No zero-day flaws to be fixed in Microsoft’s latest security update, but critical fixes should be implemented ASAP
The Patch Tuesday update for October is the first update this year from Microsoft that does not feature a patch for a zero day exploit, although 19 vulnerabilities have been tackled.
And the relatively light load of patches this month will no doubt please systems administrators, but 2015 has so far seen a record number of patches as the threat landscape worsens.
“Its official, a record has been set for the most bulletins released by Microsoft in a single year,” said Tyler Reguly, manager of security research at Tripwire. “In 2013, we saw 106 bulletins released, this month we hit 111 for 2015 and we still have two Patch Tuesdays left.”
Half of the vulnerabilities are critical, and according to Tripwire, all of the Critical bulletins (MS15-106, MS15-108, MS15-109) are remote code execution issues affecting Internet Explorer, the Edge browser, VBScript & JScript Engines, Windows Shell, Office, Office Services and apps, as well as Microsoft Server Software.
“Network administrators should be relieved this month to learn that none of the vulnerabilities being patched are remotely exploitable,” said Craig Young, security researcher at Tripwire. “This is a pretty standard mix of web and file format vulnerabilities requiring some degree of user interaction or user error. But with users being the biggest risk to a corporate network, these patches should be deployed without undue delay.
“This month’s updates are pretty ho-hum, we’ve got a list of entirely typical updates. Given that this month is so light, it’ll be interesting to see what November has in store for us,” added Reguly. “That said, sys admins shouldn’t take the light month to mean they can sit back and take a break. We still have a number of vulnerabilities that should be patched, so updates should be applied following regular schedules.”
Light, But Important
Qualys CTO Wolfgang Kandek also backed up the point about the necessity for system admins to be diligent in their patching.
“October’s patch bulletin maybe a light edition but pretty much everyone is affected this month as most versions of Internet Explorer, Windows and Office are at risk – and many of the vulnerabilities identified could lead to Remote Code Execution,” said Kandek.
Kandek said thathighest priority patch is for Internet Explorer (MS15-106), which brings 15 fixes, nine are critical and could lead to RCE. The second most important fix is MS15-110, which addresses six issues in Office (mostly Excel) with five resulting in RCE
Other important patches are MS15-109, which tackles a vulnerability in Windows shell, and MS15-107 and MS15-108, which are related to the Internet Explorer bulletin.
What do you know about Windows 10? Try our quiz!