Microsoft released 12 security updates for September 2015 Patch Tuesday, five of which are rated critical, and one of which fixes a flaw that is currently being exploited in the wild.
Microsoft patches rated critical
MS15-097 contains a fix for a flaw currently being exploited in the wild, so it should be your top priority. It patches 11 vulnerabilities in the Microsoft Graphics Component, which could allow remote code execution.
Qualys CTO Wolfgang Kandek wrote, “The bulletin is rated critical on Windows Vista and Server 2008, plus Microsoft Office 2007 and 2010, plus Lync 2007, 2010, 2013. In addition, one of the vulnerabilities, rated only as important in the bulletin, is under attack in the wild: CVE-2015-2546 allows for an escalation of privilege once on the machines, allowing the attacker to become administrator of the targeted machine. CVE-2015-2546 affects all versions of Windows including Windows 10.”
MS15-094 should be the second priority: the cumulative security update for Internet Explorer 7 through 11 resolves 17 RCE vulnerabilities, 14 of which are rated critical. The RCE flaws could allow an attacker to take over IE and then execute code on your PC if you visit a maliciously crafted webpage. Shavlik product manager Chris Goettl pointed out that both this patch and the one below contain fixes for the publicly disclosed CVE-2015-2542 memory corruption vulnerability.
MS15-095 is a cumulative security update resolving four vulnerabilities in Microsoft’s newest Edge browser. As was the case for the big IE patch, the fix for Edge resolves RCE flaws that could allow an attacker to take over your PC.
MS15-098 addresses five holes in Windows Journal. Four of the vulnerabilities could allow an attacker to take control of your PC if you opened a maliciously crafted Journal file. The final fix addresses a denial of service flaw.
MS15-099 resolves four vulnerabilities in Microsoft Office. It is rated critical for Office 2007, 2010, 2013 and 2013 RT; it is rated as important for Microsoft Excel for Mac 2011 and 2016 as well as for Microsoft SharePoint Foundation 2013 and Microsoft SharePoint Server 2013. The most severe vulnerabilities could allow RCE if an attacker tricked a victim into opening a maliciously crafted Office file.
Microsoft patches rated important
MS15-096 resolves a vulnerability in Active Directory that “could allow denial of service if an authenticated attacker creates multiple machine accounts. To exploit the vulnerability an attacker must have an account that has privileges to join machines to the domain.”
MS15-100 addresses a publicly disclosed vulnerability in Windows Media Center that could allow RCE if an attacker tricked a user into opening a specially crafted Media Center link (.mcl) that references malicious code.
MS15-101 resolves two vulnerabilities in the Microsoft .NET Framework, one of which has been publicly disclosed. The most severe could allow elevation of privilege if an attacker tricks a user into running a maliciously crafted .NET application.
MS15-102 patches three privilege escalation vulnerabilities in Windows Task Management.
MS15-103 addresses three vulnerabilities in Exchange 2013: two could allow spoofing and one could allow information disclosure. The latter is regarded as the most severe and could disclose information if “Outlook Web Access (OWA) fails to properly handle web requests, and sanitize user input and email content.”
MS15-104 provides fixes for three cross-site scripting (XSS) vulnerabilities in Skype for Business Server 2015 and Lync Server 2013. The most severe could allow elevation of privilege and the two others could allow information disclosure.
MS15-105 contains the fix for a Hyper-V security feature bypass vulnerability. “The vulnerability could allow security feature bypass if an attacker runs a specially crafted application that could cause Windows Hyper-V to incorrectly apply access control list (ACL) configuration settings.”