The real news, however, could be in a separate advisory in which it continues to deprecate the outdated RC4 encryption algorithm. If you are a consumer, you will receive this update as part of the Windows 10 update process.
Advertisement
The move is timely as the industry continues to move away from weakened encryption. Continuous improvements to processing speeds and availability and tweaks to existing attacks put weak encryption within reach of well funded criminal or state-sponsored operations.
There are only six new security bulletins this month from Microsoft, and only three of them are rated as Critical by Microsoft, but the potential scope and impact of the underlying vulnerabilities has security experts stressing the importance of applying the updates sooner rather than later. While the flaws are the same, the scope is a bit smaller, with only Windows Vista and Windows Server 2008 being affected.
While Microsoft has discussed that the end of the company’s traditional monthly security update release is on the horizon, this month it’s business as usual. “The more severe of the vulnerabilities could allow remote code execution if an attacker hosts a specially crafted website that is created to exploit the vulnerabilities through Internet Explorer (or leverages a compromised website or a website that accepts or hosts user-provided content or advertisements) and then convinces a user to view the website”.
“With the number of JScript and VBscript related vulnerabilities addressed this month, Microsoft needs to adopt a disabled by default strategy with those technologies until they can be removed entirely”, Kuzma said. Home windows Server 2008 and 2012 are additionally affected, however the vulnerabilities are rated as average due to the restricted mode wherein Web Explorer runs on these techniques. One outlines 56 critical vulnerabilities affecting Acrobat and Reader that could allow attackers to gain remote access to a system. In other words, much of the Microsoft ecosystem is vulnerable to these remote code execution flaws.
MS15-111 is for all versions of Windows as it patches Windows kernel to prevent elevation of privilege. Craig Young, computer security researcher with Tripwire Inc.’s Vulnerability and Exposures Research Team, based in Portland, Ore., said this month was also special because none of the vulnerabilities patched had known zero day exploits.
The patch modifies how IE, JScript and VBScript deal with objects in reminiscence, and provides further permission validations to IE, Microsoft mentioned.
Advertisement
The penultimate update for October is MS15-110, which attempts to address six vulnerabilities in Microsoft Office (PC versions 2007 to 2013, and 2011 to 2016 for Mac) that could lead to remote code execution scenario.
