Microsoft today pushed out 12 bulletins as part of November’s Patch Tuesday, including four critical updates, all of which can lead to remote code execution.
The update is rounded out by fixes for Windows, Lync, .NET, and Skype for Business, but two of the critical fixes affect the browsers found on practically every build of Windows: Internet Explorer and Edge.
The Internet Explorer bulletin is marked critical for any users running versions of IE 7 to IE 11 and fixes 25 different vulnerabilities in the browser, mostly memory corruption bugs that can lead to code execution. Assuming an attacker could get a user to view a specially crafted website, they could exploit the vulnerabilities and gain the same rights as the user.
In addition to the memory corruption bugs, three other issues were also fixed: an information disclosure vulnerability, an ASLR bypass, and a different type of memory corruption bug, this one in the scripting engines JScript and VBScript.
The update for Microsoft’s Edge browser fixes far fewer vulnerabilities than the IE bulletin, just four overall, but is still marked critical for anyone running Windows 10. Like the IE updates, the Edge bulletin fixes memory corruption vulnerabilities and an ASLR bypass vulnerability that could have let an attacker gain the same rights as the user.
It’s expected that Microsoft will push its “Fall Update” for Windows 10 on Thursday, bringing the operating system its first functionality upgrade, meaning some users may have to wait two days to apply today’s Edge update.
According to Qualys’ Wolfgang Kandek, another critical bulletin, MS15-115, should be users’ number one fix. The update tweaks how Windows handles objects in memory, how a font subsystem, Adobe Type Manager Library in Windows, handles embedded fonts, and how the Windows kernel validates certain permissions. The bulletin fixes seven vulnerabilities that could let an attacker execute code remotely if they could trick a user into opening a document or visiting a page that contains embedded fonts.
“Two of the [seven] vulnerabilities are in the font subsystem, which makes them remotely exploitable through web browsing and e-mail and affect all versions of Windows, including Windows 10 and RT,” Kandek said.
The last critical update addresses a heap overflow vulnerability in Windows Journal, a notetaking app on Vista and Windows 7. If an attacker got a user to open a malicious Journal file on an affected version of the app, they could theoretically execute arbitrary code.
While the rest of the bulletins may not be marked critical, experts say they still deserve users’ attention.
Jon Rudolph, a principal software engineer with Core Security, stressed Tuesday that fixes associated with a trio of elevation of privilege vulnerabilities in NDIS, .NET, and Winsock are worthy of being marked “Important” and should be cause for concern.
Other fixes this month include an update for Schannel to prevent spoofing through man-in-the-middle attacks, an update to Kerberos to prevent a bypass, and updates to both Skype for Business and Lync for an issue that could’ve left users open to malicious JavaScript messages.