Microsoft has just released the patches for March 2015. The details are available at https://technet.microsoft.com/library/security/ms15-mar . There are a total of fourteen patches released for March, identified as MS15-018 through MS15-031, five of which are identified as CRITICAL. The critical patches apply to the majority of Microsoft products, including Windows, Internet Explorer, Microsoft Office and server software. The critical patches could allow remote code execution if successfully exploited.
There are a total of twelve patches for Internet Explorer. As is normally the case, they are identified as CRITICAL for workstation operating systems and MODERATE for Server operating systems. As of March 10, only one of the Internet Explorer vulnerabilities has been publicly disclosed. While that vulnerability has been identified as being actively exploited, it is an elevation of privilege vulnerability as opposed to remote code execution.
Critical patches apply to the following products
One for VBScript scripting engine – https://technet.microsoft.com/library/security/MS15-019 (which in some cases also includes VBscript under Internet Explorer)
Windows Text services – https://technet.microsoft.com/library/security/MS15-020 (identified as CRITICAL for both server and workstation OSs)
Eight for Adobe font driver – https://technet.microsoft.com/library/security/MS15-021
Five for Microsoft Office – https://technet.microsoft.com/library/security/MS15-022 (two of which are elevation of privilege exploits)
Important patches apply to the following products
One for Windows Kernel mode drivers – https://technet.microsoft.com/library/security/MS15-023
One for processing of PNG images – https://technet.microsoft.com/library/security/MS15-024
One for Windows Kernel – https://technet.microsoft.com/library/security/MS15-025
One for Microsoft Exchange server – https://technet.microsoft.com/library/security/MS15-026
One for Windows NETLOGON – https://technet.microsoft.com/library/security/MS15-027
One for Windows task scheduler – https://technet.microsoft.com/library/security/MS15-028
One for Windows photo decoder – https://technet.microsoft.com/library/security/MS15-029 (information disclosure as opposed to elevation of privilege)
One for Windows remote desktop – https://technet.microsoft.com/library/security/MS15-030 (denial of service)
One for Windows Schannel – https://technet.microsoft.com/library/security/MS15-031 (FREAK attack for TLS key length downgrade).
Vendor-supplied details indicate that at least seven of the Internet Explorer vulnerabilities are likely to be successfully exploited regardless of which version of Internet Explorer is used.
Vendor-supplied details regarding https://technet.microsoft.com/library/security/MS15-019 indicate successful exploitation is possible on older versions of Windows.
With the exception of MS Office, Office Web apps and SharePoint implementations identified in https://technet.microsoft.com/library/security/MS15-022 , vendor-supplied details on the majority of the remaining bulletins indicate that successful exploitation is less likely or unlikely.
Note: MS15-022 is classified as IMPORTANT for 2007 through 2013 SharePoint implementations.
To minimize the exposure for web browsers, the AgriLife IT ISO recommendation is that all Windows workstations be patched for the Internet Explorer vulnerability as soon as possible.
It is also recommended that implementations of Windows Server operating systems be patched as soon as possible for the vulnerabilities identified in MS15-020 at a minimum. Additionally, if you have Microsoft server systems that provide MS-Office or Office Web apps, they should also be patched to address the vulnerabilities identified in MS15-022.
It should also be noted that Microsoft previously released a patch for Schannel in November 2014. It is identified as https://technet.microsoft.com/library/security/ms14-066 . It is recommended that this patch be applied immediately if it has not already been applied. The patch was originally removed following problems on some Vista and Server 2008 systems. It was re-released on approximately December 9 and no problems have since been identified.