All versions of Windows affected by critical security flaws
Microsoft has issued a “critical” patch for every supported version of Windows to fix a flaw that allows attackers to remotely take control of just about any version of Windows, from Windows Vista to Windows 10, simply by serving the victim a specially crafted, malware-laden web page. Microsoft’s Edge browser, however, is unaffected by the flaw.
In its advisory, the company said that the patch, MS15-106, includes fixes for critical vulnerabilities that can allow remote code execution (RCE) if a user views a specially crafted web page. This critical bulletin affects IE versions 7 and up on Windows Vista, Windows 7, Windows 8/8.1, and Windows 10. Windows Server 2008 and 2012 are also affected, but there the vulnerabilities are rated moderate because of the restricted mode in which Internet Explorer runs on those systems. If successfully exploited, an attacker could gain the same user rights as the current user, such as installing programs or deleting data.
An attacker would have to “take advantage of compromised websites, and websites that accept or host user-provided content or advertisements,” said the advisory. “These websites could contain specially crafted content that could exploit the vulnerabilities.”
Microsoft Windows server software is also susceptible to the flaws, but to a lesser degree, because of the enhanced security mode in which Internet Explorer runs on those systems.
Researchers from FireEye, HP’s Zero Day Initiative, Trend Micro, and Verisign, among others, were recognised by Microsoft for discovering the flaw.
Two other patches, MS15-108 and MS15-109, address further critical vulnerabilities in Windows. MS15-108 includes fixes for vulnerabilities in the VBScript and JScript scripting engines in Microsoft Windows, while MS15-109 covers vulnerabilities in the Windows Shell that could allow RCE through specially crafted online content.
Lower on the importance scale are two bulletins that do not include critical patches: MS15-107, a bulletin for Microsoft’s new Edge browser in Windows 10 that addresses a flaw that could allow information disclosure, and MS15-111, a patch for the Windows kernel in all supported versions of Windows that addresses a flaw that could allow elevation of privilege if successfully exploited. MS15-110 fixes security flaws in Microsoft Office, covering “all supported editions”.
The patch modifies how IE, JScript and VBScript handle objects in memory, and adds permission validations to IE, Microsoft said.
The patches will be available in October through the usual update channels.