Microsoft released 16 security bulletins for June, five of which are rated critical for remote code execution (RCE) vulnerabilities. Even the MSRC team doesn’t seem too excited over this month’s patches, as the entire Patch Tuesday announcement is a mere three sentences.
FYI: You should be keeping an eye out for the Adobe Flash Player patch, as Adobe issued a security advisory warning of a Flash exploit being used in the wild for targeted attacks. The fix for Flash is expected to be released on Thursday, June 16.
MS16-063 is the monthly cumulative fix for Internet Explorer.
MS16-068 is the cumulative security update for Edge.
MS16-069 is the cumulative patch for Jscript and VBScript.
Qualys CTO Wolfgang Kandek advised deploying the three patches listed above within the next seven days, since they represent “a favorite attack vector” for cyber thugs.
MS16-070 closes holes in Microsoft Office. The most troublesome vulnerability, according to Kandek, is “CVE-2016-0025 in Microsoft Word RTF format, which yields RCE for the attacker. Since RTF can be used to attack through Outlook’s preview pane, the flaw can be triggered with a simple email without user interaction.”
MS16-071 resolves a vulnerability in Windows, specifically Windows DNS Server. Kandek called this “the most interesting vulnerability.” He added, “Successful exploitation yields the attacker remote code execution on the server, which is extremely worrisome on such a mission-critical service such as DNS. Organizations that run their DNS server on the same machine as their Active Directory server need to be doubly aware of the danger of this vulnerability.”
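Kandek’s point about DNS co-located with Active Directory is an inventory question: which domain controllers are also answering DNS, and have they received the fix? The script below is an added example, not part of the article or of any Microsoft tooling. It assumes the RSAT ActiveDirectory module, Windows 8.1/Server 2012 R2 or later for Test-NetConnection, and it uses a placeholder KB id because the article does not give the KB number that corresponds to MS16-071.

```powershell
# Added example (not from the article): list domain controllers that also answer on TCP/53,
# the "DNS server on the same machine as Active Directory" case called out for MS16-071,
# and whether the bulletin's update is installed on each.
Import-Module ActiveDirectory

# PLACEHOLDER: replace with the KB id listed in the MS16-071 bulletin for your OS version.
$Ms16071Kb = 'KBnnnnnnn'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Does this DC accept DNS connections? (TCP/53 check; UDP is not probed here)
    $dns = Test-NetConnection -ComputerName $dc.HostName -Port 53 -WarningAction SilentlyContinue

    # Query installed updates on the DC; a failure (RPC blocked, etc.) is reported as "unknown"
    $patched = try {
        [bool](Get-HotFix -Id $Ms16071Kb -ComputerName $dc.HostName -ErrorAction Stop)
    } catch { 'unknown' }

    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        AnswersDns       = $dns.TcpTestSucceeded
        Ms16071Installed = $patched
    }
}

# DCs that both serve DNS and are not confirmed patched go to the top of the list
$report | Sort-Object AnswersDns, Ms16071Installed -Descending | Format-Table -AutoSize
```

Run it from a workstation with RSAT as an account that can read AD and query hotfixes remotely; rows with AnswersDns set to True and Ms16071Installed not set to True are the machines where an unpatched DNS RCE would land on a domain controller.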
The biggest batch of “important” patches is meant to resolve elevation of privilege flaws, although two address RCE bugs, which is where we’ll start.
The EoP fixes include:
MS16-072 is a security update for Windows Group Policy. Microsoft wrote, “The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.”
MS16-073 closes three holes in Windows kernel-mode drivers; two are Win32k EoP bugs, which are a result of the kernel-mode driver failing to properly handle objects in memory. The third is an information disclosure flaw that “exists when Windows Virtual PCI virtual service provider (VSP) fails to properly handle uninitialized memory.”
MS16-074 addresses bugs in Microsoft Graphics Component. Microsoft lists three specific vulnerabilities: two for EoP and one for information disclosure.
MS16-075 resolves a flaw in Windows SMB Server by “correcting how Windows Server Message Block (SMB) Server handles credential forwarding requests.” Please note that Microsoft warned this vulnerability has been publicly disclosed, but it has not yet been exploited.
MS16-077 addresses vulnerabilities in Windows that could allow EoP “if the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process on a target system.”
MS16-078 is the fix for a vulnerability in Windows Diagnostic Hub. The patch corrects “how the Windows Diagnostics Hub Standard Collector Service sanitizes input to help preclude unintended elevated system privileges.”
MS16-079 addresses vulnerabilities in Microsoft Exchange Server that allow information disclosure “if an attacker sends a specially crafted image URL in an Outlook Web Access (OWA) message that is loaded, without warning or filtering, from the attacker-controlled URL.”
Denial of Service:
MS16-081 patches a flaw in Active Directory that could allow denial of service “if an authenticated attacker creates multiple machine accounts. To exploit the vulnerability, an attacker must have an account that has privileges to join machines to the domain.”
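The precondition Microsoft states for MS16-081, an account allowed to join machines to the domain, is something any authenticated user has by default through the ms-DS-MachineAccountQuota attribute (default value 10). The script below is an added example, not from the article or from Microsoft; it assumes the RSAT ActiveDirectory module and uses an arbitrary reporting threshold. It reads the quota and then groups computer objects by the mS-DS-CreatorSID attribute, which AD stamps on machine accounts created by non-admin users under that quota, so a single account that has created many machine accounts stands out.

```powershell
# Added example (not from the article): audit the control behind MS16-081's precondition
# and surface accounts that have created an unusual number of machine accounts.
Import-Module ActiveDirectory

$Threshold = 5   # arbitrary reporting cutoff; tune to your environment

$domain = Get-ADDomain
# ms-DS-MachineAccountQuota: how many machines an ordinary authenticated user may join.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
          -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota (0 disables self-service joins)"

# mS-DS-CreatorSID is only set on computer objects created under the quota, i.e. by users
# who are not otherwise permitted to create computer objects.
$computers = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' }

# Normalise the creator SID to a string whether the module returns bytes or a SID object
$byCreator = $computers | Group-Object {
    $raw = $_.'mS-DS-CreatorSID'
    if ($raw -is [byte[]]) {
        (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    } else {
        $raw.Value
    }
}

foreach ($g in $byCreator | Where-Object Count -ge $Threshold | Sort-Object Count -Descending) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($g.Name)
    # Resolve to a name where possible; deleted accounts keep the raw SID
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $g.Name }

    $sorted = $g.Group | Sort-Object whenCreated
    [pscustomobject]@{
        Creator       = $who
        Computers     = $g.Count
        OldestCreated = $sorted[0].whenCreated
        NewestCreated = $sorted[-1].whenCreated
    }
}
```

A burst of machine accounts from one creator in a short window is the pattern described in the bulletin; lowering the quota to 0 and delegating joins to a dedicated group removes the default ability for every user to create machine accounts, independently of the patch.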
MS16-082 applies a fix to a vulnerability in Windows Search Component. It has been publicly disclosed, although Microsoft said it is not currently being exploited.
That’s it for the first Patch Tuesday of the summer. Happy patching!