Microsoft has provided a brief respite to the now regular patch onslaught, with a relatively small cohort of six updates for this October Patch Tuesday. With three rated as critical by Microsoft and the remaining updates rated as important, this set of updates affects IE, Windows desktop and server systems and some Office components.
We are now seeing some real interest from a number of vendors trying to get a better handle on the Patch Tuesday update process. This month, both Shavlik and Unidesk have released some really helpful infographics on the risks and costs of patching your systems every month.
MS15-106 — Critical
The first of three critical updates for this October Patch Tuesday is MS15-106 which relates to a number of memory handling vulnerabilities in Microsoft Internet Explorer (IE) that could lead to a remote code execution scenario. Taking the lion’s share of the reported issues for this October release, this update attempts to resolve 14 memory corruption issues in how IE handles security permissions and JScript and VBScript objects in memory. This update affects IE 7 through to IE 11, but excludes Microsoft’s latest browser Edge. Make this update a priority for your patch deployment efforts for this month.
MS15-108 — Critical
The next critical update for October appears to be paired with the memory corruption issues found in MS15-106. MS15-108 attempts to resolve four privately reported issues dealing with memory problems in the Microsoft scripting languages Script and VBScript, which, like the update to IE, could lead to a remote code execution scenario. In addition to these two vulnerabilities, an attacker could use specially crafted Web pages containing malignant ActiveX controls to run arbitrary code in the user context. Add this update to your priority deployment effort.
MS15-109 — Critical
The final Microsoft update rated as critical for this Patch Tuesday is MS15-109, which attempts to resolve two privately reported vulnerabilities in the core Windows Shell component. These two vulnerabilities relate to a memory corruption and a tablet component memory allocation issue. Microsoft has offered some mitigation measures through removing security access to specific files (TipBand.DLL) but given the deployment costs of rolling out file-level changes to desktop builds, a tablet specific application testing plan may be more effective. Given the core nature of this component, but the relatively low “surface area” of these two issues, add this update to your standard patch deployment effort.
MS05-107 — Important
The first update rated as important by Microsoft, MS15-107, deals with two privately reported security issues in Microsoft’s new browser for Windows 10, Microsoft Edge. This update affects both the 32 and 64-bit versions of Edge and relates to a number of security handling features which could be bypassed by an attacker, in the worst case scenario leading to an information disclosure scenario. The fact that we are only seeing these kinds of patches for Edge is a testament to the planning and effort put into making security a real priority in Microsoft’s new browser technology. If you are a consumer, you will receive this update as part of the Windows 10 update process. I am not sure how this update should be handled. Some thinking on deployment at this early stage of Edge’s lifecycle would be beneficial.
MS15-110 — Important
The penultimate update for October is MS15-110, which attempts to address six vulnerabilities in Microsoft Office (PC versions 2007 to 2013, and 2011 to 2016 for Mac) that could lead to remote code execution scenario. As for most Microsoft Office related security issues, a user must open a specially crafted Office file to allow an attacker access to their system. Add this update to your standard deployment schedule.
MS15-111 — Important
The final update MS15-111 is rated as important by Microsoft. Unfortunately this patch updates a very important component, the Windows Kernel. The Windows Kernel is a key system component, which pretty much drives all the other subsystems in modern Microsoft operating systems. This update affects all versions of Windows (desktop, server and server core). I am a little hesitant about this patch. Updating the Windows Kernel is a big deal, and with only five privately reported issues, and no known exploits in the wild, I suggest a comprehensive testing regime before deployment. Maybe wait a few days, and then start with the IT department.