Patch Tuesday May 2015: Internet Explorer is this month’s problem child [update]

Update (16 May): It seems that the relatively uneventful May Patch Tuesday updates have sprung a last-minute surprise, mainly courtesy of KB3046002, which causes 64-bit Windows 7 machines to hang after installation. Typical.

Although it might seem like a massive issue, the update itself addresses a Microsoft Journal issue. But there is a fix.

WindowsITPro suggests cutting power to the PC in question mid-install, which should get the cranks moving again. It seems that the update just doesn’t call home to Microsoft to tell it that it has installed properly, hence the hang.

There hasn’t been any news from Microsoft about the issue.

Another second Tuesday has passed, and another batch of critical updates has been issued by Microsoft. Welcome to Patch Tuesday. This month saw quite a few pushed by the Redmond technology company, totalling around 13 bulletins with three updates rated as critical.

It seems that the chief offender this month was Internet Explorer.

Internet Explorer

Microsoft’s outgoing browser received a bumper 22 updates and bug fixes (MS15-043), which target memory corruption exploits, VBScript holes and a few elevation-of-privilege issues.

Note that 14 of these are critical (thanks to the beauty of remote code execution) and affect all Internet Explorer versions from 6 through to 11 running on Windows Server 2003, Server 2008, Server 2012, Windows Vista, Windows 7, and Windows 8.x.

If you haven’t installed these yet, you should probably hit up Windows Update right about now. Of course, Internet Explorer wasn’t the only software suite to gain new armour this month.

GDI+ and the Windows font drivers

MS15-044 addresses issues in GDI+ — a common Windows API that’s usually responsible for rendering the likes of fonts on screen — which could also be remotely compromised. In this case, the OpenType and TrueType font rendering engines are at fault.

“The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType fonts,” advises Microsoft.

Windows Journal

The final critical patch (MS15-045) comes courtesy of a Windows Journal flaw. It’s not utterly dire for those who don’t use Journal (practically everyone in existence), and two of the six updates are rated critical, but Wolfgang Kandek of security firm Qualys does recommend the following:

“Patch quickly and evaluate disabling Windows Journal (a notebook application). I do not know anybody who uses Windows Journal, so I would recommend following the workaround described in the advisory and neutering the file description ‘.jnl’ to counter this and future attacks on this software.”

What about Microsoft’s other software?

Microsoft Office has also received its fair share of updates this month, addressing (you guessed it) remote code execution. It’s particularly pertinent for those who regularly access Word and Excel documents through emails.

“Both have as the attack vector e-mail attached documents that get sent to your user’s e-mail account in the expectation the documents get opened by their recipients,” notes Kandek.

There’s also a particularly welcome update for Microsoft’s older operating systems, allowing a smoother update to Windows 10 when the OS is eventually released to retail.

ZDNET’s Ed Bott notes that this month’s slew of Patch Tuesday updates is relatively small in size, weighing in at “under 200 MB on an otherwise up-to-date Windows 8.1 installation and under 250 MB for a system running Windows 7 plus Office.”

We’ve barely skimmed the surface of what has been quite a bumper month for updates. To glance through all the advisories issued by Microsoft, hit up the official link here to read about each update in detail.

We didn’t forget about you, Adobe

As for Adobe, its Flash Player and AIR runtime suites boast 18 plugged security holes, and if you’re wondering what version of Flash you should have, it’s 17.0.0.188.

At the time of writing, all updates issued on Patch Tuesday from Microsoft and Adobe are reportedly not affecting system stability, which is a welcome relief for such a large number of updates.

If you’ve experienced strange happenings after installing updates, let us know in the comments section below.

Feature image: Javier Aroche via Flickr
