Update 2: Microsoft released a critical bulletin, MS15-078, for a font problem that affects all versions of Windows and allows Remote Code Execution. Microsoft credits Google’s Project Zero, FireEye and Trend Micro. Trend Micro indicates that the vulnerability came out of the HackingTeam data breach. Google’s entry for the bug indicates that they are aware of exploit code available in the wild, which explains Microsoft’s out-of-band release. Patch as quickly as possible.
Update: Oracle’s July 2015 Critical Patch Update (CPU) fixes the 0-day vulnerability CVE-2015-2590 in Java reported by Trend Micro. We recommend treating this patch with high priority. Note: if you think you cannot use the new Java release because your applications require old versions, have you looked at Oracle’s Deployment Rule Sets?
Original: When we started preparing internally for July’s Patch Tuesday, we debated what the biggest issue of the month would be. Two parties emerged: we were split down the middle between the end-of-life of Windows Server 2003 and the mystery vulnerability MS15-058 that Microsoft did not release last month. Well, it turns out both parties were wrong: the biggest issues this month are the multiple 0-days in Adobe Flash.