October’s Patch Tuesday has come and gone, giving companies another set of Microsoft updates. According to CSO Online, this month is light overall, with only six security bulletins and no quality of life (QoL) improvements. But half of the bulletins are marked as critical and handle remote code exploits in Internet Explorer (IE), Edge, VBScript, Windows Shell and Office. And while many companies put off Tuesday installs until Microsoft works out the bugs, experts are warning this is one to deploy ASAP — better to have no treats than big security tricks.

What’s in the Bag?

As noted by Computerworld, the new patch addresses three critical problems: MS15-106, MS15-108 and MS15-109. First up is 106, which deals with memory handling vulnerabilities in MS Explorer. Fourteen memory issues with security permissions for JScript and VBScript in memory are targeted by the patch for IE 7 through IE 11. If left unpatched and exploited, these vulnerabilities could lead to remote code execution attacks. In the same vein as 106 is 108, which deals with four memory problems in Script and VBScript specifically and could also lead to remote code execution.

Last but not least is 109, which targets two privately reported vulnerabilities related to memory corruption and tablet component memory allocation issues. The other three updates are marked important and include fixes for Windows Edge, Office and the Windows Kernel. While some experts are hesitant about applying the kernel patch for fear of breaking more than gets fixed, the balance here favors immediately updating rather than waiting for the next iteration.

Patch Tuesday Encounters the Patch Problem

According to Tech Week Europe, 2015 set the record for the most bulletins released in a calendar year — and there are still two Patch Tuesday updates left. Although the newest crop of updates are higher priority than those in previous months, it’s no wonder some businesses are experiencing a kind of patch fatigue, which sees them habitually ignoring updates because the system is more or less working as intended.

But consider the recent problems of carmaker Volkswagen, which was hit by a firestorm of controversy after it was discovered the manufacturer’s emissions testing devices weren’t playing fair. While software patches alone handled some 30,000 of the issues, another 400,000 aren’t so easy to fix.

Put simply, the problem got away from VW; what could have been a quick fix turned into a massive public relations nightmare. The same goes for companies that hold off on critical patches and updates. At first, problems are rare or minor, and the threat of system-breaking fixes outweighs the benefit of closing security loopholes. Over time, however, small holes become big problems, and companies can find themselves stuck on the wrong side of the patch divide trying to find a way across.

October 2015 marks a big month for Microsoft: 111 bulletins were already released, compared to 2013’s previous high of 106 for the entire year. And while companies might be forgiven for thinking that this particular six-issue patch is more trick than treat, it’s worth applying before fall is in full swing and ghouls and ghosts come out to play. The numbers may be higher, but the threats aren’t just smoke and shadows: It’s better to be protected now than playing catch-up later.

More from

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

LastPass Breaches Cast Doubt on Password Manager Safety

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers.A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords for…

The Role of Finance Departments in Cybersecurity

Consumers are becoming more aware of the data companies collect about them, and place high importance on data security and privacy. Though consumers aren’t aware of every data breach, they are justifiably concerned about what happens to the data companies collect. A recent study of consumer views on data privacy and security revealed consumers are more careful about sharing data. The majority of respondents (87%) say they wouldn’t do business with companies that appear to have weak security. Study participants also…

The One Place IT Budget Cuts Can’t Touch: Cybersecurity

If IT spending is slowing, will business leaders follow a similar approach for cybersecurity budgets? Probably not. Gartner predicts that end-user spending on both security technology and services will see an annual growth rate of 11% over the next four years. And the market is anticipated to reach $267.3 billion in 2026. Many security professionals agree that security spending cuts aren’t likely. Given the current threat landscape, strong security has quickly become a business imperative. Security has become the highest…