
Windows 10 gets its first Patch Tuesday updates

Microsoft wastes no time delivering its first critical Windows 10 Patch Tuesday fixes, along with critical updates for its Edge and IE browsers.

Just a few weeks after the release of Windows 10, Microsoft issued five patches for its newest operating system.

The company issued an additional patch for its new Edge browser to address four vulnerabilities, particularly ones that could allow remote code execution if users access specially crafted Web pages.

Microsoft also delivered a critical security fix for Internet Explorer (IE) -- again to eliminate vulnerabilities that could allow remote code execution with multiple versions of Windows including Windows 10.

Still, some industry observers believe Windows 10 is faring a bit better than Windows 8 did in its first two months, in which Windows 8 accounted for 60% of the Windows patches, compared to 40% for Windows 10.

"If you run Windows 10 home edition you have automatic updates, which I am a big fan of, it is very useful for security," said Wolfgang Kandek, CTO with Qualys, Inc. "And the enterprise edition now has safeguards that put users in a virtual machine [Virtual Secure Mode] so attackers can't get at your credentials so easily."

But Qualys officials believe the most serious of the 14 bulletins issued this month is a rare critical update for Office addressing eight vulnerabilities. The most harmful are those that permit remote code execution when users open a specially crafted Office file.

Company officials believe this fix should be the first order of business for IT pros this month, if only because the bug affects multiple versions of the product, which is used by tens of millions.

"This should be the highest priority, not only because it is critical and is so widely used, but because there are active exploits going on out there in the wild," said Amol Sarwate, director of vulnerability labs at Qualys. He added the exploit can be triggered automatically in both Office 2007 and 2010.

Another critical fix was a cumulative security update for IE targeted at 13 vulnerabilities, including some 10 vulnerabilities that permit attackers to gain access to a system and execute arbitrary code. The fix is classified as critical for all supported versions of IE on Windows clients, but only moderate for all supported versions of IE residing on Windows-based servers.

Specifically, the fix addresses how IE handles objects in memory, thereby ensuring that the affected versions properly implement the ASLR security feature. It also improves command-line parameters for Notepad execution from IE.

Another update, deemed important, resolves a vulnerability in the Windows Mount Manager that permits an elevation of privilege if attackers insert a malicious USB device into a system. Once the device is inserted it can write a malicious binary to the hard drive and execute it.

"This should be a high priority update for all your machines that are not in controlled environments," Kandek said.

In what has become a monthly occurrence, Microsoft released an Adobe Flash update that addresses 34 vulnerabilities, although only one is classified as critical. Users of IE versions 10 and 11 can get their update (APSB15-19) through their browsers. Flash, which comes with Windows 8.X and Edge on Windows 10, will automatically get updated to the patched version.

Microsoft also released two patches for Windows Server, both deemed important. The first is a security update that addresses a vulnerability in Microsoft System Center Operations Manager. This vulnerability allows for an elevation of privilege if users access an affected website with a specially crafted URL.

The second, also a security update, addresses a vulnerability in UDDI Services that permits an elevation of privilege if attackers can carry out a cross-site scripting attack by placing a malicious script into a web page search parameter.

More details on the August 2015 Patch Tuesday can be found on TechNet.

Ed Scannell is a senior executive editor at TechTarget. He can be reached at escannell@techtarget.com. Tayla Holman is the assistant site editor for SearchWindowsServer.com and can be reached at tholman@techtarget.com. 

Join the conversation

1 comment

Did we really think this would be the end of patches and updates? I still say it comes down to the QA being done. Do they let some issues and flaws slide, hoping nobody finds them, just to get the product out the door? I am in no hurry to upgrade my OS.