October 15, 2015 By Douglas Bonderud 2 min read

October’s Patch Tuesday has come and gone, giving companies another set of Microsoft updates. According to CSO Online, this month is light overall, with only six security bulletins and no quality of life (QoL) improvements. But half of the bulletins are marked as critical and handle remote code exploits in Internet Explorer (IE), Edge, VBScript, Windows Shell and Office. And while many companies put off Tuesday installs until Microsoft works out the bugs, experts are warning this is one to deploy ASAP — better to have no treats than big security tricks.

What’s in the Bag?

As noted by Computerworld, the new patch addresses three critical problems: MS15-106, MS15-108 and MS15-109. First up is 106, which deals with memory handling vulnerabilities in MS Explorer. Fourteen memory issues with security permissions for JScript and VBScript in memory are targeted by the patch for IE 7 through IE 11. If left unpatched and exploited, these vulnerabilities could lead to remote code execution attacks. In the same vein as 106 is 108, which deals with four memory problems in Script and VBScript specifically and could also lead to remote code execution.

Last but not least is 109, which targets two privately reported vulnerabilities related to memory corruption and tablet component memory allocation issues. The other three updates are marked important and include fixes for Windows Edge, Office and the Windows Kernel. While some experts are hesitant about applying the kernel patch for fear of breaking more than gets fixed, the balance here favors immediately updating rather than waiting for the next iteration.

Patch Tuesday Encounters the Patch Problem

According to Tech Week Europe, 2015 set the record for the most bulletins released in a calendar year — and there are still two Patch Tuesday updates left. Although the newest crop of updates are higher priority than those in previous months, it’s no wonder some businesses are experiencing a kind of patch fatigue, which sees them habitually ignoring updates because the system is more or less working as intended.

But consider the recent problems of carmaker Volkswagen, which was hit by a firestorm of controversy after it was discovered the manufacturer’s emissions testing devices weren’t playing fair. While software patches alone handled some 30,000 of the issues, another 400,000 aren’t so easy to fix.

Put simply, the problem got away from VW; what could have been a quick fix turned into a massive public relations nightmare. The same goes for companies that hold off on critical patches and updates. At first, problems are rare or minor, and the threat of system-breaking fixes outweighs the benefit of closing security loopholes. Over time, however, small holes become big problems, and companies can find themselves stuck on the wrong side of the patch divide trying to find a way across.

October 2015 marks a big month for Microsoft: 111 bulletins were already released, compared to 2013’s previous high of 106 for the entire year. And while companies might be forgiven for thinking that this particular six-issue patch is more trick than treat, it’s worth applying before fall is in full swing and ghouls and ghosts come out to play. The numbers may be higher, but the threats aren’t just smoke and shadows: It’s better to be protected now than playing catch-up later.

More from

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts are…

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today