October Patch Tuesday plugs holes in IE, Edge browsers

Windows administrators have a relatively light month, as Microsoft releases only six security bulletins for October.

Microsoft released just six security bulletins for October's Patch Tuesday, but three are rated as critical, with one affecting all supported versions of the Windows operating system.

Administrators should concentrate on rolling out the patch for Microsoft Security Bulletin MS15-106, which details a critical vulnerability in Internet Explorer (IE) 7 through IE 11 on Windows Vista through Windows 10, security researchers said. The IE update addresses 15 vulnerabilities in total, nine of which are critical and could allow remote code execution if a user views a specially crafted webpage.

"I think the Internet Explorer update gets the highest priority just because of the total number of users having and using Internet Explorer on their systems," said Amol Sarwate, director of engineering for security vendor Qualys Inc., in Redwood City, Calif.

An Office exploit that deserves attention

While Microsoft rates its security bulletin MS15-110 as "important," some security firms would elevate this bulletin to critical status due to the number of users it can affect. The bulletin details vulnerabilities in Microsoft Office, which could allow a hacker to perform remote code execution.

"[I]f you read the bulletin, you'll find that five out of the six [issues] are remote code execution," said Wolfgang Kandek, CTO at Qualys. "That's the worst for us. This is what the attacker wants. He wants to send you, in this case, an Excel document, and you open it and code executes on your machine. Those really deserve a critical rating."

Other critical releases

The two other bulletins rated as critical also deal with remote code execution exploits.

The MS15-108 update closes a vulnerability in the VBScript and JavaScript engines running on supported versions of Windows Vista, Windows Server 2008, and Server Core installations of Windows Server 2008 R2. If a user goes to a specially crafted website, an attacker could assume that user's rights and take control of the system.

The last critical update, MS15-109, touches all supported versions of Windows -- from Windows Vista to Windows 10 and the server editions in between. An attacker can use either a crafted email or website to exploit a vulnerability in the Windows shell and remotely execute code.

The other important patches

Microsoft also issued an important patch for the new Edge browser on Windows 10 systems that it lists under bulletin MS15-107. The fix prevents a hacker from gaining access to data on the affected machine. 

The final bulletin, MS15-111, is rated important and concerns all supported versions of Windows -- from Vista to Windows 10. The vulnerability could give a hacker system-level access if they have managed to log in to the system and run an exploit through a specially crafted application.

Further information on these bulletins can be found on the Microsoft Security Advisories and Bulletins site.
