Microsoft’s June security update includes 16 bulletins, five rated critical and the rest important. Thankfully, all’s quiet on the Adobe front.
Just kidding – there’s a zero-day Flash vulnerability for the third month in a row.
CVE-2016-4171 affects the current version of Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Chrome OS, and could cause a crash and potentially allow an attacker to take control of the affected system. Adobe's advisory confirms the flaw is being exploited in targeted attacks and says it will be addressed in the June Flash Player update, expected by the end of the week.
The critical updates to focus on from Microsoft are MS16-070 and MS16-071. The latter patches a Windows DNS Server vulnerability (CVE-2016-3227) that could allow remote code execution if an attacker sends specially crafted requests to the DNS server. The update is rated critical for Windows Server 2012 and 2012 R2, and the flaw is especially dangerous in environments where the DNS Server role and the Active Directory domain controller run on the same machine, since code execution in the DNS service then lands directly on the domain controller.
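A quick way to find the servers that matter most for MS16-071 is to list hosts running both the DNS Server role and AD DS and check whether the update is installed. The script below is an added example, not from the original post or from Microsoft; it assumes WinRM is enabled on the targets and that the update's KB number is 3164065 (adjust `$Kb` if your bulletin lists a different one).

```powershell
# Added example (not from the original post): flag domain controllers that also run
# the DNS Server role and have not yet received MS16-071.
# Assumption: the MS16-071 update installs as KB3164065; override -Kb if yours differs.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$Kb = 'KB3164065'
)

foreach ($c in $ComputerName) {
    # Which of the two roles are installed on this host (needs WinRM for remote hosts)
    $roles = Invoke-Command -ComputerName $c -ScriptBlock {
        Import-Module ServerManager
        Get-WindowsFeature -Name DNS, AD-Domain-Services |
            Where-Object Installed |
            Select-Object -ExpandProperty Name
    }
    $hasDns = $roles -contains 'DNS'
    $isDc   = $roles -contains 'AD-Domain-Services'

    # Get-HotFix queries Win32_QuickFixEngineering; absence of the KB means not patched
    $patched = [bool](Get-HotFix -Id $Kb -ComputerName $c -ErrorAction SilentlyContinue)

    if ($hasDns -and $isDc -and -not $patched) {
        $risk = 'HIGH: unpatched DNS Server on a domain controller'
    } elseif ($hasDns -and -not $patched) {
        $risk = 'Patch DNS Server'
    } else {
        $risk = 'OK'
    }

    [pscustomobject]@{
        Computer         = $c
        DnsRole          = $hasDns
        DomainController = $isDc
        Patched          = $patched
        Risk             = $risk
    }
}
```

Run it with `.\Check-Ms16071.ps1 -ComputerName dc1, dc2, dns1` from an account that can query the targets. Treat the KB lookup as triage only: a host patched later through a cumulative rollup may not show the individual KB, so confirm the DNS Server binary version against the bulletin before closing the finding.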
The Microsoft Office update (MS16-070) covers several versions of Office as well as SharePoint Server 2010 and 2013, Office Web Apps 2010 and 2013 and Office Online Server. Microsoft notes that the Outlook Preview Pane is an attack vector for CVE-2016-0025, so exploitation does not require the user to open the email or click anything in its contents.
MS16-068 resolves remote code execution flaws in Microsoft Edge and is rated critical for Edge on Windows 10. The cumulative update fixes eight vulnerabilities, covering security feature bypass, memory corruption and information disclosure issues as well as RCE.
MS16-069 addresses three RCE vulnerabilities in the JScript and VBScript scripting engines; it is rated critical on supported Windows Vista releases and moderate on Windows Server 2008 and 2008 R2. The update changes how the scripting engines handle objects in memory.
Other items to note from Microsoft: three updates rated important – MS16-075, MS16-077 and MS16-082 – address vulnerabilities that were publicly disclosed before the fix shipped. MS16-076 fixes a Windows Netlogon vulnerability that could allow RCE, but only if the attacker already has control of an Active Directory domain controller. Oh, and they bought LinkedIn.