Your Windows PC has a critical security flaw
With only six security bulletins October is a relatively light month for a Microsoft Patch Tuesday.
Four vulnerabilities are addressed in MS15-108, none of which have been publicly disclosed; Microsoft said it is also not aware of public exploits. “This is a pretty standard mix of Web and file format vulnerabilities requiring some degree of user interaction or user error”.
As for today’s half-dozen security bulletins, Microsoft has rated three of them as critical, including the ubiquitous Internet Explorer rollup and patches for remote code execution vulnerabilities in the VBScript and JScript engines in Windows.
Back in May 2014, Microsoft announced the availability of an update for its .NET Framework that disables the rather decrepit RC4 algorithm in Transport Layer Security (TLS), which is now regarded as insecure. It is also worth noting that there is no indication of any of the patched vulnerabilities having been exploited prior to Patch Tuesday. The critical bulletins affect IE versions 7 and up on Windows Vista, Windows 7, Windows 8/8.1, and Windows 10.
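The RC4 change mentioned above is enforced through Windows registry settings, so an administrator can confirm on a given host whether RC4 is actually switched off. The following read-only PowerShell audit is an added example and is not code from the article or from Microsoft; the Schannel cipher keys and the .NET `SchUseStrongCrypto` flag are the documented registry locations, while the function name `Test-Rc4Posture` is this example's own choice.

```powershell
# Added example: read-only audit of RC4 and .NET strong-crypto settings.
# Not from the article; the function name is an assumption of this example.
# Interpretation (documented Schannel / .NET behaviour):
#   Ciphers\RC4 <n>/128 with Enabled = 0  -> that RC4 cipher is disabled system-wide
#   key or value absent                   -> the OS default applies (RC4 still allowed
#                                            on the 2015-era systems the article covers)
#   .NETFramework\v4.0.30319 SchUseStrongCrypto = 1 -> .NET 4.x clients use the
#                                            strong-crypto cipher list (no RC4)

function Test-Rc4Posture {
    [CmdletBinding()]
    param()

    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $results = @()

    # The cipher key names contain '/', which the HKLM: drive treats as a path
    # separator, so read them through the .NET registry API instead.
    $cipherRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
    foreach ($cipher in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
        $key = $hklm.OpenSubKey("$cipherRoot\$cipher")
        $enabled = if ($key) { $key.GetValue('Enabled') } else { $null }
        $results += [pscustomobject]@{
            Setting  = "Schannel $cipher"
            Value    = if ($null -eq $enabled) { 'not set (OS default)' } else { $enabled }
            Hardened = ($enabled -eq 0)
        }
        if ($key) { $key.Close() }
    }

    # .NET Framework strong-crypto flag, in both the 64-bit and 32-bit (WOW64) views
    $dotnetKeys = @(
        'SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($path in $dotnetKeys) {
        $key = $hklm.OpenSubKey($path)
        $flag = if ($key) { $key.GetValue('SchUseStrongCrypto') } else { $null }
        $results += [pscustomobject]@{
            Setting  = ".NET SchUseStrongCrypto ($path)"
            Value    = if ($null -eq $flag) { 'not set' } else { $flag }
            Hardened = ($flag -eq 1)
        }
        if ($key) { $key.Close() }
    }
    return $results
}

# Usage: run on the host being audited; reading HKLM needs no elevation.
Test-Rc4Posture | Format-Table -AutoSize
```

Any row with `Hardened` set to `False` is a host where the RC4 update has not been followed through with the registry configuration it depends on. The check only reads the registry; it does not modify anything, so it is safe to run from an inventory or compliance job across a fleet.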
Microsoft said its security update is rated “Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers”.
One of Rudolph’s peers at Core Security, Bobby Kuzma, stresses that the high volume of JScript and VBScript vulnerabilities should prompt Microsoft to adopt a disabled-by-default strategy for these technologies until or unless they can be completely removed from the Windows OS. In other words, much of the Microsoft ecosystem is vulnerable to these remote code execution flaws.
Microsoft’s new Edge browser does not contain the same vulnerability, the company said. “An attacker would trick a user into opening an Excel sheet with an exploit for one of the vulnerabilities in order to be successful, which is not that hard if the Excel sheet is presented in an interesting context, say as relevant product information, pricing and discounts of competing vendors”.
Microsoft said the “remote code execution flaw” in its Internet Explorer web browser “exists in absolutely all Windows versions now on the market”.
Microsoft released 6 security bulletins, resolving a total of 19 vulnerabilities.
Other than the MS15-106 patch, the two other “critical” patches issued by Microsoft on Tuesday include MS15-108 and MS15-109, which fix a few other serious security flaws in Windows.
“This month is dominated by remote code execution vulnerabilities enabling information disclosure if a user opens/visits specifically crafted content”, warns Adam Nowak, Rapid7 Active Lead Engineer.
The patch modifies how IE, JScript and VBScript handle objects in memory, and adds additional permission validations to IE, Microsoft said.