Microsoft have released 8 "critical" updates in the June edition of it's "update Tuesday".
Many of these patches should be implemented ASAP to avoid hackers compromising your computer. Certain vulnerabilities have been rectified which could see an intruder take control of your PC just by watching a video in Media Player...
The fact that these type of vulnerabilities are still being discovered and patched highlights the need for regimented updating of Windows PCs and Servers.
- MS15-056 A cumulative patch for Internet Explorer versions 6-11. It addresses 24 CVE-listed security flaws. Rated "critical" for remote code execution risks, but Windows Server installations are considered a lower risk as IE is rarely used with those systems. Discovery was credited to 16 researchers, including members of the HP ZeroDay Initiative, NSFOCUS Security Team and Palo Alto Networks.
- MS15-057 A Windows update to address a single flaw in Media Player for Windows Vista and 7 and Windows Server 2003 through 2008 R2. Opening a web page that plays a maliciously crafted video will trigger the bug, which can be exploited to hijack the PC. The bulletin is rated "critical" for remote code execution. Microsoft credited someone called bilou in spotting the vulnerability.
- MS15-059 This buletin addresses three CVE-listed vulnerabilities in Microsoft Office Compatibility Pack Service Pack 3, Office 2010, 2013, and 2013 RT. Remote code execution is possible, but the bulletin is only rated "important" as the user would need to manually open a maliciously crafted Office file. Discovery was credited to Ben Hawkes of Google Project Zero and Yong Chuan Koh of MWR Labs.
- MS15-060 A remote code execution flaw in the Microsoft Common Controls component for Windows Vista and later and Windows Server 2008 and later. Clicking on a malicious link and invoking the F12 Developer Tools in Internet Explorer will trigger the bug. The bulletin has been rated as "important" for all versions.
- MS15-061 A total of 11 CVE-listed vulnerabilities in the kernel-mode drivers for all Windows systems from Vista and Server 2003 and later. The bulletin is rated as "important" for information disclosure, denial of service and elevation of privilege risks. Microsoft credited researchers Guo Pengfei of Qihoo 360, KK of Tencent's Xuanwu LAB, Nils Sommer of bytegeist and Google Project Zero, Maxim Golovkin of Kaspersky Lab and the enSilo Research Team for spotting the vulnerabilities.
- MS15-062 An elevation of privilege vulnerability in the Active Directory Federation Services component for Windows Server 2008, 2008 R2, and 2012. Rated "important." Discovery credited to John Hollenberger and Tate Hansen from FishNet Security.
- MS15-063 An elevation of privilege vulnerability in the Windows kernel. The vulnerability applies to Windows Vista and later and Windows Server 2008 and later. The bulletin is rated as "important" and replaces MS14-019. Discovery was credited to Takashi Yoshikawa of Mitsui Bussan of Secure Directions, Inc.
- MS15-064 Three elevation of privilege vulnerabilities in Exchange Server 2013. Rated "important."
If you'd like more information, or help with the patching (or automation of) your computers or servers, please get in touch.