Microsoft Patch Tuesday, September 2015

Today marks Patch Tuesday for September and this month brings with it 12 bulletins. Four are rated Critical, and eight are rated Important. Across all bulletins, a total of 55 individual CVEs are patched this month.

Of the four Critical bulletins, both Internet Explorer and the new MS Edge browser make an appearance, with seventeen vulnerabilities patched in IE and four patched in Edge. The most critical of these could allow for remote code execution if the attacker can lure a user to a maliciously crafted webpage. The other two Critical vulnerabilities are in Windows Journal and the Microsoft Graphics Component. The Journal vulnerability can result in remote code execution if a user opens a maliciously crafted Journal file, while the Graphics vulnerability can also result in remote code execution if a user opens a document or visits a website with a malicious OpenType font embedded in it.

MS15-094
CVE-2015-2483, CVE-2015-2484, CVE-2015-2485, CVE-2015-2486, CVE-2015-2487, CVE-2015-2489, CVE-2015-2490, CVE-2015-2491, CVE-2015-2492, CVE-2015-2493, CVE-2015-2494, CVE-2015-2498, CVE-2015-2499, CVE-2015-2500, CVE-2015-2501, CVE-2015-2541, CVE-2015-2542
Critical
Cumulative Security Update for Internet Explorer

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.

This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

MS15-095
CVE-2015-2485, CVE-2015-2486, CVE-2015-2494, CVE-2015-2542
Critical
Cumulative Security Update for Microsoft Edge

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.

This security update is rated Critical for Microsoft Edge on affected Windows clients.

MS15-096
CVE-2015-2535
Important
Vulnerability in Active Directory Service Could Allow Denial of Service

This security update resolves a vulnerability in Active Directory. The vulnerability could allow denial of service if an authenticated attacker creates multiple machine accounts. To exploit the vulnerability an attacker must have an account that has privileges to join machines to the domain.

This security update is rated Important for all supported editions of Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

MS15-097
CVE-2015-2506, CVE-2015-2507, CVE-2015-2508, CVE-2015-2510, CVE-2015-2511, CVE-2015-2512, CVE-2015-2517, CVE-2015-2518, CVE-2015-2527, CVE-2015-2529, CVE-2015-2546
Critical
Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.

This security update is rated Critical for:

  • All supported editions of Windows Vista, Windows Server 2008
  • All affected editions of Microsoft Lync 2013, Microsoft Lync 2010, Microsoft Live Meeting 2007
  • All affected editions of Microsoft Office 2007, Microsoft Office 2010

MS15-098
CVE-2015-2513, CVE-2015-2514, CVE-2015-2516, CVE-2015-2519, CVE-2015-2530
Critical
Vulnerabilities in Windows Journal Could Allow Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported releases of Windows excluding Itanium editions, which are not affected.

MS15-099
CVE-2015-2520, CVE-2015-2521, CVE-2015-2522, CVE-2015-2523
Important
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.

This security update is rated Important for all supported editions of the following software:

  • Microsoft Excel 2007
  • Microsoft Excel 2010
  • Microsoft Excel 2013
  • Microsoft Excel 2013 RT
  • Microsoft Excel for Mac 2011
  • Microsoft Excel for Mac 2016
  • Microsoft SharePoint Foundation 2013, Microsoft SharePoint Server 2013

MS15-100
CVE-2015-2509
Important
Vulnerability in Windows Media Center Could Allow Remote Code Execution

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Important for all supported editions of Windows Media Center when installed on Windows Vista, Windows 7, Windows 8, or Windows 8.1.

MS15-101
CVE-2015-2504, CVE-2015-2526
Important
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege

This security update resolves vulnerabilities in Microsoft .NET Framework. The most severe of the vulnerabilities could allow elevation of privilege if a user runs a specially crafted .NET application. However, in all cases, an attacker would have no way to force users to run the application; an attacker would have to convince users to do so.

This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5, Microsoft .NET Framework 4.5.1, and Microsoft .NET Framework 4.5.2 on affected releases of Microsoft Windows.

MS15-102
CVE-2015-2524, CVE-2015-2525, CVE-2015-2528
Important
Vulnerability in Windows Task Management Could Allow Elevation of Privilege

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.

This security update is rated Important for all supported releases of Microsoft Windows.

MS15-103
CVE-2015-2505, CVE-2015-2543, CVE-2015-2544
Important
Vulnerability in Microsoft Exchange Server Could Allow Information Disclosure

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if Outlook Web Access (OWA) fails to properly handle web requests, and sanitize user input and email content.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2013.

MS15-104
CVE-2015-2531, CVE-2015-2532, CVE-2015-2536
Important
Vulnerabilities in Skype for Business Server and Lync Server Could Allow Elevation of Privilege

This security update resolves vulnerabilities in Skype for Business Server and Microsoft Lync Server. The most severe of the vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL. An attacker would have to convince users to click a link in an instant messenger or email message that directs them to an affected website by way of a specially crafted URL.

This security update is rated Important for all supported editions of Skype for Business Server 2015 and Microsoft Lync Server 2013.

MS15-105
CVE-2015-2534
Important
Vulnerability in Windows Hyper-V Could Allow Security Feature Bypass

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker runs a specially crafted application that could cause Windows Hyper-V to incorrectly apply access control list (ACL) configuration settings. Customers who have not enabled the Hyper-V role are not affected.

This security update is rated Important for all supported editions of Windows 8.1 for x64-based Systems, Windows Server 2012 R2, and Windows 10 for x64-based Systems.
