Microsoft has released 14 security fixes as part of its latest Patch Tuesday release, including updates for its recently released Windows 10 platform, as well as old favourites Internet Explorer (IE), Office and Silverlight.
Four of the updates are marked 'critical', while the remaining 10 are marked 'important'. However, Microsoft urges users to update all the affected software immediately.
"An attacker who successfully exploited these vulnerabilities could gain the same rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights," said the advisory.
This flaw could allow a hacker to install programs, delete files or create new accounts with full user rights.
"Systems where Microsoft Edge is used frequently, such as workstations or terminal servers, are at the most risk from these vulnerabilities," Microsoft added.
Meanwhile, the MS15-081 patch is a critical update for several vulnerabilities in Microsoft Office, affecting Office 2007, 2010, 2013 and Office for Mac 2011 and 2016. The flaws allow remote code execution if a user is tricked into opening a specially crafted file via an email or web-based attack.
"In an email attack an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file," Microsoft said.
"In a web-based attack an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerabilities."
The 'critical' MS15-080 patch resolves vulnerabilities in Microsoft Windows, .NET Framework, Office, Lync and Silverlight.
"The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted web page that contains embedded TrueType or OpenType fonts," said the advisory.
MS15-079 fixes security flaws in IE, the most severe of which could allow remote code execution if a user is directed to a malicious web page using the browser.
This security update is rated 'critical' for all versions of IE, and the advisory explains that a hacker could target the user with malware and adware.
The remaining 10 patches, all classified as 'important', contain fixes for Windows, Office and IE.
One update, MS15-085, addresses a bug in Mount Manager that could allow an elevation of privilege for attackers using a malicious USB stick.
"Microsoft has reason to believe that this vulnerability has been used in targeted attacks against customers," said the advisory.
Karl Sigler, threat intelligence manager at security firm Trustwave, explained that Windows 10 "fared rather well" in comparison with the rest of the software included in the batch of patches.
"Several of the bulletins that affect all other supported releases of Microsoft Windows don't include Windows 10. Of course, some of those patches could have been 'pre-baked' into Windows 10 before release last month," he said.
"The successor to IE patches four vulnerabilities, the most critical of which could result in remote code execution. Hopefully, the browser won't start following its predecessor's track record of dominating the patch cycle every month."
Microsoft issued a critical 'out of band' security update for Windows last month after a vulnerability was discovered following the Hacking Team data leak.