After a year that saw 135 bulletins from Microsoft, the tech giant released 12 bulletins, eight of them critical, in the final Patch Tuesday of 2015.
One of the bulletins addresses a zero-day vulnerability that is being used by attackers “to escalate privilege” in Windows, Wolfgang Kandek, CTO at Qualys, said in a Tuesday blog post.
Calling the release “about average, with maybe a bit more severity” than is typical, Kandek noted that Microsoft didn't provide additional information on MS15-135, which was released for the zero day found in the Windows kernel, but its severity gave it a top berth on Qualys' priority list.
Chris Goettl, product manager with Shavlik, agreed, noting that Microsoft only rated the vulnerability as important but it should be treated as high-priority. “An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode,” he said in comments emailed to SCMagazine.com. “At that point, they could install programs, view, change or delete data or create new accounts with full user rights.”
As with kernel updates, “thorough testing is highly recommended,” he said.
Three of the updates are aimed at browsers (MS15-124 - Internet Explorer, MS15-125 - Edge and MS15-126 - JavaScript libraries in Vista and Windows Server 2008), and address an impressive 30 issues, some of which Kandek said were “critical leading to remote code execution (RCE).”
Microsoft Office was also in the crosshairs, with MS15-131 pegged by the tech company as critical, which is “rare,” according to Kandek. He said “that a vector exists to abuse the vulnerability with no user interaction.” The bulletin takes aim at critical Outlook vulnerability CVE-2015-6172 “triggered by maliciously formatted e-mail message,” Kandek said. He recommended patching the vulnerability quickly because no reasonable workaround exists: Microsoft recommends turning off the preview pane, which Kandek said is “the digital equivalent of ‘Just don't do it.'”
Other critical vulnerabilities include a font handling issue in the Windows Graphics system, addressed by MS15-128, and issues in Silverlight and Uniscribe, addressed by MS15-129 and MS15-130, respectively.
“MS15-128 and MS15-129 are a reminder of the wide attack surface exposed by Silverlight,” Craig Young, cybersecurity researcher for Tripwire, said in comments emailed to SCMagazine.com. “With malvertising on the rise, even reputable sites cannot always be assumed free from malicious content so patching these holes should be very high priority, along with the IE and Edge bulletins.” He advised that some administrators consider taking the further step of using “ad-blocking technology on corporate workstations.”