Number: IRCNE2015032450
Date: 2015/03/16
According to “zdnet”, this month's Patch Tuesday is one of the biggest in recent memory, with 14 separate security-related updates going out via Microsoft's update channels. All but two of the updates are for Windows. (Depending on your OS, you'll find a large number of non-security-related updates as well. More details on those when I get them.)
Five updates (four for Windows and one for Office) are rated Critical. The remaining nine are rated Important, all for Windows except for a lone Exchange Server patch.
Two of the fixes are for vulnerabilities that have already been publicly disclosed. The good news for Microsoft's Security Response team is that they've cleared all open issues from the Google Project Zero list.
MS15-018 is a Cumulative Security Update that addresses an even dozen vulnerabilities and affects all supported versions of Internet Explorer. It includes the fix for a cross-site scripting vulnerability that was publicly disclosed prior to February's Patch Tuesday but didn't make last month's fixes.
MS15-019 repairs a scripting vulnerability in some older Windows versions; it doesn't affect Windows 7 and later desktop versions or the equivalent server versions, Windows Server 2012 and 2012 R2.
MS15-020 fixes a flaw in the way Microsoft Text Services handles objects in memory and how Microsoft Windows handles the loading of DLL files.
MS15-021 addresses an issue with the Adobe Font Driver. Both vulnerabilities could theoretically allow remote code execution, although Microsoft's summaries say that possibility is unlikely.
MS15-022 applies to all supported Microsoft Office versions (2007, 2010, and 2013), as well as the server-based Office Web Apps and SharePoint Server products. It fixes three known vulnerabilities in Office document formats as well as multiple cross-site scripting issues for SharePoint Server. The worst outcome allows remote code execution.
And then there's MS15-031, which fixes the widely publicized (and cross-platform) Schannel vulnerability, more popularly known as the FREAK technique. This update means Microsoft and Apple platforms are secured, while vulnerable Android versions have yet to be patched. (Update: It took about 36 hours extra, but this patch is now available for Internet Explorer in Windows 10 Technical Preview build 9926. It's reasonable to assume the fix will be built into the next preview release.)
Systems with Internet Explorer 11 (which includes all Windows 8.1 installations) are also receiving an update to the built-in Flash Player code. The security issues fixed by this update are addressed in a separate bulletin, not yet available from Adobe. Oh, and this month's update to the Malicious Software Removal Tool reportedly removes the unwanted Superfish certificate from Lenovo PCs.
- 4