 2013 (including RT) and also the Mac versions of Office 2011 and 2016 and deals with a number of privately disclosed memory corruption issues. This update handles three basic classes of issues: memory corruption, XSS Spoofing vulnerabilities and an image file (EPS) exploit. Microsoft has included a mitigation strategy for the image file (EPS) through restricting access to the EPS image file handling filter (EPSIMP32.FLT). I strongly suggest including this update in your normal patch deployment schedule rather than locking down single or isolated system files.
MS15-096 — Important
MS15-096 is the first important update for September and it attempts to resolve a single vulnerability in Microsoft Active Directory. Due to the nature of Active Directory, this update only affects Microsoft server platforms including Server 2008 (Rx) and Server 2012 (Rx). This privately reported vulnerability could lead to lower risk Denial of Service security issue. Add this Microsoft update to your standard server update schedule, noting that it will require a server restart.
MS15-100 — Important
MS15-100 — the hundredth patch from Microsoft in 2015 — is rated as important as it appears to address a single vulnerability in Microsoft Windows Media center. This vulnerability could lead to a potential remote code execution scenario. Although this may seem like a low risk update to a lesser Windows component, there has been a publicly disclosed exploit for this issue, and therefore this update should be included your priority patch deployment effort.
MS15-101 — Important
MS15-101 relates to two reported vulnerabilities in the Microsoft .NET framework affecting all currently supported versions (2.x to 4.5.2). This important update essentially affects all Microsoft desktop and server platforms at a core component level. With a publicly disclosed exploit for an elevation of privilege security risk, this patch should be included in your priority patch deployment schedule.
MS15-102 — Important
MS15-102 addresses three privately reported vulnerabilities in the Windows task management system. However, although this update affects all supported Microsoft desktop and server platforms, a number of user-driven steps are required to expose these vulnerabilities, and at present, there are no publicly documented exploits. Add this update to your standard patch deployment schedule.
MS15-103 — Important
MS15-103 addresses three privately reported vulnerabilities in Microsoft Exchange 2013 that could lead to a lower risk information disclosure scenario. This is therefore a lower risk patch, but it does require a complete system restart. Add this update to your standard exchange maintenance program.
MS15-104 — Important
MS15-104 attempts to address three privately reported issues in the recently released Skype for Business (formerly Lync Server) which could lead to an elevation of privilege scenario if a user clicks on a specially crafted instant message containing a URL. This is another lower risk update, and so add this update to your standard server maintenance program.
MS15-105 — Important
The final update for this September Patch Tuesday is MS15-105, which resolves a single privately reported vulnerability in Microsoft Hyper-V which could result in compromising a system's Access Control Lists (ACL). This is a lower risk update that should be included in your standard server patching program.