Microsoft has just released the patches for October. The details are available at http://technet.microsoft.com/en-us/security/bulletin/ms15-oct
There are a total of six bulletins being released. Three of the bulletins being patched are identified as CRITICAL and the remainder are classified as IMPORTANT. However, one of the bulletins classified as IMPORTANT by Microsoft (MS15-110) is identified as being CRITICAL by ISC.SANS.org (see below). Vulnerabilities being patched in bulletins MS15-106, MS15-108 through MS15-110 could allow remote code execution if successfully exploited. Additionally, MS15-109 is classified as CRITICAL even for Server core only installations of Microsoft Server operating systems.
Remote code execution exploits are commonly used via drive by (web page) exploits or email attachments to compromise workstation operating systems. In the case of Windows or Office vulnerabilities, remote code execution is exploitable via specially crafted files or media content. The majority of the remote code execution vulnerabilities are exploitable via memory corruption compromises. Other mechanisms of compromise could allow the following exploits: Elevation of Privilege, or Information Disclosure.
The October bulletins are identified as MS15-106/MS15-111
CRITICAL patches for October
The CRITICAL vulnerabilities apply to Windows, Internet Explorer, Edge (Windows 10 browser), Office, Office Services and Web apps, and Microsoft Server software and could allow remote code execution if successfully exploited.
IMPORTANT bulletins apply to Windows 10 Edge and Windows Kernel.
MS15-106 – Internet Explorer – Remote Code Execution – CRITICAL
There are a total of fifteen vulnerabilities being patched in Internet Explorer (not all of which are designated as critical). Seven of the fifteen vulnerabilities would allow a critical remote code execution if successfully exploited (on workstations) and in some aspect, apply to all current supported versions of Internet Explorer.
As of this time, only one of the fifteen Internet Explorer Remote Code Execution vulnerabilities has been publicly disclosed. However, exploits of the vulnerability have yet to materialize.
Note: The vulnerabilities are classified as MODERATE for Server operating systems such as Windows Server 2008 (32, 64 bit and Itanium), Server 2008R2, Server 2012 and Server 2012R2.
MS15-107 – Windows 10 – Microsoft Edge – Remote Code Execution – IMPORTANT
There are two vulnerabilities being patched in the Edge web browser that ships with Windows 10. The vulnerabilities could allow information disclosure or the bypass of a security feature (cross site scripting filter – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6058 ) if successfully exploited on Windows 10 workstations. Notes from Microsoft indicate successful exploitation of these vulnerabilities are unlikely.
MS15-108 – JScript/VBScript scripting engines – Remote Code Execution – CRITICAL
There are four vulnerabilities being patched for version 5.8 of the JavaScript and Visual Basic Script scripting engine for Windows Server 2008 and Windows Vista. The vulnerabilities could allow remote code execution (for CVE-2015-2482 and CVE-2015-6055), Security Feature Bypass (for CVE-2015-6052) or Information Disclosure (for CVE-2015-6059) if successfully exploited.
Successful exploitation of the vulnerabilities is more likely for the remote code execution condition associated with CVE-2015-2482 and CVE-2015-6055 and less so for the other two vulnerabilities.
As of this time, according to Microsoft details of the vulnerability have not been released publicly, nor have any active exploits have been identified.
MS15-109 – Windows shell – Remote Code Execution – CRITICAL for ALL current operating systems including server core only installs
There are two remote code execution vulnerabilities being patched in Windows shell. Exploitation of the vulnerability would require a user opening a specially crafted toolbar object or an attacker convinces a user to view specially crafted online content.
As of this time, it is unknown if details of the vulnerability have been released publicly. It does not appear any active exploits have been identified.
MS15-110 – Office, Office Services and Web Apps, and Microsoft Server Software – Remote Code Execution – CRITICAL
There are six vulnerabilities being patched for Microsoft Office apps. Four of the vulnerabilities could allow remote code execution (on Office Desktop apps or on Microsoft Services and Web apps) if successfully exploited. For SharePoint Server 2007, 2010 and 2013 implementations, the vulnerabilities could allow either Information Disclosure, Security Feature Bypass or spoofing to take place. Currently, the SANS institute classifies this bulletin as CRITICAL – https://isc.sans.edu/forums/diary/October+2015+Microsoft+Patch+Tuesday/20245/ .
As of this time, information provided by Microsoft indicates the details have not been disclosed publicly nor has exploit code been potentially identified.
MS15-111 – Windows Kernel – Elevation of Privilege – IMPORTANT
There are four elevation of privilege and one security feature bypass (for Windows 8, 8.1, Windows RT and RT 8.1, Windows 10, Server 2012 and Server 2012R2 including server core only) vulnerabilities being patched in Windows Kernel. As of this time, information provided by Microsoft indicates the details have not been disclosed publicly nor has exploit code been potentially identified.
With regard to the security feature bypass vulnerability, for successfully exploitation, an attacker must have administrative privileges or physical access to the target device.
Adobe products
On Oct 8, one patch was released for Adobe Acrobat/Reader
Details for the Adobe Acrobat/Reader patches are available at https://helpx.adobe.com/security/products/reader/apsb15-24.html
Additionally, on October 13, one patch was released Adobe Flash. Details for the Flash patch are available at – https://helpx.adobe.com/security/products/flash-player/apsb15-25.html
AgriLife ISO Recommendation
Considering the fact that the Internet Explorer vulnerabilities are likely to be exploited in the near future, it is recommended that the October patches for Microsoft be applied as soon as possible to workstation and also server systems following appropriate testing.
Update Oct 14 8:00 a.m.
I would also add that the patches for Acrobat/Reader alone address 56 vulnerabilities according to SANs – https://isc.sans.edu/forums/diary/Adobe+Updates+Acrobat+and+Adobe+Reader/20247/
Also, as I have said before, please remove Adobe Flash from all systems that don’t require it. The version of flash that was just released yesterday, already has been determined to having a zero day vulnerability that is actively being exploited –
http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-patched-adobe-flash/
New zero-day exploit hits fully patched Adobe Flash
Attacks used to hijack end users’ computers when they visit booby-trapped sites
Update 2 – Oct 15 8 am
Adobe has indicated they will likely update flash with a new version sometime during the week of Oct 19-23