Microsoft Patch Tuesday Fixes Edge Browser, Again

Microsoft has delivered a wide range of fixes to a number of its products, in its Patch Tuesday update for September.

The update includes fixes for Windows and Office, as well as the Internet Explorer. But perhaps surprisingly, the new Edge web browser received its second major security update as well.

Critical Patches

The update in September saw the release of 12 Microsoft security bulletins, five of which are critical.

“With this month’s patch load, we can count 105 updates released so far this year which is only one update short of the total number of bulletins released back in 2013. We have already far-exceeded last year’s total of 85,” said Russ Ernst, director product management, HEAT Software (formerly Lumension).

“The reason for such a significant increase in updates this year could be attributed to a variety of factors such as the launch of Windows 10 and other new Microsoft products but regardless of the reason, the now-restructured team at Trustworthy Computing is definitely staying busy,” said Ernst.

According To Ernst, the update addresses 56 vulnerabilities, and one of the most important is MS15-097 which fixes 10 vulnerabilities in Microsoft Graphics components that impact Windows Vista, Server 2008, Microsoft Lync and the 2007 and 2010 versions of Office. Ernst said that one of these vulnerabilities, CVE-2015-2546, is under active attack and impacts Office.

The second most important update is MS15-099, which is also rated as a critical update. All versions of Office are impacted by this vulnerability which could allow a remote code execution if a user opens a malicious Office file.

The critical-rated MS15-094 should also be applied as it affects Internet Explorer.

Heavy Patching

“We are three quarters through the year and have broken the 100 bulletin mark with this month’s 12 additions,” said Qualys CTO Wolfgang Kandek.

“We are now projecting over 145 bulletins until the end of the year, a bit higher than our initial projection from May when said we would be seeing just over 140 bulletins this year,” Kandek said. “New products are responsible for the increase, with holes in Microsoft’s new Edge browser responsible for four new updates this month alone.”

“However, this is the first month with no update for Adobe Flash since October 2013,” Kandek added.

“The best word to describe this month is probably vanilla,” commented Tyler Reguly, manager of security research at Tripwire. “There’s nothing overly fancy or impressive that stands out in the list of updates, it’s the usual flavoir that we see month after month without anything exception or unique in the list.”

“The September ‘Patch Tuesday’ listing is rather tame by comparison to some of the exotic bugs we saw fixed over the summer,” added Tripwire’s security researcher Craig Young. “The four memory corruption bugs addressed in the second round of patches for Microsoft Edge however did catch my interest.

“We have a dramatically lower CVE count in the Edge bulletin compared to the IE bulletin,” Young said. “This is likely a consequence of how proficient researchers have become with fuzzing IE and may change as researchers revamp their toolkits to target Windows 10 and specifically Edge.”

What do you know about Windows 10? Try our quiz!