Microsoft fixes critical flaws in Internet Explorer and Office

sincity · April 16, 2015

Microsoft has patched four critical vulnerabilities that could have allowed attackers to carry out a remote code execution.

The fix was included in the latest "Update Tuesday" concerns vulnerabilities in Internet Explorer, Microsoft Office, Microsoft Graphics and HTTPS.sys that needed immediate patching.

The HTTP.sys patch repairs a flaw in Windows that would have allowed a remote code execution if an attacker sent a specially created HTTP request to an affected Windows system.

The Internet Explorer patch, meanwhile, closed a potential loophole for remote code executions built into specially crafted webpages. If successful the attacker would have gained same user rights from the website viewer, potentially a disastrous threat for those with admin rights.

Lastly, Microsoft fixed a Office vulnerability that could allow a remote code execution if the user opened a custom-built Microsoft Office file. Open a nefarious file would allow an attacker to run arbitrary code in the context of the current user and potentially gain access to admin rights.

Smaller fixes too

The final critical update concerns Microsoft Graphics where a remote code execution could have infected systems if the user visited a specially crafted website, opened a specific file or browsed to a directory containing a specialised Enhanced Metafile (EMF) image file. In this case, Microsoft stated that attackers wouldn't have been able to force users to do so and instead would have to persuade them via instant messages or emails.

Microsoft also issued various less critical fixes for Sharepoint Server, Task Scheduler and Windows that prevent attackers from compromising user accounts and applying changes. Another pair of patches fix disclosure flaws in Active Directory Federation Services and the .NET Framework whereas the final two patches repair problems in both Windows Hyper-V and XML Core Services.