Microsoft today released its June Patch Tuesday updates, delivering a total of eight bulletins that address 45 unique vulnerabilities. The two updates marked "critical" -- one each for Internet Explorer and Windows Media Player vulnerabilities that could result in remote code execution -- are paired with six "important" updates affecting Microsoft Office, Windows and Exchange Server.
Wolfgang Kandek, CTO of Qualys, Inc., recommends addressing the IE issues as quickly as possible.
"All versions of IE and Windows are affected," Kandek wrote in a blog post. "Patch this first and fast."
Craig Young, a computer security researcher with Tripwire Inc.'s Vulnerability and Exposures Research Team, based in Portland, Ore., agrees.
"Apart from the normal fixes to prevent memory corruption bugs, the June bulletins mention two interesting pieces of information about Internet Explorer security. CVE-2015-1765 seems to be a flaw allowing malicious Web content to access a user's browsing history. Although an attacker could almost certainly read the browsing history after exploiting any of the other dozens of vulnerabilities plugged this month, it seems likely to me that the information disclosure is going to be more easily exploited than any memory corruption bug.
"The other interesting IE bug is tracked as CVE-2015-1756, a use-after-free vulnerability within the Microsoft Common Control subsystem," Young continued. "This flaw presents an interesting attack vector for going after researchers using the Internet Explorer Developer Tools to analyze a malicious or malfunctioning website."
Besides IE, Kandek also recommends prioritizing MS15-059, which addresses a vulnerability in all current versions of Microsoft Office (2007, 2010 and 2013).
"The attacker needs to trick the target into opening a malicious file with Word or any other Office tool and can then take control of the target's computer," said Kandek. "Microsoft rates this bulletin as 'important,' but nevertheless we make it one of our higher priority patches. The fact that one can achieve RCE -- plus the ease with which an attacker can convince the target to open an attached file through social engineering -- makes this a high-risk vulnerability."
Young's recommendations are in line with Kandek's assessment.
"In general, everyone will want to apply the Internet Explorer patch and Office patch on all workstations and servers as soon as possible," Young said.
Young also suggests Exchange administrators focus on MS15-064 if their business uses Exchange Web applications. This flaw, rated "important," could allow elevation of privilege if an authenticated user clicks a link to a specially crafted webpage.
The remaining critical bulletin, MS15-057, addresses a critical vulnerability in Windows Media Player that an attacker could trigger with a malicious media file; if a victim plays the file, the attacker could gain full control of the system.
Additional important bulletins fix vulnerabilities in Windows Kernel and Active Directory Federation Services.
Researchers also noticed a gap in Microsoft's list this month: MS15-058 is "apparently not ready to be released," said Kandek.
"The lingering question right now is what will fill MS15-058," said Tyler Reguly, manager of security research at Tripwire. "Right now, that bulletin only contains the text 'Content Placeholder.' That could be a game changer in patch prioritization after many enterprise security teams have already developed their game plan. It may also mean that Microsoft is preparing to pull the update for additional quality testing. We'll have to wait and see."
Adobe patch releases
Separately, Adobe Systems Inc. today released bulletin APSB15-11, providing security updates for thirteen critical vulnerabilities in its Flash Player that could potentially allow an attacker to take control of a target system.
Kandek suggests prioritizing this patch.
"Adobe Flash is often abused by attackers due to its flexibility and programming power," Kandek said, "so make this patch a high priority to fix. If you run Google Chrome or IE 10/11, you have a bit less work as these browsers take care of the Flash patching for you. For other browsers -- such as Firefox or Opera or Safari on the Mac -- install the Flash patch by hand."
Of the thirteen fixes, three address use-after-free vulnerabilities; three address same-origin-policy bypass issues; one improves memory address randomization of the Flash heap; and one each resolves a stack overflow, an integer overflow and a memory corruption vulnerability.
These updates apply to Windows, Macintosh and Linux systems. Adobe urges users to update to the latest version of its Flash software: 126.96.36.199 for Windows and Mac Desktop runtime users, 188.8.131.522 for users of Adobe Flash Player Extended Support Release and 184.108.40.2066 for Linux users. Adobe Flash on Google Chrome will automatically update to 220.127.116.11 on Windows and Linux, and 18.104.22.168 on Macintosh. Adobe Flash Player installed with Internet Explorer on Windows 8.x will automatically update to 22.214.171.124.
A number of versions of Adobe AIR are also vulnerable. The company recommends Adobe AIR Desktop Runtime users update to 126.96.36.199 on Mac and 188.8.131.52 on Windows; Adobe AIR SDK and AIR SDK & Compiler should update to 184.108.40.206 on Macintosh and 220.127.116.11 on Windows; and Adobe AIR for Android should update to 18.104.22.168.
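A practical follow-up to a version list like the one above is checking an endpoint inventory against the fixed builds, and the usual mistake is comparing version strings lexically. The following is an added example, not code from the article, from Adobe, or from Qualys or Tripwire: a small Python checker that compares installed Flash Player builds numerically, per release branch, and flags hosts that are behind or whose version could not be read. The FIXED_BUILDS values, the branch names and the sample inventory are constructed placeholders, not Adobe's actual build numbers.

```python
"""Check whether installed Flash Player builds are at or above the fixed build
for their release branch.

Added example, not code from the article, from Adobe or from Qualys/Tripwire.
The build numbers in FIXED_BUILDS are constructed placeholders; replace them
with the build numbers given in the vendor bulletin before use.
"""
from typing import Dict, List, Tuple

# Constructed placeholder table (NOT Adobe's real numbers): branch -> lowest
# build that contains the fix. The branch names mirror the article's three
# groups: desktop runtime, Extended Support Release, Linux.
FIXED_BUILDS: Dict[str, str] = {
    "desktop": "18.0.0.1",
    "esr": "13.0.0.1",
    "linux": "11.2.202.1",
}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'a.b.c.d' into an integer 4-tuple so comparison is numeric.

    Plain string comparison is wrong here: '9.0.0.5' > '18.0.0.1' as strings
    because '9' > '1', so a lexicographic check would pass an ancient build.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Flash version string: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def needs_patch(installed: str, branch: str) -> bool:
    """True if the installed build is older than the fixed build for its branch."""
    if branch not in FIXED_BUILDS:
        raise KeyError(f"unknown Flash branch: {branch!r}")
    return parse_version(installed) < parse_version(FIXED_BUILDS[branch])


def hosts_to_patch(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose (host, branch, installed_version) entry is behind.

    Hosts with an unparseable version are reported too: an unknown version
    should be treated as unpatched, not silently skipped.
    """
    behind: List[str] = []
    for host, branch, version in inventory:
        try:
            if needs_patch(version, branch):
                behind.append(host)
        except ValueError:
            behind.append(host)
    return behind


# Constructed sample inventory, in the shape an asset-management export might have.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "desktop", "18.0.0.1"),    # already at the fixed build
    ("ws-02", "desktop", "17.0.0.190"),  # older build: needs the update
    ("ws-03", "desktop", "9.0.0.5"),     # would pass a string compare; must not
    ("srv-04", "esr", "13.0.0.1"),       # ESR branch, already fixed
    ("lin-05", "linux", "11.2.202.0"),   # Linux branch, one build behind
    ("ws-06", "desktop", "unknown"),     # version query returned garbage
]

if __name__ == "__main__":
    for host in hosts_to_patch(SAMPLE_INVENTORY):
        print(f"{host}: Flash Player below fixed build")
```

The branch is passed in explicitly rather than inferred from the major version, so the checker does not depend on knowing which major numbers belong to which Adobe release train; whoever exports the inventory records the branch alongside the version.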
Adobe said it is not aware of any of these vulnerabilities being exploited in the wild.