Microsoft patches Windows, IE, Office, SharePoint

This month Microsoft has released 14 new bulletins, 5 of which are rated as Critical and 9 as Important.

In a déjà vu from last month, a critical remote code execution vulnerability (MS15-018) affecting all supported Internet Explorer versions (6-11) is being patched; the update addresses 12 CVEs. The patch addresses issues with Internet Explorer’s memory management that could allow the remote corruption of memory and result in the execution of malicious code as the current user. As always, users should be mindful of phishing campaigns that may attempt to leverage this vulnerability.

Also released this month is MS15-022, a remote execution vulnerability in a cross-platform component of Office. This affects all supported versions of MS Office, docx/xls viewers, SharePoint and Office Web Apps.

Bundled into this bulletin is a fix for a set of cross-site scripting (XSS) vulnerabilities, namely CVE-2015-1633 and CVE-2015-1636. Applying these fixes will likely be the most time-consuming patch for administrators, as it may require a restart of critical SharePoint infrastructure systems.

MS15-026 is an XSS vulnerability in OWA that enables a privilege escalation attack and affects all editions of Exchange Server 2013; its severity is listed as “Important” and it doesn’t require a system restart. Hopefully this will translate to a quick win for administrators, as this patch contains only fixes for the issue being addressed and doesn’t bundle in additional enhancements.

Microsoft has released update 3044132 as an enhancement to security advisory 2755801, which further addresses issues in Adobe Flash affecting Internet Explorer 10 and 11. Further details will be provided in Adobe’s security bulletin APSB15-05, which is scheduled for release on March 12th.

Author: David Picotte, manager of security engineering at Rapid7.
