carloscastilla - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

October Patch Tuesday: The first of 2015 with no zero-day exploits

Microsoft's October 2015 Patch Tuesday has the fewest number of bulletins of any release this year, and is also the first of the year to not feature any patches related to zero-day exploits.

Microsoft released its October 2015 Patch Tuesday fixes today and it is substantially lighter than the usual patch release, featuring just six bulletins -- three of which are marked as critical.

The light Patch Tuesday has come a bit too late, as experts noted the 111 bulletins from Microsoft this year marks a new record for patches, with two months left to go. Craig Young, computer security researcher with Tripwire Inc.'s Vulnerability and Exposures Research Team, based in Portland, Ore., said this month was also special because none of the vulnerabilities patched had known zero-day exploits.

"Network administrators should be relieved this month to learn that none of the vulnerabilities being patched are remotely exploitable," Young said. "This is a pretty standard mix of Web and file format vulnerabilities, requiring some degree of user interaction or user error. It is also worth noting that there is no indication of any of the patched vulnerabilities being exploited prior to Patch Tuesday. This is the first time in 2015 that Microsoft has not reported detected exploitation for any bulletin."

MS15-106 is the Internet Explorer bulletin for October and includes patches for critical vulnerabilities that can allow for remote code execution (RCE) if a user views a specially crafted webpage. This critical bulletin affects IE versions 7 and up on Windows Vista, Windows 7, Windows 8/8.1 and Windows 10. Windows Server 2008 and 2012 are also affected, but the vulnerabilities are rated as moderate because of the restricted mode in which IE runs on those systems.

Wolfgang Kandek, CTO at Qualys Inc., based in Redwood City, Calif., said that the second most important bulletin this month is actually one that Microsoft rated as important, not critical: MS15-110. Kandek wrote in his blog that this may require user input for a successful exploit, but a bit of social engineering could make that easier for attackers.

"It addresses six issues in Office (mostly Excel), with five resulting in remote code execution," Kandek wrote. "An attacker would trick a user into opening an Excel sheet with an exploit for one of the vulnerabilities in order to be successful, which is not that hard if the Excel sheets is presented in an interesting context, say as relevant product information, pricing and discounts of competing vendors. (I get about one email a week offering this type of information.)"

This bulletin also includes a vulnerability (CVE-2015-6039), which affects Microsoft SharePoint, that has been publicly disclosed; although there have been no reported exploits, experts do suggest patching as quickly as possible.

MS15-109 covers vulnerabilities in the Windows Shell, which could allow RCE through the use of specially crafted online content. The vulnerabilities affect all supported versions of Windows and Kandek said the patch should be at the top of the list for enterprises.

The last critical bulletin of the month is MS15-108, which includes patches for vulnerabilities in the VBScript and JScript scripting engines in Microsoft Windows. The most severe vulnerabilities could allow RCE attacks via specially crafted websites, or an attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document to direct users to the malicious website.

These vulnerabilities have a slightly smaller attack surface, as they only affect Windows Vista and Windows Server 2008. But Bobby Kuzma, systems engineer for Boston-based Core Security, said this type of vulnerability may call for more aggressive mitigation from Microsoft.

"With the number of JScript and VBscript related vulnerabilities addressed this month, Microsoft needs to adopt a disabled by default strategy with those technologies until they can be removed entirely," Kuzma said. "Unfortunately, that will never happen, due to the huge legacy application technical debt held by large organizations and governments worldwide."

Lower on the importance scale are two bulletins that do not include critical patches: MS15-107, a bulletin for Microsoft's new Edge browser in Windows 10 that could allow for information disclosure; and MS15-111, a patch for the Windows kernel in all supported versions of Windows that could allow for elevation of privilege if successfully exploited.

Next Steps

Catch up on the September 2015 Patch Tuesday news here.

Learn why Internet Explorer security is such a challenge.

Dig Deeper on Microsoft Patch Tuesday and patch management