Microsoft Patch Tuesday fixes 5 'Critical' security issues

by Mark Tyson on 11 March 2015, 10:45

Tags: Windows 7, Windows 8, Windows Vista, Microsoft (NASDAQ:MSFT)

Quick Link: HEXUS.net/qacpui

Add to My Vault: x

This month's Patch Tuesday saw Microsoft serve up updates to fix the largest number of security flaws in recent months. Patches for five issues labelled as 'Critical' and nine rated as 'Important' are now going out via Microsoft's update channels, with all but two of the updates aimed at Windows. My PC has just finished the download and install of these patches.

Below is a brief rundown of the security-related updates deemed as Critical, from Microsoft's summary of the latest Patch Tuesday:

  • MS15-018: Cumulative Security Update for Internet Explorer, fixing remote code execution.
  • MS15-019: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution.
  • MS15-020: Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution.
  • MS15-021: Vulnerabilities in Adobe Font Driver Could Allow Remote Code Execution.
  • MS15-022: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution.

In addition to the Critical flaws, MS15-031 is a fix worth noting as it is aimed at the cross-platform FREAK bug which all versions of Windows were vulnerable to. "The vulnerability could allow a man-in-the-middle (MiTM) attacker to force the downgrading of the key length of an RSA key to EXPORT-grade length in a TLS connection. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected," explained Microsoft's summary.

The Factoring Attack on RSA-EXPORT Keys (FREAK) vulnerability, or CVE-2015-0204, is the latest flaw to be found in SSL/TLS that makes it possible for unauthorised parties to spy upon a user's supposedly secure internet communications. With the release of this patch, it means that Microsoft and Apple platforms are now secured from the bug. Google has developed a software update for Android but it requires hardware partners to push it out in most cases.

The remaining Patch Tuesday updates mostly affect Microsoft Windows, with one exception being a solution for an issue in Microsoft Exchange Server. Specific details on fixes of these minor issues can be found on Microsoft's bulletin summary page. It is also probably worth nothing that Microsoft will only be providing free updates for Windows Server 2003 for three further months.



HEXUS Forums :: 7 Comments

Login with Forum Account

Don't have an account? Register today!
2 hours later and it's still downloading….@ 16% downloaded. I think their servers are creeking with all the bandwidth to push this out, I've read on one website a user had 41 updates totalling 1.46Gb (of which 1.25Gb was for Office 2013). Urgh!
1.1gb here 1 gig of which was Office
365MB's of updates here including office…. I'll do it later though, I never do it on the day of release lol
Why don't Microsoft gives a patch to block GCHQ AND GOOGLE Spyware
and close the backdoor in windows which it knows about!!!!!!!
tomthum
Why don't Microsoft gives a patch to block GCHQ AND GOOGLE Spyware
and close the backdoor in windows which it knows about!!!!!!!

I'd love to see the CVE behind this claim.