Patch Tuesday as we know it may be on its last legs, but it’s certainly not going quietly.
A little more than a week after Microsoft announced how it would revamp patch distribution and security updates starting with Windows 10, the company today released its scheduled round of bulletins—13 in all, including three critical updates for vulnerabilities in Internet Explorer, Microsoft Font Drivers, and Windows Journal, all of which lead to remote code execution.
With Windows 10 due before the end of the summer, admins had better start thinking about revamping their patch assessment and prioritization processes if they’re going to upgrade to the new version of the Windows OS. With Windows Update for Business, patches will be available as they’re ready, and features built into the tool will allow IT managers to decide which machines are patched on quicker cycles, and which have to wait until testing is complete, for example.
That doesn’t mean the vulnerability parade is likely to let up; Qualys, for example, says that the pace of this year’s bulletins and patches has already exceeded each of the last five years and figures to top 150 by year’s end.
Today’s update runs the usual spectrum of products affected by the respective bulletins. The almost-habitual Internet Explorer cumulative update, MS15-043, is likely the highest priority; it patches 22 vulnerabilities that enable not only remote code execution, but also security feature bypasses, information disclosure and elevation of privileges. For Windows clients, most of the IE bugs are rated important by Microsoft; those rated critical include 14 memory corruption vulnerabilities in IE6-11. The bulletin also takes care of a number of ASLR bypass vulnerabilities in IE or VBScript and an IE Clipboard information disclosure issue.
MS15-044 patches more TrueType font vulnerabilities, this time in Windows, .NET, Office, Lync and Silverlight, and fixes how the Windows DirectWrite library handles TrueType and OpenType fonts. TrueType font vulnerabilities have caused trouble before; in 2013, Microsoft patched a separate vulnerability that led to kernel compromises and remote code execution. Font-parsing vulnerabilities have also been part of high-profile APT-style targeted attacks, including Duqu.
The TrueType bug is the more serious of the two, and could lead to remote code execution if the respective products fail to properly handle TrueType fonts, Microsoft said. The OpenType bug is an information disclosure flaw and could allow an attacker to read data meant to be private; hackers could not exploit this to run code or elevate privileges, Microsoft said.
The final critical bulletin, MS15-045, is another remote code execution issue, this time in Windows Journal, Microsoft’s note-taking program, and can be exploited if a user opens a malicious Journal file. The bulletin patches six vulnerabilities; Microsoft proposes a temporary workaround of either not opening Journal files or removing the .jnt file association.
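As an added example (not part of the article or of Microsoft’s own guidance), the following PowerShell script lets an admin audit the .jnt file association that the MS15-045 workaround removes, back it up with reg.exe, and remove it on machines that cannot take the update yet. The registry locations and the `jntfile` ProgID are assumptions about a standard Windows Journal install.

```powershell
# Added example: audit / back up / remove the .jnt association (MS15-045 workaround).
# Assumption: Windows Journal registers .jnt under these keys with ProgID "jntfile".
$jntKeys = @('HKLM:\SOFTWARE\Classes\.jnt', 'HKCU:\Software\Classes\.jnt')

function Get-JntAssociation {
    # Report each hive where a .jnt association still exists and the ProgID it points to.
    foreach ($key in $jntKeys) {
        if (Test-Path $key) {
            $progId = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Key = $key; ProgId = $progId }
        }
    }
}

function Remove-JntAssociation {
    param([string]$BackupDir = "$env:ProgramData\jnt-workaround")
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($entry in Get-JntAssociation) {
        # reg.exe wants "HKLM\..." rather than the PowerShell drive syntax "HKLM:\..."
        $regPath = $entry.Key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
        $backup  = Join-Path $BackupDir (($entry.Key -replace '[:\\]', '_') + '.reg')
        # Export first so the association can be restored once the update is applied.
        & reg.exe export $regPath $backup /y | Out-Null
        Remove-Item -Path $entry.Key -Recurse -Force
        Write-Output "Removed $($entry.Key) (backup: $backup)"
    }
}

# Audit only by default; removing the HKLM key requires an elevated session.
Get-JntAssociation | Format-Table -AutoSize
# Remove-JntAssociation
```

Re-importing the saved .reg file restores the association after MS15-045 has been installed.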
“The vulnerability with Windows Journal is particularly interesting in the target scenario, where an administrator is opening a journal file to determine or diagnose a problem, and the tools we’re given to manage problems are at the same time being used to penetrate the target host, and open you up for further attacks,” said Jon Rudolph, principal software engineer at Core Security. “This most likely would not be aimed at the typical user, but someone with admin permissions.”
Experts warn that the Office bulletin MS15-046, though rated important, should merit a second look because it enables remote code execution, as does the SharePoint bulletin, MS15-047.
The Office and SharePoint bulletins, however, are replacements for a number of older bulletins released earlier this year. If admins have not yet applied the older updates, they need only apply today’s.
Another bulletin rated important that deserves extra attention is MS15-051, which patches six elevation of privilege vulnerabilities in Windows Kernel-Mode Drivers, one of which, CVE-2015-1701, has been publicly disclosed; Microsoft said it is aware of limited targeted attacks going after this bug. The patch addresses an issue where the kernel-mode driver improperly handles objects in memory; an attacker with local access could then run code in kernel mode.
The remaining Important bulletins are as follows:
- MS15-048: Patches elevation of privileges vulnerabilities in .NET
- MS15-049: Patches elevation of privileges vulnerability in Silverlight
- MS15-050: Patches elevation of privileges vulnerability in Service Control Manager
- MS15-052: Patches security feature bypass in Windows Kernel
- MS15-053: Patches security feature bypass vulnerabilities in JScript and VBScript scripting engines
- MS15-054: Patches denial of service vulnerability in Microsoft Management Console file format
- MS15-055: Patches information disclosure vulnerability in Schannel