56 vulnerabilities in its different products. The bulletins include five critical updates, out of which two address vulnerabilities in all versions of Windows.
The September Patch Tuesday update (released on second Tuesday of each month) makes a total of 105 Security Bulletins being released this year; which is more than the previous year with still three months remaining for the current year to end.
The reason for the increase in the total number of security bulletins within such less time might be because of Windows 10 release and its installation reaching to a score of 100 million.
Starting from MS15-094 to MS15-105 (12 security bulletins) Microsoft rates the severity of the vulnerabilities and their impact on the affected software.
Bulletins MS15-094 and MS15-095 are the cumulative updates, meaning these are product-specific fixes for security related vulnerabilities that are rated as 'critical' by Microsoft.
Bulletins MS15-097 to MS15-099 are also rated as the most critical vulnerabilities with the impact leading to remote code execution (RCE) of the affected software.
PATCH UPDATE: CRITICAL FLAWS
1. Cumulative Security Update for Internet Explorer (MS15-094) was present in Internet Explorer 7 through Internet Explorer 11 and was rated 'Critical' on Windows clients and 'Moderate' on Windows servers.
The vulnerability could allow an attacker to gain administrative user rights of the victim when the user visits a specially crafted web page set up by the attacker.
The security update addresses the flaws by:
- Modifying how Internet Explorer (IE) handles objects in memory
- Modifying how IE, JScript, and VBScript handle objects in memory
- Helping to ensure that IE correctly permits file operations
2. Cumulative Security Update for Microsoft Edge (MS15-095) is for the Microsoft's Edge browser of the newly released Windows 10 where the severity rating is critical for all the Windows 10 clients.
The vulnerability was exactly the same as MS15-094 but was present in both Windows Edge and Internet Explorer. The update addresses the flaws by modifying how Microsoft Edge handles objects in memory.
3. RCE Vulnerabilities in Microsoft Graphics Component (MS15-097) allows an attacker to implement remote code execution when the victim accesses specially crafted document or visits an untrusted web page that contains Embedded OpenType fonts (.eot).
This security update is rated 'Critical' for:
- All supported versions of Windows Vista and Windows Server 2008
- All affected versions of Microsoft Lync 2013, Microsoft Lync 2010, and Microsoft Live Meeting 2007
- All affected versions of Microsoft Office 2007 and Microsoft Office 2010
The vulnerability was resolved by how:
- Windows Adobe Type Manager Library handles OpenType fonts
- Windows kernel-mode driver handles objects in memory
- Windows validates integrity levels to prevent inappropriate process initialization
- Windows kernel handles memory addresses
4. RCE Vulnerabilities in Windows Journal (MS15-098) lets an attacker remotely execute malicious code if a user opens a specially crafted Journal file.
This security update is rated Critical for all supported releases of Windows operating system and addresses the issues by modifying how Windows Journal parses Journal files.
5. RCE Vulnerabilities in Microsoft Office (MS15-099) allows an attacker to exploit the vulnerability present in the Microsoft's Office Suite by gaining access to the victim (user having administrative rights) and running arbitrary code in the name of an authorized user.
Though users with limited rights are supposedly safe, and the affected software include:
- All versions of Microsoft Office 2007
- All versions of Microsoft Office 2010
- All versions of Microsoft Office 2013
- All versions of Microsoft Office 2013 RT
The security update addresses the flaws by correcting how Microsoft Office handles files in memory and by modifying how SharePoint validates web requests.
PATCH UPDATE: IMPORTANT FLAWS
The Other remaining vulnerabilities MS15-096 and from MS15-100 to MS15-105 are rated as 'Important' on Microsoft's severity scale; those are affecting:
- Microsoft Windows various versions
- Lync messenger
- Microsoft Exchange Server
- Microsoft .NET framework...to name a few
The vulnerabilities could allow hackers to conduct attacks such as:
- Denial of Service
- Privilege escalation
- Information breach
- Other security breaks
Microsoft has acknowledged researchers at Google Project Zero, hyp3rlinx, FireEye Inc., Fortinet's FortiGuard Labs, Cisco Talos...and many more as the contributors for helping them providing adequate security to the users.
For the updates, you will have to follow the same method of downloading and installing the Windows update for your system.
TIP for Windows users: Keep your system's Windows Update settings to "Check for Updates but let me choose whether to download and install them."