icetray - Fotolia

November Patch Tuesday closes gaps in Internet Explorer, Windows

Microsoft releases 12 security bulletins covering a wide range of applications, including Skype.

Of the 12 security bulletins released on November's Patch Tuesday, Microsoft designated four as critical, with one handling flaws in Internet Explorer and another that plugs exploits in all supported versions of Windows.

After a relatively light Patch Tuesday in October that featured six bulletins, administrators not only have twice as many bulletins, but flaws that affect a wider range of applications.

"Usually, we only have Internet Explorer, Office and Edge, but this month, we have [patches for] Skype, Kerberos, Schannel, IPSec and NDIS," said Amol Sarwate, director of engineering for security vendor Qualys Inc., in Redwood City, Calif.

Each of the four critical bulletins deal with attacks that use remote code execution.

Critical update affects Windows machines

Microsoft lists security bulletin MS15-115, which affects all Windows operating systems, as the fourth-most important bulletin, but Sarwate said it should be at the top of most Windows administrators' priority lists based on the company seeing an uptick in "drive-by" attacks.

"Just viewing a webpage with a certain set of fonts could cause a remote attacker to compromise a victim's machine," Sarwate said.

The patch plugs seven vulnerabilities in all supported versions of Windows -- including Windows 10 and Windows RT -- with two exploits that deal with remote code execution that are labeled critical. The patch corrects an issue that could let an attacker perform a remote code execution if a user goes to a website with embedded fonts or opens a document that uses this vulnerability.

A critical patch for Internet Explorer

The next critical update that Windows administrators should apply as soon as possible deals with remote code execution vulnerabilities in Internet Explorer (versions 7-11), as described in security bulletin MS15-112.

If a user visits a specially crafted website, an attacker could perform a remote code execution to obtain the same rights as the current user. If the user has administrative rights, the attacker could penetrate further and essentially have little to no restrictions once inside a system.

This patch makes a total of 25 fixes, with 23 marked critical.

Two other critical bulletins

The new Microsoft Edge browser has an update in security bulletin MS15-113 that patches a remote code execution vulnerability to prevent an attacker from gaining access to a machine if a user goes to a specially crafted webpage with the Edge browser running on a Windows 10 machine.

While it's still early to judge whether Microsoft has ramped up the security measures in its latest browser, the numbers show fewer exploits are present compared to Internet Explorer.  

"Since August, Internet Explorer has had about 70 security bulletins, while Edge has had about 13," Sarwate said.

The final critical update, MS15-114, fixes a flaw that could allow a remote code execution if a user opens a specially made Windows Journal file on systems running Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.

An important fix for Microsoft Office users

While not marked critical, administrators should consider giving the MS15-116 security update for Microsoft Office a higher priority due to the high number of users it has the potential to affect. Users can prevent an attack from an Office document by opening it in read-only mode or paying attention to any warnings that come from dialog boxes.

"In our experience, a lot of people will get an Office document, then they download it and open it, and click 'OK' through the security warnings," Sarwate said.

While most organizations will have protections that typically prevent these types of malicious files from reaching a user's inbox, some documents may slip through, which means common sense should come into play when working through your inbox.

"Avoid opening documents that are out of context. Email spoofing is very easy to do. If someone you know says, 'Hey, here's that document you requested,' but you didn't ask for it. Be very careful opening any documents, not just Office documents," Sarwate said.

Other important bulletins

The seven remaining security bulletins marked as important deal with vulnerabilities in Skype for Business, Lync, the .NET Framework, Winsock, NDIS, IPSec, Schannel and Kerbeos.

Further information on the November Patch Tuesday bulletins can be found on the Microsoft Security Advisories and Bulletins site.

Next Steps

Need to patch multiple OSes? These tips can ease the pain

October Patch Tuesday 2015 has fewest bulletins this year

Evaluating automated patch management offerings

Dig Deeper on Windows administration tools