Office, IE bugs get sprayed with Patch Tuesday fixes

The bad news: Microsoft had to issue Patch Tuesday fixes for Office and IE. The good news: no patches for Windows 10 or Adobe Flash.

Microsoft closed out the summer bug season by spraying a handful of its core products, including Internet Explorer, its new Edge browser and Office, with a dozen bulletins addressing five critical flaws.

The 12 bulletins for September's Patch Tuesday brought the total number the company has issued so far this year to over 100. This time last year the company had issued only 55 bulletins, with a total of 85 for 2014. At this pace, the company could approach 145 for 2015, according to a projection made by Wolfgang Kandek, CTO of Qualys, Inc., in Redwood City, Calif.

The significant increase isn't necessarily related to products being that much buggier, Kandek said.

"There is no reason from a product perspective [for the increase in bugs], to me it's an indication there's just more security research going on, and more people reporting bugs to Microsoft," Kandek said. "It illustrates how difficult it is becoming to work in this area."

Of the five critical fixes issued this month, the one that addresses vulnerabilities in Microsoft's Graphics Component deserves administrators' attention first, Kandek said. The update fixes flaws in Windows, Office and Microsoft Lync, the most harmful of which allows remote code execution if users open a specially crafted document or visit a Web page containing embedded OpenType fonts.

"We think this one [MS15-097] is the most critical because it is currently being used by attackers," Kandek said. "It allows someone to escalate privilege once they are inside the computer. The fact it is in the wild means administrators should apply it soon."

The next critical fix is the cumulative security update for Internet Explorer (IE), according to Kandek, because again it addresses remote code vulnerabilities. The patch addresses 17 vulnerabilities, 14 of which are critical, by modifying how IE handles objects in memory and by making sure the browser correctly permits file operations. While there were 17 vulnerabilities in IE, its recently released successor, Edge, only had four.

"The interesting thing we see is that the bugs [in Edge] are overlapping with IE, so you can see they affect the core base," said Amol Sarwate, director of vulnerability labs for Qualys. "But if you look at this month and last month's bulletins, Edge has a lot less vulnerabilities than IE."

Last month, Microsoft released a critical fix for IE, a cumulative security update targeted at 13 vulnerabilities. A patch for Edge only addressed four vulnerabilities.

Another bulletin, labeled critical, is an update for Office that addresses five flaws, three of which are described as memory corruption vulnerabilities. This patch, along with many other patches for Office labeled critical or important, should be applied quickly given that the vast majority of larger IT shops typically have thousands of copies installed, Kandek said.

This bulletin addresses the vulnerabilities by correcting how Office handles files in memory and by modifying how SharePoint validates Web requests, according to Microsoft.

"Most vulnerabilities in Office are critical because it is so widely installed," Kandek said. "And this one also involves remote code execution, so it is particularly important if you are in the corporate space."

Microsoft issued three bulletins for server-side products. The most notable, perhaps, is an update to resolve vulnerabilities in the widely used Exchange Server. The most severe vulnerability allows information disclosure if Outlook Web Access fails to properly handle Web requests, according to Microsoft. It could also "sanitize" user input and email content.

The good news in September's report was that no bugs were reported living in the core of the recently rolled-out Windows 10 operating system and, for the first time since October 2013, no update had to be made to Adobe Flash Player.

"There were some big changes to Flash the last few months that Google was working on with Adobe to make it harder to exploit," Kandek said. "Maybe this gives them some breathing room."

Ed Scannell is a senior executive editor at TechTarget. Tayla Holman is the assistant site editor.
