Sergey Nivens - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Adobe Flash zero-day overshadows June 2016 Microsoft Patch Tuesday

Microsoft's June 2016 Patch Tuesday release is not the most important of the day according to experts, instead another Adobe Flash zero-day vulnerability gets the spotlight.

The second Tuesday of the month is reserved for Microsoft's Patch Tuesday releases and the Adobe patch release. Usually, the breadth of Microsoft products means at least one of those patches will be seen as the most important, but this month experts put an Adobe Flash zero-day vulnerability at the top of enterprise patch priorities.

In a security advisory for the vulnerability, Adobe described a Flash zero-day flaw that could "cause a crash and potentially allow an attacker to take control of the affected system," though Adobe claimed there have only been "limited, targeted attacks." However, Adobe will not be releasing a patch for this Flash Player zero-day until the end of this week.

Wolfgang Kandek, CTO at Qualys, said this patch should be the primary focus for IT administrators.

"Pay close attention to the release and address as quickly as possible," Kandek wrote in his blog. "By the way, this is the third month in a row that we are seeing a zero-day in Flash, making it most certainly the most targeted software on your organization's endpoints."

Tyler Reguly, manager of the Tripwire vulnerability and exposure research team (VERT), noted that "since Microsoft now releases security bulletins for Flash updates, we should expect to see an out-of-band bulletin later this month. Administrators should be aware of this and preparing for a potential rapid response to limit potential exploitation of this vulnerability."

Adobe also posted three security bulletins describing patches for Adobe DNG SDK, Adobe Brackets, Adobe Creative Cloud and Adobe ColdFusion. All of the vulnerabilities received Adobe's lowest rating except that for ColdFusion, which was described as being an "elevated risk" despite there being no evidence of an exploit in the wild.

On the Microsoft side of this June 2016 Patch Tuesday, there were 16 bulletins today, five of which were rated critical; the coming Flash zero-day patch is also expected to be a critical bulletin when it is released. The 16 Microsoft bulletins cover 44 total vulnerabilities, only 36 of which were unique.

MS16-063 and MS16-068 were the cumulative patch bulletins for Internet Explorer and Edge browser, respectively, and should always be at the top of the patch priority list along with MS16-069, which addressed critical vulnerabilities in the JavaScript and VBScript scripting engines in Windows. Kandek said "these vulnerabilities represent a favorite attack vector for cybercriminals."

Beyond those bulletins, Kandek suggested that the most important server side vulnerability is addressed by MS16-071, which targets a critical vulnerability in Microsoft's DNS server and can allow remote code execution (RCE) if an attacker sends specially crafted requests to a DNS server.

Kandek said this "is extremely worrisome on such a mission-critical service such as DNS. Organizations that run their DNS server on the same machine as their Active Directory server need to be doubly aware of the danger of this vulnerability."

On the client side, Kandek said the most important vulnerability was found in bulletin MS16-070, which gathered fixes for a number of problems in Microsoft Office.

"The most important vulnerability here is CVE-2016-0025 in Microsoft Word RTF format, which yields RCE for the attacker," Kandek wrote. "Since RTF can be used to attack through Outlook's preview pane, the flaw is can be triggered with a simple e-mail without user interaction."

As far as the remaining bulletins, all rated as important, Reguly suggested administrators take note of MS16-077 because the elevation of privilege vulnerability in the Web Proxy Auto Discovery (WPAD) protocol looks to be the same as in a bulletin posted by US-CERT in May.

"This concept has been discussed in the past but is coming back to light now due to the generic top level domain (gTLD) program. This has created hundreds of new top level domains that may match previously used internal domain names," Reguly said. "This means that a WPAD query for proxy settings could possibly reach out to an external server, allowing an attacker to dictate proxy settings and man-in-the-middle your connection. If you're unsure of the gTLDs available and the domain name configured on your hosts, this is a critical patch to apply."

Reguly also found interest in MS16-075 and MS16-076, which are bulletins for an elevation of privilege vulnerability in the Windows SMB server and an RCE vulnerability in Netlogon, respectively.

Reguly said these bulletins "share a security update for the server platforms."

"This means one less patch to install in those environments," Reguly said. "It also addresses a couple of interesting vulnerabilities, particularly with MS16-075. The ability to forward authentication from one service to another is a particularly nasty flaw; however, Microsoft has indicated that the attacker must have authenticated access to the system, mitigating some of the risk."

Rounding out the remaining bulletins, there are updates for Windows Group Policy (MS16-072), Kernel-Mode Drivers (MS16-073), Microsoft Graphics component (MS16-074) and Windows Diagnostics Hub (MS16-078) that handle elevation of privilege vulnerabilities; updates for Active Directory (MS16-081) and Windows Search (MS16-082) to remediate denial of service flaws; a patch for an information disclosure bug in the Microsoft Exchange Server (MS16-079); and, a fix for an RCE issue in how Windows handles PDFs (MS16-080).

All of these bulletins should be handled during the normal course of patch processing.

Next Steps

Catch up on the May 2016 Patch Tuesday news.

Learn more about a Flash zero-day used in foreign ministry attacks.

Find out how the Angler exploit kit and Flash zero-days make malvertising more effective.

Dig Deeper on Microsoft Patch Tuesday and patch management