Microsoft Patch Tuesday for August 2015

Today marks Patch Tuesday for August. Almost identical to last month's list, August clocks in with 14 bulletins. Three are rated Critical and 11 rate as Important. Across all bulletins a total of 58 individual CVEs are patched this month. Internet Explorer makes its nearly guaranteed appearance with a total of 13 vulnerabilities patched.

Today is also the first Patch Tuesday for the new Windows 10 platform. Overall the platform fared rather well. Several of the bulletins that affect all other supported releases of Microsoft Windows don't include Windows 10. Of course some of those patches could have been "pre-baked" into Windows 10 before release last month.

The new Edge web browser didn't escape unscathed. The successor to Internet Explorer patches four vulnerabilities, the most critical of which could result in Remote Code Execution. Hopefully the browser won't start following its predecessor's track record of dominating the patch cycle every month.

MS15-079
CVE-2015-2423, CVE-2015-2441, CVE-2015-2442, CVE-2015-2443, CVE-2015-2444, CVE-2015-2445, CVE-2015-2446, CVE-2015-2447, CVE-2015-2448, CVE-2015-2449, CVE-2015-2450, CVE-2015-2451, CVE-2015-2452
Critical
Cumulative Security Update for Internet Explorer

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

MS15-080
CVE-2015-2431, CVE-2015-2432, CVE-2015-2433, CVE-2015-2435, CVE-2015-2453, CVE-2015-2454, CVE-2015-2455, CVE-2015-2456, CVE-2015-2458, CVE-2015-2459, CVE-2015-2460, CVE-2015-2461, CVE-2015-2462, CVE-2015-2463, CVE-2015-2464, CVE-2015-2465
Critical
Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType or OpenType fonts.

This security update is rated Critical for supported releases of Microsoft Windows and all affected editions of Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight.

MS15-081
CVE-2015-1642, CVE-2015-2423, CVE-2015-2466, CVE-2015-2467, CVE-2015-2468, CVE-2015-2469, CVE-2015-2470, CVE-2015-2477
Important
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS15-082
CVE-2015-2472, CVE-2015-2473
Important
Vulnerabilities in RDP Could Allow Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker first places a specially crafted dynamic link library (DLL) file in the target user's current working directory and then convinces the user to open a Remote Desktop Protocol (RDP) file or to launch a program that is designed to load a trusted DLL file but instead loads the attacker's specially crafted DLL file. An attacker who successfully exploited the vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Important for all supported releases of Microsoft Window except Windows 10, which is not affected.

MS15-083
CVE-2015-2474
Important
Vulnerability in Server Message Block Could Allow Remote Code Execution

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted string to the SMB server error logging.

This security update is rated Important for all supported editions of Windows Vista and Windows Server 2008.

MS15-084
CVE-2015-2434, CVE-2015-2440, CVE-2015-2471
Important
Vulnerabilities in XML Core Services Could Allow Information Disclosure

This security update resolves vulnerabilities in Microsoft Windows and Microsoft Office. The vulnerabilities could allow information disclosure by either exposing memory addresses if a user clicks a specially crafted link or by explicitly allowing the use of Secure Sockets Layer (SSL) 2.0. However, in all cases an attacker would have no way to force users to click a specially crafted link. An attacker would have to convince users to click the link, typically by way of an enticement in an email or Instant Messenger message.

This security update is rated Important for the following software:

  • Microsoft XML Core Services 3.0 and Microsoft XML Core Services 6.0 on all supported releases of Microsoft Windows except Windows 10, which is not affected.
  • Microsoft XML Core Services 5.0 on Microsoft Office 2007 Service Pack 3
  • Microsoft XML Core Services 5.0 on Microsoft InfoPath 2007 Service Pack 3


MS15-085
CVE-2015-1769
Important
Vulnerability in Mount Manager Could Allow Elevation of Privilege

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker inserts a malicious USB device into a target system. An attacker could then write a malicious binary to disk and execute it.

This security update is rated Important for all supported releases of Microsoft Windows.

MS15-086
CVE-2015-2420
Important
Vulnerability in System Center Operations Manager Could Allow Elevation of Privilege

This security update resolves a vulnerability in Microsoft System Center Operations Manager. The vulnerability could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the affected website.

This security update is rated Important for affected versions of Microsoft System Center 2012 Operations Manager and Microsoft System Center 2012 Operations Manager R2.


MS15-087
CVE-2015-2475
Important
Vulnerability in UDDI Services Could Allow Elevation of Privilege

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker engineered a cross-site scripting (XSS) scenario by inserting a malicious script into a webpage search parameter. A user would have to visit a specially crafted webpage where the malicious script would then be executed.

This security update is rated Important for all supported editions of Windows Server 2008, except Itanium editions.

MS15-088
CVE-2015-2423
Important
Unsafe Command Line Parameter Passing Could Allow Information Disclosure

This security update helps to resolve an information disclosure vulnerability in Microsoft Windows, Internet Explorer, and Microsoft Office. To exploit the vulnerability an attacker would first have to use another vulnerability in Internet Explorer to execute code in the sandboxed process. The attacker could then execute Notepad, Visio, PowerPoint, Excel, or Word with an unsafe command line parameter to effect information disclosure. To be protected from the vulnerability, customers must apply the updates provided in this bulletin, as well as the update for Internet Explorer provided in MS15-079. Likewise, customers running an affected Microsoft Office product must also install the applicable updates provided in MS15-081.

This security update is rated Important for all supported releases of Microsoft Windows.

MS15-089
CVE-2015-2476
Important
Vulnerability in WebDAV Could Allow Information Disclosure

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if an attacker forces an encrypted Secure Socket Layer (SSL) 2.0 session with a WebDAV server that has SSL 2.0 enabled and uses a man-in-the-middle (MiTM) attack to decrypt portions of the encrypted traffic.

This security update is rated Important for all supported releases of Microsoft Windows except Itanium servers and Windows 10, which are not affected.

MS15-090
CVE-2015-2428, CVE-2015-2429, CVE-2015-2430
Important
Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application or convinces a user to open a specially crafted file that invokes a vulnerable sandboxed application, allowing an attacker to escape the sandbox.

This security update is rated Important for all supported releases of Microsoft Windows except Windows 10, which is not affected.

MS15-091
CVE-2015-2441, CVE-2015-2442, CVE-2015-2446, CVE-2015-2449
Critical
Cumulative Security Update for Microsoft Edge

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Critical for Microsoft Edge on affected Windows clients.

MS15-092
CVE-2015-2479, CVE-2015-2480, CVE-2015-2481
Important
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege

This security update resolves vulnerabilities in Microsoft .NET Framework. The vulnerabilities could allow elevation of privilege if a user runs a specially crafted .NET application. However, in all cases, an attacker would have no way to force users to run the application; an attacker would have to convince users to do so.

This security update is rated Important for Microsoft .NET Framework 4.6 on all supported releases of Microsoft Windows except Itanium editions.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.