Like an elderly Eskimo unable to keep up with the group, Microsoft has placed their last Patch Tuesday Security Advisory on the proverbial ice floe and pushed it out to sea (it may soon be joined by Flash). The pending Windows 10 release slated for the end of July will introduce a new method for rolling out Microsoft security updates, mimicking device update cycles and pivoting to “Windows as a Service.”
Speaking at Microsoft’s Worldwide Partner Conference, the head of the Windows and Device Group Terry Myerson said, “We’re going to let consumers opt into what we’re calling ‘rings.’ Some consumers just want to go first. And we have consumers that say, ‘I’m okay not being first.’” The “rings” Myerson refers to signify the speed with which you’ll receive updates: fast for those who can update immediately; slow for those who want code more tested by time.
Microsoft will have (at least) two rings for Current Branch (CB)—the update track generally geared toward Windows 10 Home users. Windows 10 Pro and Enterprise users will also likely have (at least) two rings in Current Branch for Business (CBB). Additionally there is a Windows Insider track (with however many rings, bells, and whistles) for early, early adopters. Between the various branches and rings and their staggered releases, it all comes out to a 16-month active lifespan for one build.
Naturally, there are more questions than answers on how this will all play out. Are there other rings? Do they have a Tron-esque glow of an alternate arcade game universe? Will Microsoft continue their woodland branding scheme with patching nymphs? Rolling updates and letting customers decide their update practice sounds like a good idea, but, like any change, it’s sure to send shockwaves through an industry that has grown accustomed to the monthly cycle.
So without further ado: your final fix.
Pure, uncut patch info
Microsoft has released 14 security bulletins in its July Security Advisory, including four critical patches that fix remote code execution flaws.
The hard stuff
MS15-065 contains fixes for 28 Internet Explorer flaws. The most severe vulnerabilities could allow remote code execution via specially crafted webpages in IE, giving the attacker the same user rights as the current user.
MS15-065 also contains a patch for CVE-2015-2425, which has been publicly disclosed and exploited. This vulnerability was likely included in the Hacking Team data leak, which disclosed a number of previously unreported vulnerabilities. No mitigating factors or workarounds are available for this vulnerability or the majority in MS15-065. So patch—patch now.
MS15-066 is the next critical bulletin, fixing a VBScript memory corruption vulnerability (CVE-2015-2372). MS15-067 resolves a Windows vulnerability (CVE-2015-2373) that could be exploited if the Remote Desktop Protocol (RDP) server service is enabled, which it is not by default. A successful exploit could result in denial of service, or an attacker could gain complete control of the affected system.
The last of the critical bulletins, MS15-068, contains patches for flaws in Windows Hyper-V. Vulnerabilities CVE-2015-2361 and CVE-2015-2362 could allow “remote code execution in a host context if a specially crafted application is run by an authenticated and privileged user on a guest virtual machine hosted by Hyper-V.” Another qualifying factor to this exploit is the attacker “must have valid login credentials for a guest virtual machine.”
Something a little mellower
MS15-058, mysteriously absent from last month’s Patch Tuesday, has emerged in the July security update, fixing SQL Server flaws. The vulnerabilities could allow elevation of privileges (CVE-2015-1761) or remote code execution (CVE-2015-1762 and CVE-2015-1763).
MS15-069 and MS15-070 also contain fixes for remote code execution vulnerabilities rated as important. One Microsoft Office memory corruption vulnerability (CVE-2015-2424) has been exploited in the wild but is not known to be publicly disclosed.
Other important bulletins contain patches for vulnerabilities which could allow elevation of privilege. MS15-077 patches a Windows vulnerability (CVE-2015-2387) by correcting memory object handling in Adobe Type Manager Font Driver (ATMFD). Microsoft stated it “was aware of limited, targeted attacks that attempt to exploit this vulnerability.” A workaround is also available.