Patch Tuesday Tackles Windows 10 Fixes

Microsoft welcomes its newest operating system, Windows 10, to its Patch Tuesday update cycle

Microsoft’s Patch Tuesday update for August includes fixes for a number of its products including Office and Internet Explorer.

The security update has also included for the first time Windows 10, which has been the most successful launch for Microsoft in terms of migrations to a new OS. That said, nearly half of its 14 security bulletins address vulnerabilities in Windows 10.

Windows 10

For August, Microsoft issued 14 bulletins that fixes 52 bugs across most versions of Windows, Windows Server, Internet Explorer and Office.

The fact that 40 percent of the fixes apply to Windows 10, compared to 60 percent of fixes applied to Windows 8 during its first two months of life, suggests Microsoft has done a better job to tighten things up with its new OS.

“It’s Windows 10’s first Patch Tuesday and 40 percent of the August bulletins for generic Windows apply to the newest version of the operating system,” said Qualys CTO Wolfgang Kandek. “Windows 10 fares a bit better than Windows 8, which had 60 percent in its first two months, where three out of five bulletins were applicable. In addition, there’s an exclusive bulletin for the new browser Microsoft Edge, the leaner and faster replacement for Internet Explorer that addresses three critical vulnerabilities.”

As Kandek mentioned, three bulletins are rated critical, and one the most important of these is MS15-079, which tackles 13 vulnerabilities in Internet Explorer. But another critical bulletin MS15-081 addresses Microsoft Office, and that flaw could also give an attacker control over the targeted machine.

MS15-085 meanwhile tackled zero-day vulnerability in the Mount Manager of Windows.

According to Qualys’s Kandek, it is triggered through a USB stick that gets inserted into the machine and can be used to run code on the target machine. He warned that public exploitation has been detected, and this is a high priority update for all machines not in controlled environments.

“August’s Patch Tuesday releases are full of scary sounding bulletins like ‘Vulnerability in Mount Manager Could Allow Elevation of Privilege’ and ‘Vulnerabilities in RDP Could Allow Remote Code Execution,’ but when reviewing the details it becomes clear that they are nowhere near as serious as they might sound,” said Craig Young, security researcher at Tripwire.

“The ‘remote’ execution flaws described in MS15-082 are only possible if the attacker already has access to get a DLL file loaded into the victim’s current working directory and then loads a .RDP file,” said Young. “ While this could certainly be exploited in the wild, it will require some level of user interaction for a successful attack.”

Edge Fix

“This Patch Tuesday is a month of firsts, more than people may initially realise,” added Tyler Reguly, manager of security research at Tripwire.

“This is the first Patch Tuesday: without Windows Server 2003, with a Windows 10 patch as previous patches were included in re-releases, with a Windows System Center 2012 Operations Manager bulletin and with Edge updates,” said Reguly.

Microsoft confirmed in late March that Project Spartan (or Edge as it is now called) would be included in Windows 10.

It ran a generous bug bounty program that offered rewards of between $500 and $15,000 to anyone discovering flaw in the browser during the summer.

What do you know about Windows 10? Try our quiz!