Patch Tuesday June 2016

It is Patch Tuesday June 2016, and Microsoft is coming out with 16 bulletins bringing fixing over 40 distinct vulnerabilities (CVEs). It brings up the half-year total to 81 which projects to a total of over 160 bulletins for 2016, a new record in terms of patches for the last decade.

But your primary attention should be on Adobe Flash. Adobe has acknowledged that a vulnerability (CVE-2016-4171) in the current Flash player is being used in the wild and delayed the expected monthly Adobe Flash patch.  In their advisory APSA16-03 they promise the  patch for the end of this week. Pay close attention to the release and address as quickly as possible. If you have EMET on your systems you are protected. By the way, this is the third month in a row that we are seeing a 0-day in Flash, making it most certainly the most targeted software on your organization’s endpoints.

Otherwise, there is a mix of client side and server side bulletins this month, so the whole IT team will have a workload this week to secure their systems.

The most interesting vulnerability on the server side is addressed in MS16-071. It fixes a single critical vulnerability in Microsoft’s DNS server. Successful exploitation yields the attacker Remote Code Execution (RCE) on the server, which is extremely worrisome on such a mission critical service such as DNS. Organizations that run their DNS server on the same machine as their Active Directory server need to be doubly aware of the danger of this vulnerability.

On the client side the most important vulnerability is addressed in MS16-070, which fixes a number of problems in Microsoft Office. The most important vulnerability here is CVE-2016-0025 in Microsoft Word RTF format, which yields RCE for the attacker. Since RTF can be used to attack through Outlook’s preview pane, the flaw is can be triggered with a simple e-mail without user interaction.

On the web browser side MS16-063 for Internet Explorer, MS16-068 for Edge and MS16-069 for Javascript on Windows Vista attend to a number of critical RCE vulnerabilities exploitable through simple web browsing. These vulnerabilities represent a favorite attack vector for cyber criminals and we recommend to address them with the next 7 days.

The remaining vulnerabilities are all rated important and typically can be used to elevate privileges once one has gained code execution on the machine, so they would be used in concert with a remote code execution as described above. The exception is MS16-076 which addresses a single flaw in Windows Netlogon that can provide RCE to the attacker – its severity is lower than for a normal RCE vulnerability because it requires that the attacker control the active directory server already.

There are two more vulnerabilities on the server side that are rated “important”:

• An elevation of privilege on the SMB server component in MS16-075
• A flaw in Microsoft Exchange in MS16-079 also resulting in elevation of privilege, some resulting from the Oracle Patch in their Outside-in library.

Overall this is a normal Patch Tuesday with one known 0-day, so special urgency monitoring for the upcoming Flash update. Patch the remainder according to your normal priorities, but pay special attention to the DNS server vulnerability as it is bound to attract some unwanted attention.