Patch Tuesday Delivers Critical Repairs To Office, Windows

Microsoft releases large security update, reflecting the growing volume of patches from all vendors in 2015

Microsoft’s security team remains busy after Redmond delivered another large Patch Tuesday update for the month of April, with 11 bulletins addressing 26 vulnerabilities.

It comes after last month’s large security update that delivered 14 bulletins, covering 43 vulnerabilities, including a patch for a legacy encryption flaw dubbed FREAK.

Growing Volume

The high volume of patches so far in 2015 was noted by Wolfgang Kande, CTO of Qualys in a blog posting.

“April’s Patch Tuesday continues the 2015 trend of high volume patches. This month we have a full set of 11 patches from Microsoft addressing 26 vulnerabilities,” blogged Kande. “The vulnerabilities affect Windows and Office on both servers and workstations.”

He noted that software from Oracle, Adobe, Mozilla and Google Chrome also has to be patched as a result of last month’s PWN2OWN competition in Vancouver, making it a busy time for security teams and system administrators.

“Every defensive IT security professional will have their work doubled this month,” wrote Kande.

Microsoft has published 11 bulletins (MS15-032 to MS15-042) in April, with four of them critical. According to Kande, the number one priority to patch is MS15-033, the Office bulletin, as it resolves five Remote Code Execution (RCE) vulnerabilities, including a 0-day flaw.

“CVE-2015-1641 is that 0-day and is currently under limited attacks in the wild on Word 2010,” wrote Kande. “It applies equally to Word 2007, 2012 and even to Word 2011 on the Mac. The exploit requires the user to open a malicious file. This is a very low security barrier at most organisations as it is part of the job for employees to open Word DOCX files and they have come to trust the format. The attacker will send an email with the malicious file attached or linked. If the email is worded well, click/opening rates over 10 percent are guaranteed.”

Kande’s number two patch is MS15-034, an RCE vulnerability that is especially important if an organisation runs Windows-based web servers on the Internet. “The bulletin addresses vulnerability CVE-2015-1635 in the HTTP stack on Windows server 2008 and 2012, also affecting Windows 7 and 8,” Kande noted.

Another important bulletin is MS15-032, the update for Internet Explorer. Microsoft confirmed last month that the next version of Windows will not feature the traditional Internet Explorer browser, but instead the newly-developed ‘Project Spartan’ browser.

Other Vendors

In the meantime, the MS15-032 bulletin addresses 10 vulnerabilities, nine of them rated critical. All versions of Internet Explorer, from IE6 on Windows 2003 to IE11 on the latest Windows 8.1, are affected.

Kande’s last critical bulletin is MS15-035, which resolves a vulnerability in the EMF graphics format.

“The remaining bulletins are of lower severity covering vulnerabilities in Windows, Sharepoint and .NET and Hyper-V,” noted Kande. “They should be addressed within your normal patch cycle.”

He then went on to remind system administrators to watch out for a large patch set from Oracle that deals with 100 vulnerabilities. Adobe, Google, and Mozilla are also readying their own security updates.
