Microsoft’s advisory states: “The more severe of the vulnerabilities could allow remote code execution if an attacker hosts a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer (or leverages a compromised website or a website that accepts or hosts user-provided content or advertisements) and then convinces a user to view the website.“
Microsoft has rolled out six security updates this Patch Tuesday, out of which three are considered to be “critical,” while the rest are marked as “important.“
Bulletin MS15-106 is considered to be critical for Internet Explorer (IE) and affects absolutely all versions of Windows operating system.
The update addresses a flaw in the way IE handles objects in memory. The flaw could be exploited to gain access to an affected system, allowing hackers to gain the same access rights as the logged-in user.
A hacker could “take advantage of compromised websites, and websites that accept or host user-provided content or advertisements,” the advisory states. “These websites could contain specially crafted content that could exploit the vulnerabilities.“
Therefore, the dependency here is that an IE user must knowingly click on the malicious link, which then be leveraged by an attacker to get the full control over a computer that’s not yet running the patch.
So, users of Windows Vista, 7, 8, 8.1, and Windows 10 are advised to install this update as soon as possible.
And, if you have not yet patched your PCs against this flaw, just make sure you do not click any suspicious links or websites landing in your inbox.
The other two patch updates, MS15-108, and MS15-109, address other critical flaws in Windows.
Bulletin MS15-108 addresses four vulnerabilities including a Remote Code Execution (RCE)vulnerability in Windows. It resolves vulnerabilities in the VBScript and JScript scripting engines in Windows.
The third and last critical security update, MS15-109, also addresses Remote Code Execution (RCE) flaws in Windows as well as packages a security update for Windows Shell.
The vulnerability could be exploited if a user opens a specially crafted toolbar object in Windows, or an attacker tricks a user to view specially crafted content posted online.
The company also rolled out three other patches – MS15-107, MS15-110, and MS15-111 – to address vulnerabilities in Windows, Microsoft Edge browser, Office, Office Services and Web Apps, and Server. All these bulletins are marked as “important“.
All the updates are necessary, and we advise Windows users and administrators to install the new updates as soon as possible.
For the updates, you will have to follow the same method of downloading and installing the Windows update for your system.