Security experts weigh in on Microsoft’s Patch Tuesday for September

It’s Patch Tuesday time again. Today Microsoft released 12 new security bulletins—five of which are rated as Critical. I reached out to security experts to get some insight on the latest batch of security updates and which ones deserve the most immediate attention.

With 12 new security bulletins the total for the year now stands at 105—and there are still three months left in 2015. Microsoft only released 85 security bulletins in 2014 and the 105 for this year is only one short of the total for 2013. The question is why are there so many more security bulletins this year and what is the rise in security bulletins a reflection of?

“The reason for such a significant increase in updates this year could be attributed to a variety of factors such as the launch of Windows 10 and other new Microsoft products but regardless of the reason, the now-restructured team at Trustworthy Computing is definitely staying busy,” declared Russ Ernst, director product management, HEAT Software (formerly Lumension). “And maybe even overwhelmingly so.”

The 12 security bulletins address a total of 56 separate vulnerabilities impacting a wide range of products and applications. The Critical security bulletins alone address issues with Windows Journal, Microsoft Graphics Component, and both Internet Explorer and the new Microsoft Edge browser. Interestingly there are two separate Critical updates that both deal with security flaws in Internet Explorer even though one of the two is a cumulative update.

According to Chris Goettl, product manager with Shavlik, five of the bulletins have vulnerabilities that have been publicly disclosed and one has been detected in exploits in the wild. Goettl stressed that any vulnerability that has been publicly disclosed is something you should pay close attention to, as public disclosure is an indicator of risk. Statistically these vulnerabilities are going to have a much higher chance of being exploited.

Goettl also noted, “It appears that the Windows 10 and Edge browser update are combined again this month. Although you will see Windows 10 as affected by bulletins MS15-094, MS15-095 (Edge), MS15-097, MS15-098, MS15-102 and MS15-105, there will be a single cumulative update for the six bulletins.”

Ernst recommends that you make the MS15-097 update your first priority. He says it fixes a total of 10 separate vulnerabilities in Microsoft Graphics components that impact Windows Vista, Windows Server 2008, Microsoft Lync and the 2007 and 2010 versions of Office.

Second on the list should be MS15-099. Ernst explains, “All versions of Office are impacted by this vulnerability which could allow a remote code execution if a user opens a malicious Office file. Excel for Mac and SharePoint Foundation and SharePoint Server 2013 could also be impacted.”

As always, security updates for Internet Explorer—and now for Microsoft Edge as well—should be treated as a high priority. There are often components of Internet Explorer security vulnerabilities that bleed into other areas of the Windows operating system and Microsoft applications and can put you at risk even if you don’t use Internet Explorer / Microsoft Edge as your primary browser.

Time to get patching!

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.