Internet Explorer (IE) – also available in Windows 10 as an app under Windows Accessories – could allow remote code execution if a user views a specially crafted webpage.
IE is generally the default browser on all Windows desktops and servers apart from Windows 10, which defaults to the new Edge browser, which is not affected.
Microsoft has acknowledged FireEye, HP, Trend Micro, and Verisign for discovering the flaw.
In its main patch release for October, it also released two other patches, MS15-108 and MS15-109, that addressed critical remote code execution vulnerabilities in JScript and VBScript, and a security update for Windows Shell to address remote code execution.
Users of earlier Windows versions should go to Windows Update and check – these versions allowed for manual checking and installation.
For Windows 10, patches are usually automatically enabled. Users can check this by going to Start, Settings, Update and Security, then selecting Windows Update and checking for updates. If this screen does not read “Available Updates will be downloaded and installed automatically”, you are advised to select the Advanced Option and enable this security feature.
Some media delighted in using headlines like ‘Be very afraid’ and similar. The fact is that Microsoft’s cloud-based auto-update system allows it to download patches as quickly as they are available.
Let’s look at a bit of history - from modern to ancient.
Windows 10 has 35 known vulnerabilities – the vast majority are not critical. All have been patched via auto-updates without fanfare or fever-pitched Windows 10 bashing. Sure, more will be found over its lifetime.
Windows 8.1 had 175 vulnerabilities. Windows 8 had 227. I would point out that these two operating systems were launched in the Ballmer era when by ‘hook or by crook’ a touch solution was to be launched in a difficult period. It is said that Microsoft gets it right on the third attempt – that is W10.
Windows 7 had 486 vulnerabilities yet it is still considered the most stable desktop made. The issue here is that many users elected not to enable auto-updates. In corporate use, many sys admins turned auto-update off in order to assess the potential impact of patches that come out regularly on ‘Patch Tuesday’. But they have far stronger security measures to counter attack – or should have.
Windows Vista actually only had 73 vulnerabilities – it was a radical change from XP and paved the way for Windows 7.
Windows 10 is safer, but you should still run a commercial paid program with safe surfing and anti-phishing capabilities like Norton Security et al. These generally protect better than free programs.
Apple Mac users should not throw stones – the platform has had hundreds of vulnerabilities that Apple has fixed.
In the end, it all depends on whether the vulnerabilities are actually exploited by cyber-criminals. Quick action by Microsoft stopped that.