Redmond has rolled out this month’s Patch Tuesday fixes

Apr 15, 2015 05:43 GMT

As part of this month’s Patch Tuesday rollout, Microsoft has released a total of 11 security bulletins, four of them rated critical and affecting software such as Windows, Office, and Internet Explorer.

IT administrators and users are advised to prioritize the deployment of the four critical patches in the following order: MS15-033, MS15-034, APS15-06 (Flash update), and MS15-032.

For Windows users, the most important patch is MS15-034, which fixes a remote code execution (RCE) vulnerability in servers that also affects new versions of Windows, including Windows 7 and 8.

Wolfgang Kandek, CTO of Qualys, says that this should be considered a top vulnerability for server administrators “if you run Windows based web servers on the Internet,” but Microsoft itself is urging everyone to install it as soon as possible.

“An attacker can use the vulnerability to run code on your IIS webserver under the IIS user account. The attacker would then use an exploit for a second local vulnerability (EoP) to escalate privilege, become administrator and install permanent exploit code. The attack is simple to execute and needs to be addressed quickly, if you cannot patch immediately take a look at the suggested workaround in IIS caching,” Kandek stresses.

Internet Explorer getting patched too

Also very important for Windows users is MS15-032, which fixes 10 vulnerabilities in the browser, nine of which are considered critical.

All Internet Explorer versions are affected, from IE6 (which no longer receives updates) to IE11, which is installed on Windows 8.1 by default.

Once the user opens a malicious webpage, cybercriminals could take control of an unpatched system with the same user rights as the logged-in account. This is especially critical on computers where that account has administrator privileges, so again Microsoft urges everyone to deploy the patch as soon as possible.

All of today’s patches are being shipped via Windows Update, and some require a reboot, so IT admins should be prepared to restart their machines before anything else.