September Patch Tuesday, a lot of Microsoft with a touch of Adobe

This feels like a light month compared to the last few Patch Tuesdays, especially for third parties. Coming off of Black Hat, all the vendors we would normally expect to see on patch day have had their hands forced last month to respond quickly to any vulnerability they may have had, likely causing a slow month this time around. Next month we should expect a Java quarterly release, along with more third-party patches.

As for Microsoft, it has released 12 bulletins. Five of these bulletins are rated as Critical. There are a lot of media content vulnerabilities being resolved this month for graphics drivers, Windows Journal and Media Center, and Microsoft Office and Sharepoint.
It appears that the Windows 10 and Edge browser update are combined again this month. Although you will see Windows 10 as affected by bulletins MS15-094, MS15-095 (Edge), MS15-097, MS15-098, MS15-102 and MS15-105, there will be a single cumulative update for the six bulletins.

Five of the bulletins have vulnerabilities that have been publicly disclosed and one has been detected in exploits in the wild. Any vulnerability that has been publicly disclosed is something that you will want to pay close attention to, as public disclosure is an indicator of risk. Statistically these vulnerabilities are going to have a much higher chance of being exploited.

  • MS15-094 and MS15-095 both contain a fix for CVE-2015-2542.
  • MS15-097 contains two public disclosures (CVE-2015-2546, CVE-2015-2529) one of which has also been detected in attacks in the wild (CVE-2015-2546).
  • MS15-100 contains a fix for CVE-2015-2509 and MS15-101 contains a fix for CVE-2015-2504, both of which have been publicly disclosed.

These bulletins should be on your priority list this month.

For those of you still running Server 2003 and on an Extended Support Agreement, expect an update for MS15-097 and MS15-098 this month.

Adobe is the only notable third party update this Patch Tuesday. Shockwave has a release resolving two vulnerabilities.

Join us tomorrow for our regular Patch Tuesday webinar as we discuss the bulletins and provide some details and guidance to help you prioritize your Patch Maintenance for September 2015.