
All Windows affected by critical security flaws

Researchers from FireEye, HP, Trend Micro, and Verisign, among others, were recognised by Microsoft for discovering the flaw.

MS15-107 is the cumulative patch for Microsoft Edge.

Microsoft’s monthly release of security bulletins today is a relatively light load of patches to be tested and deployed. “This is the first time in 2015 that Microsoft has not reported detected exploitation for any bulletin”.

The vulnerabilities affect Vista, Windows Server 2008 and Server Core installations of Windows Server 2008 R2.

Microsoft Windows server software is also susceptible to the flaw but not as severely due to its enhanced security mode.

MS15-106 addresses a flaw in how Internet Explorer handles objects in memory, said Microsoft. “An attacker would trick a user into opening an Excel sheet with an exploit for one of the vulnerabilities in order to be successful, which is not that hard if the Excel sheet is presented in an interesting context, say as relevant product information, pricing and discounts of competing vendors”.

The remaining critical bulletin patches a remote code execution vulnerability in Windows Shell. Still, three of the six updates are rated as Critical and contain remote code execution vulnerabilities that affect a broad range of platforms and applications across the Microsoft ecosystem.

Just like all the other patches, this one is shipped via Windows Update, so if you have this option turned on, then you don’t have to do anything else.

According to the bulletins, none of the vulnerabilities have been publicly disclosed or are being exploited. There are only six new security bulletins from Microsoft this month, and only three of them are rated as Critical, but the potential scope and impact of the underlying vulnerabilities have security experts stressing the importance of applying the updates sooner rather than later.

It addresses the remote code execution vulnerabilities by modifying how Internet Explorer, JScript and VBScript handle objects in memory.

Microsoft has issued a “critical” patch for every supported version of Windows, fixing a flaw that allows attackers to remotely control just about any version of Windows, ranging from Windows Vista to Windows 10, just by serving you a specially crafted, malware-laden web page.

One of the vulnerabilities in Internet Explorer versions 7, 8, 9, 10 and 11 (the last being the version installed in Windows 10 for both 32-bit and 64-bit systems) allowed an attacker to execute code remotely on the victim’s computer by luring them, while using Internet Explorer, to a specially crafted web site.
