Microsoft's Patchday in October 2015 is relatively quiet. Critical updates are being rolled out for Internet Explorer, the script modules JScript and VBScript, and the Windows shell. A total of six security bulletins have been published.
Internet Explorer (IE) receives the cumulative security update MS15-106 on the October 2015 Patchday. The most serious vulnerabilities in the Microsoft browser once again allow code to be injected and executed from outside on vulnerable computers (Remote Code Execution, RCE).
To achieve this, the attacker has to get the victim to open a manipulated website with Internet Explorer. All browser versions from IE 7 to IE 11 are affected. On client operating systems such as Windows 7 and 10, the update is considered critical; server operating systems are at medium risk.
The Edge browser introduced with Windows 10 also has vulnerabilities, but these seem to be of a different nature. At least, in the worst case, the software will only disclose information unintentionally when the user opens a website designed for that purpose. Microsoft rated the risk as "high"; the patch package MS15-107 is meant to solve the problems.
Other critical vulnerabilities were found in JScript and VBScript. One of the vulnerabilities corrupts memory and can thus also lead to RCE. Security bulletin MS15-108 addresses this: it updates script module versions 5.7 and 5.8 in Internet Explorer 7 and 8 if they are installed under Windows Vista or Windows Server 2008 and 2008 R2.
An attack could come either through a specially crafted website or through a manipulated website that accepts or hosts user-provided content or advertisements. The attacker would have to lure the victim into visiting the website or foist a special ActiveX control on them.
The third critical update, MS15-109, is intended to fix problems with the Windows shell. Again, RCE is possible if the user opens a specially crafted toolbar object in Windows or views specially prepared content on the Internet. The vulnerability is found in all supported versions of Windows.
Two further updates are meant to eliminate security problems rated as high risk. Some of these are found in various Excel and SharePoint components of MS Office; security bulletin MS15-110 eliminates those vulnerabilities. The patch MS15-111 closes vulnerabilities in the Windows kernel that may allow user rights to be elevated. In this regard, Microsoft asks all customers who use local or remote reporting for attestation to read the security bulletin's details on CVE-2015-2552.