You can keep shouting “bring out your dead,” but Patch Tuesday is not dead yet. There is a large lineup this month on both the Microsoft and third-party fronts, and even some Windows 10 updates to boot!
Patch Tuesday is always fun after a major security conference. We are going to see some fallout from the Black Hat conference last week, as security researchers showed off their skills with live exploits of popular browsers and plug-ins. Mozilla already released a security update last week and, for Patch Tuesday, we have updates for IE, Edge, Flash, Chrome and Java.
Microsoft has released 14 bulletins, four of which are critical. The critical updates affect Internet Explorer, Edge, Windows, .NET Framework, Microsoft Office, Microsoft Lync and Microsoft Silverlight. Two of the critical updates affect Office.
Exploits detected in the wild:
- MS15-081 CVE-2015-1642
- MS15-085 CVE-2015-1769
Remember that public disclosure is a risk indicator. If a vulnerability has been publicly disclosed, the chances of exploit are significantly higher.
- MS15-079, MS15-081, MS15-088 – CVE-2015-2423 – To fully resolve this vulnerability, you need to apply every one of the bulletins that it affects.
- MS15-080 – CVE-2015-2433 – MS15-080 is a critical update resolving 16 vulnerabilities across TrueType, OpenType, Office Graphics Component, and some Kernel and Shell security feature bypass vulnerabilities. This update affects Windows 10 users. It is also the one update this month that affects Server 2003 customers, and it is available to them if you have an extended support contract.
Windows 10 users can expect to see the IE update for IE 11 (MS15-079), MS15-080, MS15-085, MS15-088, MS15-091 (Critical update for Edge browser) and MS15-092.
Microsoft has changed the game up with its Windows 10 patches. Instead of releasing patches individually, it is now releasing patches in bundles. This makes it easy to patch systems, but it also means that users can no longer test patches individually before integrating them, which could be problematic if one patch causes issues.
Adobe has released a Flash update today that resolves 35 vulnerabilities. The update is rated as a Priority 1.
Google Chrome has an update available today to support the Flash plug-in. It’s currently unclear if this update contains other security fixes, but the Flash plug-in puts it in the Priority 1 bucket.
There is an expected update from the Java team. Java 8u60 is a maybe for today. We have not seen it drop yet, but there is enough buzz going on to keep a wary eye open.
Mozilla Firefox had a security-related release last week to respond to some critical vulnerabilities. That update should be on your Priority 1 list this month. Firefox 40 is expected out at any time now, but it will be a feature update with new Windows 10-friendly features, not a security update.
Join us tomorrow for our monthly Patch Tuesday webinar, where we will discuss the updates, priorities, and related topics to keep you informed.