October Patch Tuesday plugs holes in IE, Edge browsers

Windows administrators have a relatively light month, as Microsoft releases only six security bulletins for October.

Microsoft released just six security bulletins for October's Patch Tuesday, but three are rated as critical, with one affecting all supported versions of the Windows operating system.

Administrators should concentrate on rolling out the patch for Microsoft Security Bulletin MS15-106, which details a critical vulnerability in Internet Explorer (IE) 7 through IE 11 on Windows Vista through Windows 10, security researchers said. The IE update addresses 15 vulnerabilities in total, nine of which are critical and could allow remote code execution if a user views a specially crafted webpage.

"I think the Internet Explorer update gets the highest priority just because of the total number of users having and using Internet Explorer on their systems," said Amol Sarwate, director of engineering for security vendor Qualys Inc., in Redwood City, Calif.

An Office exploit that deserves attention

While Microsoft rates security bulletin MS15-110 as "important," some security firms would elevate it to critical status because of the number of users it can affect. The bulletin details vulnerabilities in Microsoft Office that could allow a hacker to perform remote code execution.

"[I]f you read the bulletin, you'll find that five out of the six [issues] are remote code execution," said Wolfgang Kandek, CTO at Qualys. "That's the worst for us. This is what the attacker wants. He wants to send you, in this case, an Excel document, and you open it and code executes on your machine. Those really deserve a critical rating."

Other critical releases

The two other bulletins rated as critical also deal with remote code execution exploits.

The MS15-108 update closes a vulnerability in the VBScript and JavaScript engines running on supported versions of Windows Vista, Windows Server 2008, and Server Core installations of Windows Server 2008 R2. If a user goes to a specially crafted website, an attacker could assume that user's rights and take control of the system.

The last critical update, MS15-109, touches all supported versions of Windows -- from Windows Vista to Windows 10 and the server editions in between -- where an attacker can use either a crafted email or website to exploit a vulnerability in the Windows shell and remotely execute code.

The other important patches

Microsoft also issued an important patch for the new Edge browser on Windows 10 systems that it lists under bulletin MS15-107. The fix prevents a hacker from gaining access to data on the affected machine. 

The final bulletin, MS15-111, is rated important and concerns all supported versions of Windows -- from Vista to Windows 10. The vulnerability could give a hacker system-level access if they have managed to log in to the system and run an exploit through a specially crafted application.

Further information on these bulletins can be found on the Microsoft Security Advisories and Bulletins site.

Join the conversation

Which of Microsoft's Patch Tuesday issues concern you the most? Why?
The Edge browser continues to be a resource hog, either RAM or CPU but often both. We have stopped its use.
Still hearing too much negative feedback with Windows 10 and its new features. Will probably wait at least a year for the dust to settle. There may be small patches, but is that because they just have not been found or Microsoft is slow on the fixes for the problems that have been identified?
Yes Todd, key as always with Windows is you have to test the applications you need to work as well as all the devices/peripherals in your stock machines, not to mention Exchange and the like.

However, the o/s itself is stable and running quiet is better on memory than prior versions, appearing relatively memory efficient.

The functionality like virtual desktops, start button tiles is also a nice one for users too.

Not too many reasons to hold back on users if tests go well although the cost of upgrading other applications to win10 may not be worth it.
Gee, ONLY six this month (with half those rated as critical). Sure, we all know Windows is incredibly complex. So is brain surgery. How many critical errors and weekly fixes would we tolerate there...?

Okay, I'll admit that's an unfair analogy. How about writing a book? That's code, too. In fact, I produced a film called "The Writing Code" in which scholars explain that writing is little more than human-readable code. So how many updates would you accept on your last book? PLEASE REPLACE PAGES 7 THROUGH 9 WITH.... A few, I guess, would be okay, after all we're only human. A FEW. And how many updates do we get from MS...?

Seems we're all beta testers for Microsoft. That's okay, but I think the pay is lousy.
ncberns - are you new to Windows?
lol, had to laugh at the beta tester comment. Hit the nail right on the head. If we put out a product to our customers like Windows with all the constant patching, how long would we get to keep our jobs?? What is our reward for beta testing Win10 and finding all their issues??? Win11.....rinse and repeat...