Skip to content ↓ | Skip to navigation ↓

Today’s VERT Alert addresses 6 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-638 on Wednesday, October 14th.

 

Ease of Use (published exploits) to Risk Table

Automated Exploit
Easy
Moderate
Difficult
Extremely Difficult
No Known Exploit
MS15-107 MS15-106
MS15-108

MS15-109
MS15-110 MS15-111
Exposure
Local
Availability
Local
Access
Remote
Availability
Remote
Access
Local
Privileged
Remote
Privileged

 

MS15-106

Multiple Internet Explorer Memory Corruption Vulnerabilities MULTIPLE
Multiple Scripting Engine Memory Corruption Vulnerabilities MULTIPLE
Multiple Internet Explorer Elevation of Privilege Vulnerabilities MULTIPLE
Multiple Internet Explorer Information Disclosure Vulnerabilities MULTIPLE
VBScript and JScript ASLR Bypass CVE-2015-6052
Scripting Engine Information Disclosure Vulnerability CVE-2015-6059

MS15-107

Microsoft Edge Information Disclosure Vulnerability CVE-2015-6057
Microsoft Edge XSS Filter Bypass CVE-2015-6058

MS15-108

Scripting Engine Memory Corruption Vulnerability CVE-2015-2482
VBScript and JScript ASLR Bypass CVE-2015-6052
Scripting Engine Memory Corruption Vulnerability CVE-2015-6055
Scripting Engine Information Disclosure Vulnerability CVE-2015-6059

MS15-109

Toolbar Use After Free Vulnerability CVE-2015-2515
Microsoft Tablet Input Band Use After Free Vulnerability CVE-2015-2548

MS15-110

Microsoft SharePoint Information Disclosure Vulnerability CVE-2015-2556
Microsoft SharePoint Security Feature Bypass CVE-2015-6039
Microsoft Office Web Apps XSS Spoofing Vulnerability CVE-2015-6037
Multiple Microsoft Office Memory Corruption Vulnerabilities MULTIPLE

MS15-111

Multiple Windows Kernel Elevation of Privilege Vulnerabilities MULTIPLE
Trusted Boot Security Feature Bypass Vulnerability CVE-2015-2552
Windows Mount Point Elevation of Privilege Vulnerability CVE-2015-2553

MS15-106

This month starts like every other month… with a critical update for Internet Explorer. As people are looking at which IE patches apply to their environment, it’s probably a good time to start reminding everyone that the support policy for IE changes in January 2016. The good news that comes with this month’s IE update is that none of the vulnerabilities are known to have been exploited yet, however, one of them was publicly disclosed.

MS15-107

Along side every Internet Explorer update, we also have an Edge update now that we have two browsers. This month, however, there’s no overlap in the CVEs; each product contains unique vulnerabilities.

MS15-108

Up next, we have 4 vulnerabilities affecting VBScript and JScript. All of these vulnerabilities appear in both MS15-108 and MS15-106. Both advisory pages include a table helping you determine which of the updates apply to your system.

MS15-109

There are two vulnerabilities resolved in the bulletin entitled ‘Security Update for Windows Shell’; one fixes the Tablet Input Band and the other resolves an issue with toolbar objects. It’s important to note that the Tablet Input Band vulnerability could be exploited via Internet Explorer.

MS15-110

The penultimate bulletin this month addresses a number of Office related vulnerabilities. Its important to note that there are updates included for Office (including Office 2016), SharePoint, and Office WebApps. Excel is the targeted product for most of these patches.

MS15-111

The final update this month covers a series of vulnerabilities related to the Windows Kernel. This includes an issue with Windows Mount Point, a bypass for Trusted Boot, and a number of elevation of privilege issues. The Trusted Boot bypass has been publicly disclosed but, according to Microsoft, there are no current attacks targeting the issue.

Additional Details

Adobe has released APSB15-24 to address multiple vulnerabilities in Adobe Reader and Acrobat and APSB15-25 to address multiple vulnerabilities in Adobe Flash Player.

 

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.