Just a few weeks after the release of Windows 10, Microsoft issued five patches for its newest operating system.
The company issued an additional patch for its new Edge browser to address four vulnerabilities, particularly ones that could allow remote code execution if users access specially crafted Web pages.
Microsoft also delivered a critical security fix for Internet Explorer (IE) -- again to eliminate vulnerabilities that could allow remote code execution with multiple versions of Windows including Windows 10.
Still, some industry observers believe Windows 10 is faring a bit better than Windows 8 did in its first two months, in which the latter accounted for 60% of the Windows patches compared to 40% for Windows 10.
"If you run Windows 10 home edition you have automatic updates, which I am a big fan of, it is very useful for security," said Wolfgang Kandek, CTO with Qualys, Inc. "And the enterprise edition now has safeguards that puts users in a virtual machine [Virtual Secure Mode] so attackers can't get at your credentials so easily."
But Qualys officials believe the most serious of the 14 bulletins issued this month is a rare critical update for Office addressing eight vulnerabilities. The most harmful are those that permit remote code execution when users open a specially crafted Office file.
Company officials believe this fix should be the first order of business for IT pros this month if only because the bug affects multiple versions of the product which is used by tens of millions.
"This should be the highest priority, not only because it is critical and is so widely used, but because there are active exploits going on out there in the wild," said Amol Sarwate, director of vulnerability labs at Qualys. He added the exploit can be triggered automatically in both Office 2007 and 2010.
Another critical fix was a cumulative security update for IE targeted at 13 vulnerabilities, including some 10 vulnerabilities that permit attackers to gain access to a system and execute arbitrary code. The fix is classified as critical for all supported versions of IE on Windows clients, but only moderate for all supported versions of IE residing on Windows-based servers.
Specifically, the fix addresses how IE handles objects in memory, thereby ensuring that the affected versions properly implement the ASLR security feature. It also improves command-line parameters for Notepad execution from IE.
Another update, deemed important, resolves a vulnerability in the Windows Mount Manager that permits an elevation of privilege if attackers insert a malicious USB device into a system. Once the device is inserted it can write a malicious binary to the hard drive and execute it.
"This should be a high priority update for all your machines that are not in controlled environments," Kandek said.
In what has become a monthly occurrence, Microsoft released an Adobe Flash update that addresses 34 vulnerabilities although only one is classified as critical. IE versions 10 and 11 users can get their update (APSB15-19) through their browsers. Flash, which comes with Windows 8.X and Edge on Windows 10 will automatically get updated to the patched version.
Microsoft also released two patches for Windows Server, both deemed important. The first is a security update that addresses a vulnerability in Microsoft System Center Operations Manager. This vulnerability allows for an elevation of privilege if users access an affected website with a specially crafted URL.
The second, also a security update, addresses a vulnerability in UDDI Services that permits an elevation in privilege if attackers can carry out a cross-site scripting by placing a malicious script into a web page search parameter.
More details on the August 2015 Patch Tuesday can be found on TechNet.
Ed Scannell is a senior executive editor at TechTarget. He can be reached at [email protected] Tayla Holman is the assistant site editor for SearchWindowsServer.com and can be reached at [email protected]