Microsoft has issued its monthly batch of security patches, which contains updates for forty-six vulnerabilities in Windows, IE, and Office.
Three of the patches have been marked as critical and ten as important. The critical ones, MS15-043, MS15-044 and MS15-045, address remote code execution flaws in Windows, Office, IE, Microsoft Lync, Microsoft’s .NET framework and Silverlight.
MS15-043 alone fixes twenty-two bugs in IE, fourteen of which are flagged as critical, according to an email from Wolfgang Kandek of the security firm Qualys.
Such critical vulnerabilities in Internet Explorer permit cyber criminals to execute arbitrary code on the affected machine if the PC user visits a malicious web page. Needless to say, attackers rely on a variety of methods to achieve this.
The good news is that not all vulnerabilities of this type are being exploited by hackers. Research shows that in 2014 only 5% of them were exploited in actual attacks.
What experts find most challenging is predicting which 5% would be targeted.
MS15-044 addresses two flaws in a font parsing library that is used in a number of Microsoft products. Cyber criminals can easily exploit them by embedding a specially crafted font in web pages or documents. Kandek urges users to patch these vulnerabilities as soon as possible. He explains that attackers are now significantly quicker than before in adopting exploits for commonly used programs.
Corporate users should also learn to patch quickly, because Microsoft is about to begin issuing updates for Windows 10 the moment they are ready rather than on a fixed schedule.
A new service, Windows Update for Business, will give companies the option to delay the process for some systems.
It is a well-known fact that attackers can reverse engineer patches in order to discover the bugs and find a way to exploit them, so companies should not delay patches for an extended period.