
May 2015 Patch Tuesday isn't all about critical patches, experts say

Microsoft's May 2015 Patch Tuesday has made 2015 the biggest year for patches through the first five months and is highlighted by two non-critical patches, according to experts.

Microsoft released its May 2015 Patch Tuesday fixes today. Three of the patches are rated as critical and another 10 are rated as important. Experts say the critical patch for Internet Explorer and the non-critical patches for Microsoft Office and SharePoint should be the top priority for enterprises.

According to Craig Young, security researcher for Tripwire Inc., based in Portland, Ore., none of the vulnerabilities are as severe as what was patched in the April 2015 release, but they do still require attention from enterprises.

"In general all of these flaws expose enterprises to attacks driven by social engineering campaigns, malvertising, and watering hole attacks," Young said. "Admins will be relieved however to see that there is nothing on par with the recently exposed HTTP.sys code execution bug or other prevalent remotely available services."

Wolfgang Kandek, chief technology officer for security vendor Qualys Inc., based in Redwood Shores, Calif., noted in a blog post that the 13 patches in this release bring the total for the year to 53, which is the highest total through May of any of the past five years.

"I cannot remember a similarly active year," Kandek said. "Our internal tracking of vulnerability numbers now projects north of 140 advisories for this year, certainly also a new record."

MS15-043 is the cumulative Internet Explorer patch for the month and includes fixes for vulnerabilities in IE versions 6 through 11 running on Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows Vista, Windows 7, and Windows 8/8.1.

This cumulative patch fixes 22 total vulnerabilities, 14 of which Microsoft rates as critical with the potential for remote code execution. Kandek rates this patch as the most important of the month because Internet Explorer has consistently proven to be a favorite attack vector.

"You should be prepared to install these updates as quickly as possible," Kandek said. "Attackers have a variety of techniques in their arsenal to do so including attacking common blogging and forum software to gain control over the website and then include links to the malicious pages. A good example is the SoakSoak campaign. Recent vulnerabilities in this class have been in the Magento ecommerce engine and in Wordpress CMS."

MS15-046 is not rated as critical by Microsoft, but Kandek suggests that enterprises take care to prioritize it. The patch fixes a vulnerability in Microsoft Word and Excel that could allow for remote code execution.

"It addresses RCE file format vulnerabilities in both Word and Excel that attackers could use to gain control over your user's machines," Kandek said. "Both have as the attack vector e-mail attached documents that get sent to your user's e-mail account in the expectation the documents get opened by their recipients."

MS15-044 addresses critical vulnerabilities in Microsoft Font Drivers that affect Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight, as well as Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows Vista, Windows 7, and Windows 8/8.1.

The more severe vulnerability is found in TrueType Font Parsing (CVE-2015-1671) and Microsoft says this could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType fonts.

MS15-045 is the last patch rated as critical and addresses a vulnerability in Microsoft Journal that could allow remote code execution if a user opens a specially crafted Journal file. Microsoft did note that users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Kandek said this patch may be rated as critical and should be applied quickly, but also suggested that system admins consider disabling Windows Journal because it isn't very popular software.

"I do not know anybody who uses Windows Journal," Kandek said, "so I would recommend following the workaround described in the advisory and neutering the file description '.jnl' to counter this and future attacks on this software."

This vulnerability affects Windows Vista, Windows Server 2008 (excluding Itanium), Windows 7, Windows Server 2008 R2 (excluding Itanium), Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

MS15-047 is also rated as important by Microsoft, but carries the potential for remote code execution through a vulnerability in Microsoft SharePoint Server. Young said that the criticality may not be high, but enterprises with sites allowing access to untrusted users should make this a priority.

"While the SharePoint patch should certainly be applied, it is worth noting that Microsoft is indicating that this one is less likely for exploitation in the immediate future, and that it will only gain an attacker execution in the context of the W3WP service account," Young said. "Combined with some of the other vulnerabilities exposed this month however this could be used as a stepping stone to elevate access on the compromised system or distribute malicious content to users of the SharePoint server."

The remaining eight patches are all rated as important by Microsoft and can lead to various results including elevation of privilege, security feature bypass, denial of service, and information disclosure. The Microsoft products involved include .NET Framework, Silverlight, Kernel-Mode Drivers, and schannel.

Adobe patches

Adobe has also released patches for 34 vulnerabilities in Acrobat X, Acrobat XI, Reader X, and Reader XI. The patches are rated as critical and resolve issues including use-after-free vulnerabilities, heap-based buffer overflow vulnerabilities, a buffer overflow vulnerability, and memory corruption, all of which could lead to code execution.

Young said the patches for vulnerabilities that bypass restrictions on JavaScript API execution deserve particular attention because of how they can be used in exploiting other vulnerabilities.

"With 14 flaws related to bypassing restrictions on the JavaScript API, I expect that some attackers are having a field day leveraging the JavaScript bypasses for easier exploitation of the 10 memory corruption bugs also being fixed," Young said. "As with browser based exploits, the ability to execute JavaScript code gives attackers an edge at getting specific memory arrangements required for reliable exploitation of memory corruption bugs."
