Most of the critical RCE fixes are in the Internet Explorer memory corruption bugs and a Microsoft Office use-after-free
Microsoft released 11 Security Bulletins (MS15-032 through MS15-042) today, addressing over 25 CVE-identified vulnerabilities for April 2015. Critical vulnerabilities are fixed in Internet Explorer, Microsoft Office, and the network and graphics stacks. Most of the critical remote code execution (RCE) vulnerabilities reside in the IE memory corruption bugs, which affect all versions of Internet Explorer (6 through 11), and in the Microsoft Office use-after-free. Updated: almost all of them appear to be the result of private discoveries, at least 24 of the 25. The exception is the Office vulnerability CVE-2015-1641, about which Microsoft states that it “is aware of limited attacks that attempt to exploit this vulnerability”.
The Microsoft Office CVE-2015-1649 use-after-free is a critical RCE affecting a variety of software and scenarios. The vulnerable code exists in the desktop versions Word 2007 and Word 2010, in the Word Viewer and in the Office Compatibility Pack, but not in Word 2013 or Word for Mac. It is also a critical RCE on the server side, in Word Automation Services on SharePoint Server 2010 and in Microsoft Office Web Apps Server 2010, but not in SharePoint 2013 or Office Web Apps 2013.
As the new Verizon 2015 Data Breach Investigations Report, also released today, highlights, many of the exploits currently effective against targets abuse vulnerabilities that were patched long ago. By Verizon’s figures, many of the CVEs exploited on compromised hosts had been published more than a year earlier. Microsoft provides Windows Update to keep its software current, and Kaspersky products include vulnerability scanners that help keep all of your software up to date, Microsoft’s included. Please patch as soon as possible.
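One way to turn the “patch asap” advice above into a check you can run on a host. This is an added example, not code from the original post or from Kaspersky; it assumes a Windows machine with PowerShell and the Windows Update Agent (WUA) COM API, which is the same engine Windows Update uses to decide what is missing. It lists the updates WUA still considers applicable but not installed, with their MSRC severity and bulletin IDs, and flags any that were published more than a year ago, which is exactly the population the DBIR figures describe.

```powershell
# Added example (not from the original post). Assumes a Windows host with the
# Windows Update Agent COM API; no third-party modules are needed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Ask WUA for applicable software updates that are neither installed nor hidden.
# This queries Microsoft Update online by default and can take a few minutes.
$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$missing = $result.Updates | ForEach-Object {
    $u = $_   # keep a handle on the outer update while nested pipelines run
    [pscustomobject]@{
        Released  = $u.LastDeploymentChangeTime
        Severity  = $u.MsrcSeverity                     # Critical/Important/...; empty for non-security updates
        Bulletins = @($u.SecurityBulletinIDs) -join ','  # e.g. MS15-0xx when the update is a security bulletin
        KBs       = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title     = $u.Title
    }
}

$missing | Sort-Object Released | Format-Table -AutoSize

# Anything older than a year is the case the DBIR numbers warn about.
$cutoff = (Get-Date).AddYears(-1)
$stale  = @($missing | Where-Object { $_.Released -lt $cutoff })
if ($stale.Count -gt 0) {
    Write-Warning ("{0} missing update(s) were published over a year ago" -f $stale.Count)
}

# Cross-check against what has actually landed on the box: Get-HotFix reads
# Win32_QuickFixEngineering, so a KB listed here is installed, not just downloaded.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

The WUA search does not require administrator rights, but installing what it reports does. Comparing the two lists is also the quickest way to spot a host where updates keep showing as available even though the installed-hotfix list says they are present; in that state the update has usually been downloaded but not committed, and a second pass through Windows Update (or a reboot) is needed before the host is actually patched.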
Among the heap of vulnerabilities and fixes rated “Important”, the Hyper-V denial-of-service issue affects the newest Microsoft platform code: Windows 8.1 64-bit and Windows Server 2012 R2, including the Server Core installation, which is fairly unusual. The flawed code has not been found to enable elevation of privilege (EoP) into other VMs on the Hyper-V host, but an attacked Hyper-V host may lose the ability to manage any of its VMs in Virtual Machine Manager.
Microsoft Security Updates April 2015
Evelyn
After reading your article I am extremely about the vulnerability of Microsoft Office 2007 and 2010. My desktop computer with MS Office 2010 was recently hacked. 98% of all my hard work has been stripped from my computer, including my recently started 2014 Tax Returns, which I had intended to complete a couple of days later.
This episode started on 4/1/2025. I could load a simple program and saw an icon on the desktop labeled “Driver Update”, which I accessed and installed. The nightmare began and is ongoing. None of my programs that were loaded from “trusted software programs” have completely vanished. My resumes that I was using to apply for employment have also vanished. I FEEL AS THOUGH I HAVE BEEN EVICTED FROM PLANET EARTH. I have Kaspersky 3.0 installed and it scans my computer regularly, as well as Microsoft. Why did this happen? What is a girl to do? Based on the damage that has been done I believe that I am not the lonely ranger. I am mad as hell. We are exposed to so many vulnerabilities that it is atrocious. Right now I do not have the funds to repair these issues. I am using an older laptop computer in the meantime. Isn’t there anything that you bright engineers can do to help the rest of us? Thanks for reading this.
mr x
Emm, don’t run random things that websites say will fix your computer. Antivirus software is only as good as its user at not falling for social engineering (a site says you need it, the user runs it, the PC gets messed up). The problem is that you may not understand what “trusted software programs” is.
Recommended: Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit alongside Kaspersky, but I strongly recommend a quad-core CPU system and at least 4GB of RAM (Kaspersky is a bit heavy on the CPU).
Or just do not run random things that sites say you need, or click on random links that even trusted people send you (they tend to be the most untrusted people, as they open it, mess their system up, and it auto-spams that bad link out to everyone).
daryl whitlock
I downloaded all the updates you mention yesterday, but progressively my computer ran worse, to the point of being non-responsive, necessitating a system restore. Now all the updates have “reappeared as available”, though the log shows them as installed.
I would appreciate direction on how to proceed. Also, I tried to update Flash Player, but Windows (IE9) is preventing it. Any info would be helpful as to how to proceed. Microsoft tech support was only interested in selling me more services rather than explaining how your own products and updates have affected me. Thank you.