This month's Patch Tuesday saw Microsoft serve up updates to fix the largest number of security flaws in recent months. Patches for five issues labelled as 'Critical' and nine rated as 'Important' are now going out via Microsoft's update channels, with all but two of the updates aimed at Windows. My PC has just finished the download and install of these patches.
Below is a brief rundown of the security-related updates deemed Critical, taken from Microsoft's summary of the latest Patch Tuesday:
- MS15-018: Cumulative Security Update for Internet Explorer, addressing remote code execution.
- MS15-019: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution.
- MS15-020: Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution.
- MS15-021: Vulnerabilities in Adobe Font Driver Could Allow Remote Code Execution.
- MS15-022: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution.
In addition to the Critical flaws, MS15-031 is worth noting as it addresses the cross-platform FREAK bug, to which all versions of Windows were vulnerable. "The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the key length of an RSA key to EXPORT-grade length in a TLS connection. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected," explained Microsoft's summary.
The Factoring Attack on RSA-EXPORT Keys (FREAK) vulnerability, or CVE-2015-0204, is the latest flaw found in SSL/TLS that makes it possible for unauthorised parties to spy on a user's supposedly secure internet communications. With the release of this patch, Microsoft and Apple platforms are now secured against the bug. Google has developed a software update for Android, but in most cases it relies on hardware partners to push it out.
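As an added, defender-side illustration of the downgrade Microsoft describes (example code written for this page, not from the article or from Microsoft), here is a small Python parser that reads a captured TLS ServerHello record and flags when the server has settled on an EXPORT-grade cipher suite, which is the outcome a FREAK-style downgrade produces. The sample record bytes, the helper names and the short suite table are constructed here; the suite IDs themselves are the IANA registry values.

```python
import struct

# IANA cipher suite IDs that use export-grade (40-bit symmetric / 512-bit RSA)
# key exchange; a FREAK downgrade steers the handshake toward one of these.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, SERVER_HELLO = 0x16, 0x02


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return the negotiated
    protocol version and cipher suite. Raises ValueError on anything else."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:                      # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[0:2])[0]
    off = 35 + body[34]                     # skip the variable-length session id
    if len(body) < off + 3:                 # cipher_suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    return {"version": version,
            "cipher_suite": struct.unpack("!H", body[off:off + 2])[0]}


def export_downgrade_alert(record: bytes):
    """Return the export suite's name if the server chose one, else None."""
    return EXPORT_SUITES.get(parse_server_hello(record)["cipher_suite"])


def build_server_hello(cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Constructed sample ServerHello (TLS 1.0, zeroed random) for testing."""
    body = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", cipher_suite) + b"\x00")
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for suite in (0x0003, 0x002F):          # export RC4-40 vs. AES-128-CBC
        hit = export_downgrade_alert(build_server_hello(suite))
        print(f"0x{suite:04x}: {'EXPORT-grade, ' + hit if hit else 'ok'}")
```

The same check can be pointed at real traffic by feeding it the first handshake record a server sends back; a hit means the client was willing to accept an export suite and should be patched or have those suites disabled.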
The remaining Patch Tuesday updates mostly affect Microsoft Windows, the one exception being a fix for an issue in Microsoft Exchange Server. Specific details on these lesser fixes can be found on Microsoft's bulletin summary page. It is also worth noting that Microsoft will only be providing free updates for Windows Server 2003 for three further months.