All Versions of Windows Susceptible to Critical Vulnerabilities
Microsoft has just released six security updates as part of this week's Patch Tuesday, three of which were labeled “critical” while the others were filed under “important.”
Microsoft’s latest bulletin, MS15-106, is considered to be critical for Internet Explorer (IE) and affects all versions of the Windows operating system.
The latest Windows update addresses a vulnerability in the way IE handles objects in memory. If successfully exploited, it gives attackers complete access to the machine with the same user rights as the logged-in user.
An attacker could potentially “take advantage of compromised websites, and websites that accept or host user-provided content or advertisements,” the security advisory published Tuesday warns. “These websites could contain specially crafted content that could exploit the vulnerabilities.”
Exploiting the flaw is quite simple: the IE user only has to click a malicious link, which attackers can then leverage to gain full control over machines not yet patched.
For currently supported operating systems, Microsoft has released security patches for Windows Vista, 7, 8, 8.1 and Windows 10. These vulnerabilities are serious and patches should be installed immediately.
If you are unsure whether the PC you’re using has been patched, or you know it is running an outdated version, refrain from using older versions of Internet Explorer and from clicking shady links that may land you on a malicious webpage.
The other two critical bulletins, MS15-108 and MS15-109, address two other critical vulnerabilities found within Windows.
Bulletin MS15-108 addresses four vulnerabilities including one Remote Code Execution (RCE) vulnerability in the operating system. The patch resolves vulnerabilities in the VBScript and JScript scripting engines in Windows.
“The more severe of the vulnerabilities could allow remote code execution if an attacker hosts a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer (or leverages a compromised website or a website that accepts or hosts user-provided content or advertisements) and then convinces a user to view the website,” Microsoft wrote in its security advisory.
Microsoft’s third and final critical patch, MS15-109, also addresses Remote Code Execution vulnerabilities within Windows and includes a security update for the Windows Shell.
The patched vulnerability could be exploited if a user opens a maliciously crafted toolbar object in Windows, or if an attacker tricks unsuspecting victims into visiting maliciously crafted webpages.
The company has also released three other patches marked important, MS15-107, MS15-110 and MS15-111, all addressing vulnerabilities within Microsoft’s Edge Browser, Office, Office Services, Web Apps and Servers.
All of the patches released this Tuesday should be installed as soon as possible, and we urge all administrators and home users to do so.
You can install Microsoft’s latest patches by opening the Windows Control Panel and clicking Review your computer status; Updates should be found within that panel.