For October 2015 Patch Tuesday, Microsoft released only six security bulletins with three being rated as critical.
3 rated Critical
The three bulletins rated critical deal with remote code execution.
MS15-106 is a cumulative fix for Internet Explorer, patching multiple memory corruption, scripting engine memory corruption, elevation of privilege, and information disclosure vulnerabilities, as well as a security feature bypass involving VBScript and JScript ASLR and a scripting engine information disclosure bug. The most severe flaws could allow remote code execution if an attacker tricks a user into visiting a maliciously crafted site. An attacker who successfully exploited them could gain the same user rights as the current user.
MS15-108 repeats the VBScript and JScript scripting engine fixes from the bulletin above, but here they are rated critical for affected versions of Windows Vista, Windows Server 2008 and the Windows Server 2008 Server Core installation option.
MS15-109 patches a flaw in Windows Shell that could allow remote code execution; it fixes the vulnerabilities “by modifying how Windows Shell and the Microsoft Tablet Input Band handle objects in memory.”
3 rated Important
MS15-107 is the cumulative patch for Microsoft Edge. The most severe flaw could allow information disclosure; the other patch is for an XSS filter bypass. The fix is rated important for Edge users on Windows 10.
MS15-110 fixes security flaws in Microsoft Office, including “all supported editions” of Excel 2007, 2010, 2013, 2013 RT and 2016, Excel for Mac 2011 and 2016; Microsoft Visio 2007 and 2010; Excel Services on Microsoft SharePoint Server 2007, 2010 and 2013; Microsoft Web App 2010, Microsoft Excel Web App 2010 and Microsoft Office Web Apps Server 2013; and Microsoft SharePoint Server (2007, 2010 and 2013) and Microsoft SharePoint Foundation 2013.
Although rated as important, Qualys CTO Wolfgang Kandek says MS15-110 “deserves your attention. It addresses six issues in Office (mostly Excel) with five resulting in Remote Code Execution. An attacker would trick a user into opening an Excel sheet with an exploit for one of the vulnerabilities in order to be successful, which is not that hard if the Excel sheet is presented in an interesting context, say as relevant product information, pricing and discounts of competing vendors.”
MS15-111 applies to all versions of Windows; it patches the Windows kernel to prevent elevation of privilege.
In Microsoft’s usual acknowledgements to security researchers, James Forshaw of Google Project Zero is credited twice for discovering EoP vulnerabilities fixed in MS15-111.
Kandek advises patching MS15-106 first, MS15-110 second and MS15-109 third. The rest, he says, can be deployed during the normal patching cycle.