Patch Tuesday Report for April 14, 2015

April 14, 2015

It’s another Patch Tuesday, and today Microsoft released 11 bulletins, four rated Critical and seven rated Important, that address a total of 26 vulnerabilities. All four critical security updates resolve remote code execution (RCE) vulnerabilities. The associated KB articles have been published, and we want to give you a quick heads-up about what to expect for this patch cycle.

This month’s updates include a list of security fixes in a cumulative update for Internet Explorer, as well as an important patch for an Office exploit that is already being used in limited attacks in the wild. The Office update is worth applying immediately. Those with a cautious approach to updates might want to wait a few days to see whether any of this month’s crop cause problems.

Summary for Patch Tuesday April 14, 2015:

For Microsoft products, there are a total of eleven bulletins: four fix Remote Code Execution holes in Microsoft Windows, Office, Internet Explorer, and Microsoft Graphics Component; three address Elevation of Privilege in Microsoft Windows and SharePoint; one addresses a Denial of Service vulnerability in Windows Hyper-V; one addresses a Security Feature Bypass in XML Core Services; and two address Information Disclosure in Active Directory Federation Services (AD FS) and .NET Framework.

There are also security updates for Adobe Flash Player and Oracle Products such as Java, MySQL, and Oracle Fusion Middleware.


Bulletin ID: MS15-032

Cumulative Security Update for Internet Explorer (3038314)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Maximum Severity Rating and Vulnerability Impact: Critical, Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer 


Bulletin ID: MS15-033

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019)
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Maximum Severity Rating and Vulnerability Impact: Critical, Remote Code Execution
Restart Requirement: May Require Restart
Affected Software: Microsoft Office


Bulletin ID: MS15-034

Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system.
Maximum Severity Rating and Vulnerability Impact: Critical, Remote Code Execution
Restart Requirement: Requires Restart
Affected Software: Microsoft Windows


Bulletin ID: MS15-035

Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (3046306)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file. In all cases, however, an attacker would have no way to force users to take such actions; an attacker would have to convince users to do so, typically by way of enticements in email or Instant Messenger messages.
Maximum Severity Rating and Vulnerability Impact: Critical, Remote Code Execution
Restart Requirement: May Require Restart
Affected Software: Microsoft Windows


Bulletin ID: MS15-036

Vulnerabilities in Microsoft SharePoint Server Could Allow Elevation of Privilege (3052044)
This security update resolves vulnerabilities in Microsoft Office server and productivity software. The vulnerabilities could allow elevation of privilege if an attacker sends a specially crafted request to an affected SharePoint server. An attacker who successfully exploited the vulnerabilities could read content that the attacker is not authorized to read, use the victim’s identity to take actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the victim’s browser.
Maximum Severity Rating and Vulnerability Impact: Important, Elevation of Privilege
Restart Requirement: May Require Restart
Affected Software: Microsoft Server Software, Productivity Software


Bulletin ID: MS15-037

Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (3046269)
This security update resolves a vulnerability in Microsoft Windows. An attacker who successfully exploited the vulnerability could leverage a known invalid task to cause Task Scheduler to run a specially crafted application in the context of the System account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Maximum Severity Rating and Vulnerability Impact: Important, Elevation of Privilege
Restart Requirement: Does Not Require Restart
Affected Software: Microsoft Windows


Bulletin ID: MS15-038

Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3049576)
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. To exploit these vulnerabilities, an attacker would first have to log on to the system.
Maximum Severity Rating and Vulnerability Impact: Important, Elevation of Privilege
Restart Requirement: Requires Restart
Affected Software: Microsoft Windows


Bulletin ID: MS15-039

Vulnerability in XML Core Services Could Allow Security Feature Bypass (3046482)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if a user clicks a specially crafted link. In all cases, however, an attacker would have no way to force users to click a specially crafted link; an attacker would have to convince users to click the link, typically by way of an enticement in an email or Instant Messenger message.
Maximum Severity Rating and Vulnerability Impact: Important, Security Feature Bypass
Restart Requirement: May Require Restart
Affected Software: Microsoft Windows


Bulletin ID: MS15-040

Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3045711)
This security update resolves a vulnerability in Active Directory Federation Services (AD FS). The vulnerability could allow information disclosure if a user leaves their browser open after logging off from an application and an attacker reopens the application in the browser immediately after the user has logged off.
Maximum Severity Rating and Vulnerability Impact: Important, Information Disclosure
Restart Requirement: May Require Restart
Affected Software: Microsoft Windows


Bulletin ID: MS15-041

Vulnerability in .NET Framework Could Allow Information Disclosure (3048010) 
This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could allow information disclosure if an attacker sends a specially crafted web request to an affected server that has custom error messages disabled. An attacker who successfully exploited the vulnerability would be able to view parts of a web configuration file, which could expose sensitive information.
Maximum Severity Rating and Vulnerability Impact: Important, Information Disclosure
Restart Requirement: May Require Restart
Affected Software: Microsoft Windows, Microsoft .NET Framework


Bulletin ID: MS15-042

Vulnerability in Windows Hyper-V Could Allow Denial of Service (3047234) 
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an authenticated attacker runs a specially crafted application in a virtual machine (VM) session. Note that the denial of service does not allow an attacker to execute code or elevate user rights on other VMs running on the Hyper-V host; however, it could cause other VMs on the host to not be manageable in Virtual Machine Manager.
Maximum Severity Rating and Vulnerability Impact: Important, Denial of Service
Restart Requirement: Requires Restart
Affected Software: Microsoft Windows
