All Windows versions hit by major security flaw

14 Oct 2015

Microsoft has issued a "critical" patch for every supported version of Windows, according to its monthly security bulletin, which came as part of its so-called Patch Tuesday.

According to Microsoft, Windows Vista and later versions, including Windows 10, required patching for a serious remote code execution flaw in Internet Explorer.

The patch, MS15-106, addresses a flaw in the way Internet Explorer handled objects in memory, the company said in its advisory. An attacker could exploit the flaw to gain access to an affected machine with the same rights as the logged-in user, such as installing programs and deleting data.

An attacker would have to "take advantage of compromised websites, and websites that accept or host user-provided content or advertisements," said the advisory. "These websites could contain specially crafted content that could exploit the vulnerabilities."

Windows server systems were at risk too, but their enhanced security mode helped to mitigate the vulnerability.

Microsoft acknowledged the contribution of researchers from FireEye, HP's Zero Day Initiative, Trend Micro, and Verisign, among others, in identifying the flaw.

Additionally, Microsoft released two other patches, MS15-108 and MS15-109, to address other critical vulnerabilities in Windows.

Three other patches, MS15-107, MS15-110, and MS15-111, addressed "important" issues.

Meanwhile, Craig Young, a computer security researcher with Tripwire Inc's Vulnerability and Exposures Research Team, based in Portland, Oregon, said this month was also special, as none of the patched vulnerabilities had known zero-day exploits, TechTarget reported.

"Network administrators should be relieved this month to learn that none of the vulnerabilities being patched are remotely exploitable," Young said. "This is a pretty standard mix of Web and file format vulnerabilities requiring some degree of user interaction or user error. It is also worth noting that there is no indication of any of the patched vulnerabilities being exploited prior to Patch Tuesday. This is the first time in 2015 that Microsoft has not reported detected exploitation for any bulletin."

Computer users in the US and UK have been advised by their respective governments to consider using alternatives to Microsoft's Internet Explorer browser until the company fixed a security flaw that hackers used to launch attacks (See: UK, US govts advise computer users to stop using IE till bug fixed).