Twelve updates are expected to provide more security for Microsoft applications in September 2015. With the cumulative security update MS15-094, Microsoft closes several vulnerabilities in its in-house browser.
The most serious vulnerabilities in Internet Explorer (IE) would allow an attacker to run code remotely on the vulnerable computer (Remote Code Execution, RCE). To do this, the attacker has to lure the victim onto a specially crafted website.
Among other things, the security update changes how Internet Explorer, JavaScript, and Visual Basic Script (VBScript) handle objects in memory. Particularly vulnerable are browser installations from IE 7 to IE 11 on Windows clients. If the application is on a Windows server, the risk is considered moderate.
The new Microsoft Edge browser under Windows 10 also has critical security vulnerabilities that may enable RCE attacks. Again, there are problems with the handling of objects in memory, which should be resolved with the security bulletin MS15-095.
Office with multiple vulnerabilities
The patch MS15-097 fixes vulnerabilities in Windows, Microsoft Office and Lync. The most threatening vulnerability allows remote code execution. To trigger it, the user must open a web page with embedded, manipulated OpenType fonts or a specially crafted document.
Affected are all supported OS variants of Windows Vista and Windows Server 2008. Vulnerable applications also include Microsoft Lync 2013 and 2010, Live Meeting 2007, and Microsoft Office 2007 and 2010. The update corrects the processing of fonts and objects in memory. In addition, the process and kernel level are reworked.
Manipulated documents can also be dangerous if security update MS15-099 is not installed. Again, this is a critical RCE vulnerability in Office 2007, 2010, 2013 and 2013 RT. In the case of Microsoft Excel for Mac 2011 and 2016, as well as Microsoft SharePoint Foundation 2013 and SharePoint Server 2013, the risk is considered high.
Windows Journal also has RCE vulnerabilities that an attacker can exploit when a user opens a specially crafted journal file. All versions of Windows, with the exception of the Itanium editions of Windows Server, urgently need to be updated with the MS15-098 patch. Better parsing of the journal files should then provide a remedy.
The remaining seven vulnerabilities are all rated at least high risk. The MS15-096 update is designed to prevent a denial of service through the Active Directory service. An RCE vulnerability in Windows Media Center is patched with the security bulletin MS15-100. With the security bulletin MS15-103, Microsoft prevents unintended information disclosure via the Exchange server.
The patches MS15-101, MS15-102 and MS15-104 are intended to prevent unintended elevation of user privileges. Vulnerable in these cases are the .NET Framework, Windows Task Management, and Skype for Business Server and Lync Server. That leaves the security bulletin MS15-105, which addresses a vulnerability that allows isolated security features to be bypassed in a virtualized Hyper-V environment.