Microsoft has used its latest Patch Tuesday release to fix at least two vulnerabilities being exploited in the wild.
Wolfgang Kandek, CTO of Qualys and longtime Patch Tuesday blogger, wrote on Tuesday that the highest priority bulletin is MS15-097, which includes fixes for critical bugs in Windows Vista, Windows Server 2008, Microsoft Office 2007 and 2010, and Lync 2007, 2010, and 2013.
“The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts,” the security bulletin said.
As Kandek noted in his post, one of the bugs in this bulletin – CVE-2015-2546, a Win32k memory corruption elevation of privilege vulnerability in all versions of Windows that Microsoft deemed important – is being exploited in the wild.
Another flaw being exploited in the wild is CVE-2015-2545, a Microsoft Office malformed EPS file vulnerability in all Windows versions of Microsoft Office. The critical bug can allow remote code execution and is addressed in bulletin MS15-099.
Kandek wrote that security bulletin MS15-094 should be priority number two because it addresses 17 vulnerabilities in Internet Explorer, 14 of which are deemed critical.
With the recent release of Windows 10, Microsoft is also now addressing vulnerabilities in its new Edge browser.
“Looking at the four Edge vulnerabilities patched in August and the four memory corruption bugs addressed today, it is apparent that Edge and IE are at least sharing some libraries, if not more substantial components of the web rendering engine,” Tyler Reguly, manager of security research for Tripwire, said.
Bulletin MS15-098 addresses vulnerabilities in Microsoft Windows – the majority of which are deemed critical – that could enable remote code execution if the user opens a specially crafted Journal file.
“On the server side MS15-103 addresses three vulnerabilities in Exchange server (all in Outlook Web Access) and MS15-096 a [denial-of-service] condition in Active Directory,” Kandek wrote.
“MS15-100, MS15-101, MS15-102 address vulnerabilities in Windows Media Center, .NET and Windows Task Manager and are all rated important, meaning they can only be abused if the attacker is already on the machine.”