September 2015 Patch Tuesday: More critical Microsoft Office fixes

Microsoft's September 2015 Patch Tuesday is available now and includes five critical bulletins, two of which tackle remote code execution flaws affecting Microsoft Office.

Microsoft's September 2015 Patch Tuesday fixes, released today, include 12 total bulletins, five of which target critical remote code execution vulnerabilities in various products.

At the top of the list, according to experts, are the critical bulletins that affect Microsoft Office. MS15-097 details vulnerabilities in the Microsoft Graphics Component, which could allow remote code execution (RCE) if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.

The most serious patch is for a Graphics Component buffer overflow vulnerability (CVE-2015-2510) that is rated critical for Microsoft Lync, Office 2007 and 2010, as well as Windows Vista and Server 2008. The flaw is in how the Windows Adobe Type Manager Library handles OpenType fonts. It could be exploited by convincing a user to open a specially crafted document or to visit an untrusted webpage that contains embedded OpenType fonts. Microsoft notes that a successful exploit would allow an attacker to install programs; view, change or delete data; and create new accounts, with full user rights.

Craig Young, computer security researcher with Tripwire Inc.'s Vulnerability and Exposures Research Team, based in Portland, Ore., said this bulletin should serve as a warning about upgrading systems.

"[This vulnerability] would have no security impact [on] Windows 7 or later systems," Young said. "Although Microsoft does not provide a technical reason for this, it seems likely that general security hardening in the newer platforms blocked this attack vector before it was even known, giving yet another reason for administrators to not only stay up to date with patches, but also to maintain a current-generation operating system."

MS15-099 is another bulletin for an RCE vulnerability that affects all supported versions of Microsoft Office. The most critical flaw in this bulletin could be exploited if a user is convinced to open a malformed EPS image file. Microsoft said most exploit vectors require a user to open a specially crafted file, but Wolfgang Kandek, CTO at Qualys Inc., based in Redwood City, Calif., said that can be done easily.

"Attackers would typically trick users into opening these files by disguising them as something harmless and interesting," Kandek noted, "say, a resume for an open position listed on your site, an article about a subject that is interesting to you, or an offer for a free membership or other benefits to some of your users."

Young agreed that the ease of delivery for an exploit of this vulnerability means organizations should make it a point to educate users about these risks.

"In general, MS15-099 should serve as a reminder to users not to use caution when opening documents received via email or downloaded from the Web," Young said. "The file formats processed by Microsoft Office tools and similar programs are so complex that there is, quite literally, a never-ending stack of vulnerabilities. New issues are always being disclosed and fixed, but it is likely that this is just the tip of a very large iceberg, with perhaps far more vulnerabilities being quietly exploited without public disclosure."

As is expected in each Patch Tuesday release, there is a bulletin for the various fixes released for Internet Explorer (MS15-094), but now, there is also a bulletin for the new Microsoft Edge browser (MS15-095) for those using Windows 10. The critical vulnerabilities in Edge are also included in the IE patches, and all vulnerabilities are rated as critical RCE flaws on supported Windows clients. However, those same vulnerabilities in IE are only rated as moderate on Windows Server, because IE runs in an Enhanced Security Configuration restricted mode by default, which mitigates some risk.

The final critical bulletin (MS15-096) covers a Windows Journal flaw that could allow for remote code execution if a user were to open a specially crafted Journal file. The flaw affects all supported versions of Windows, but experts noted that Journal is not used by many, so this bulletin is only a high priority for organizations using Windows Journal.

Experts noted two bulletins labeled as important should be kept in mind for enterprises running Active Directory (MS15-096) or Outlook Web Access features of Exchange server (MS15-103). The Active Directory flaw could allow denial of service if an authenticated attacker creates multiple machine accounts, but Microsoft said an attacker must have an account that has privileges to join machines to the domain in order to exploit this vulnerability. The Exchange Server vulnerability could allow information disclosure if Outlook Web Access fails to properly handle Web requests, as well as sanitize user input and email content.

Besides the Microsoft Office fixes and other critical patches, the remaining bulletins -- MS15-100, MS15-101, MS15-102, MS15-104 and MS15-105 -- address vulnerabilities in Windows Media Center, .NET, Windows Task Manager, Skype for Business and Hyper-V. The potential exploit impact of each includes remote code execution, elevation of privilege, information disclosure and security bypass. But all are rated important, meaning they can only be abused if the attacker is already on the machine.
