Microsoft Patch Tuesday March 2015 Continued

( @ ZDNET) This month's Patch Tuesday was not supposed to be one of the biggest in recent memory, but it is, with 14 separate security-related updates going out via Microsoft's update channels. All but two of the updates are for Windows. (Depending on your OS, you'll find a large number of non-security-related updates as well. More details on those when I get them.)

Five updates (four for Windows and one for Office) are rated Critical. The remaining nine are rated Important, all for Windows except for a lone Exchange Server patch.

Two of the fixes are for vulnerabilities that have already been publicly disclosed. The good news for Microsoft's Security Response team is that they've cleared all open issues from the Google Project Zero list.

Here's a rundown of the security-related updates in this month's super-sized collection.

MS15-018 is a Cumulative Security Update that addresses an even dozen vulnerabilities and affects all supported versions of Internet Explorer. It includes the fix for a cross-site scripting vulnerabilitythat was publicly disclosed prior to February's Patch Tuesday but didn't make last month's fixes . Another fix is in response to a memory corruption vulnerability that has also been publicly disclosed, although the official CVE page hasn't yet been updated with details.

MS15-019 repairs a scripting vulnerability in some older Windows versions; it doesn't affect Windows 7 and later desktop versions or the equivalent server versions, Windows Server 2012 and 2012 R2.

 

MS15-020 fixes a flaw in the way Microsoft Text Services handles objects in memory and how Microsoft Windows handles the loading of DLL files. MS15-021 addresses an issue with the Adobe Font Driver. Both vulnerabilities could theoretically allow remote code execution, although Microsoft's summaries say that possibility is unlikely.

MS15-022 applies to all supported Microsoft Office versions (2007, 2010, and 2013), as well as the server-based Office Web Apps and SharePoint Server products. It fixes three known vulnerabilities in Office document formats as well as multiple cross-site scripting issues for SharePoint Server. The worst outcome allows remote code execution.

Eight of the remaining nine updates affect Microsoft Windows, with the exception being a fix for an issue in Microsoft Exchange Server.

One update resolves a problem with Windows Task Schedulerthat could allow a local user to bypass file access controls and run privileged executables. Another fixes a possible denial of service issue that only affects systems where Remote Desktop Protocol (RDP) is enabled. (By default, RDP is off on all Windows versions.)

And then there's MS15-031, which fixes the widely publicized (and cross-platform) Schannel vulnerability, more popularly known as the FREAK technique . This update (for all Windows versions) means Microsoft and Apple platforms are secured, while vulnerable Android versions have yet to be patched.

Systems with Internet Explorer 11 (which includes all Windows 8.1 installations) are also receiving an update to the built-in Flash Player code. The security issues fixed by this update are addressed in a separate bulletin, not yet available from Adobe.

In addition to the large number of security-related updates, you'll find a large number of Recommended updates. On a Windows 8.1 installation, I counted 16 separate updates, most of them small. As is customary (and frustrating), most of the associated Knowledge Base articles that explain the reason for each fix were not available hours after the updates themselves appeared on Windows Update.

Bottom line: Make sure you restart your computers and workstations this morning.