In this month’s patch updates from Microsoft there’s a total of 11 bulletins – four Critical and seven Important – covering 26 separate vulnerabilities. I’m going to look at each of the four Critical updates in turn:
The first of the Critical updates from Microsoft, MS15-032, covers 10 separate vulnerabilities in Internet Explorer – nine of which are the most severe and can allow for remote code execution. However, there are two other Critical updates that you should be paying attention to – MS15-033 and MS15-034.
MS15-033 addresses five separate vulnerabilities in Microsoft Office, all of which could allow remote code execution. If that doesn’t encourage you to apply this patch, perhaps you should consider that one of the vulnerabilities within the update is currently being exploited in the wild. This is the only vulnerability in this month’s update that is known to be actively exploited.
The third Critical vulnerability has a CVSS of 10.0 from US-CERT, which is the highest rating possible. This patch should be your first priority above all others. Although the likelihood of this vulnerability being exploited is low it is a credible threat to your business and the potential damage it could cause is massive. The vulnerability can be exploited if an attacker sends a specially crafted HTTP request to an affected Windows system. Unlike the other Critical patches this month, MS15-034 requires no user interaction whatsoever, which makes it so dangerous.
The final Critical bulletin for April, like the first two this month, has a CVSS of 9.3. The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file. In all cases, however, an attacker would have no way to force users to take such actions; an attacker would have to convince users to do so, typically by way of enticements in email or Instant Messenger messages.
The remaining Important bulletins address vulnerabilities that could allow elevation of privilege, bypassing security features, information disclosures, and denial of service vulnerabilities.
What is remote code execution?
In each month’s Patch Tuesday article I’ll break down patches and vulnerabilities that Microsoft has fixed, and one of the terms that crops up most often is ‘remote code execution’. A lot of the Critical patch updates are to fix flaws that could allow remote code execution.
When a vulnerability allows for remote code execution, it means there’s the possibility for an attacker to gain access to someone else’s PC, laptop, or device, and make changes to that device regardless of where the device is located geographically. However, more often than not an attacker would need to have a user open a specially crafted email, attachment, or visit a specially crafted website in order to exploit the vulnerability.
In the table below you’ll see the patch updates sorted by the most severe according to US-CERT, and not Microsoft. US-CERT independently reviews each month’s patches and gives it’s own 0 – 10 point rating based on how likely the vulnerability is to be exploited. Microsoft has only four categories; Critical, Important, Moderate, and Low.
Interestingly, in 2015 there have been no Moderate or Low rated patch updates from Microsoft, yet US-CERT suggests there’s been at least 16 that could be considered as Moderate or Low. That’s why we suggest that you take the time to review both Microsoft’s and US-CERT’s ratings before deploying patches. It will help you prioritise the patches that are most likely to affect your systems. For example, if your organisation relies heavily on Internet Explorer then you’d be advised to prioritise MS15-032, but, if your company uses Safari for Mac, then the likelihood of an Explorer vulnerability affecting you is much less likely.
Once you’ve prioritised your patches, I would always advise that you stage your roll out by testing and piloting the updates before deploying widely. This will help identify any compatibility issues. This should be done as standard each month, which is something we’ll always do for customers and MSPs through Verismic Cloud Management Suite.