Microsoft Patch Tuesday, June 2016

June's Patch Tuesday doesn't hold many surprises and is similar to the past several months with 17 bulletins and 36 unique CVEs in Microsoft products as well as an additional 37 CVEs patched in Adobe Flash. Six of these bulletins are ranked as Critical while the other eleven are rated Important.

On the Critical list, Internet Explorer and Edge are back as always they always are, but the ten vulnerabilities in IE and the eight patched in Edge pale in comparison to previous months and years. One of the Critical bulletins in the Microsoft DNS server could be bad if an exploit is released publicly. The same goes for the Critical Office bulletin that is likely to be reused in social engineering attacks if an exploit is made public.

The biggest hit this month isn't even in a Microsoft product, but in Adobe Flash. Since Flash is embedded in Microsoft's IE and Edge browsers, Microsoft started including Adobe patches as a part of their own patch cycle in April. Last month 17 Critical vulnerabilities were patched in Flash and this month that count hits 37, more than all of the Microsoft vulnerabilities combined. Over the past two years, Flash has retained title of the most vulnerable and exploited piece of software installed on most systems. if you can't uninstall Flash completely I highly recommend a "click to play" Flash plugin. These are available for most web browsers and allow the user to choose what Flash content they want to see.

MS16-063
CVE-2016-0199, CVE-2016-0200, CVE-2016-3202, CVE-2016-3205, CVE-2016-3206, CVE-2016-3207, CVE-2016-3210, CVE-2016-3211, CVE-2016-3212, CVE-2016-3213
Critical
Cumulative Security Update for Internet Explorer

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.


MS16-068
CVE-2016-3198, CVE-2016-3199, CVE-2016-3201, CVE-2016-3202, CVE-2016-3203, CVE-2016-3214, CVE-2016-3215, CVE-2016-3222
Critical
Cumulative Security Update for Microsoft Edge

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

MS16-069
CVE-2016-3205, CVE-2016-3206, CVE-2016-3207
Critical
Cumulative Security Update for Jscript and VBScript

This security update resolves vulnerabilities in the JScript and VBScript scripting engines in Microsoft Windows. The vulnerabilities could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for affected versions of the JScript and VBScript scripting engines on supported releases of Windows Vista, and Moderate on Windows Server 2008 and Windows Server 2008 R2.

MS16-070
CVE-2016-0025, CVE-2016-3233, CVE-2016-3234, CVE-2016-3235
Critical
Security Update for Microsoft Office

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

See full Microsoft bulletin for affected versions of Microsoft Office.

MS16-071
CVE-2016-3227
Critical
Security Update for Microsoft Windows DNS Server

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server.

This security update is rated Critical for all supported releases of Windows Server 2012 and Windows Server 2012 R2

MS16-072
CVE-2016-3223
Important
Security Update for Group Policy

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.

This security update is rated Important for all supported releases of Microsoft Windows.

MS16-073
CVE-2016-3218, CVE-2016-3221, CVE-2016-3232
Important
Security Update for Windows Kernel Mode Drivers

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

This security update is rated Important for all supported releases of Microsoft Windows.

MS16-074
CVE-2016-3216, CVE-2016-3219, CVE-2016-3220
Important
Security Update for Microsoft Graphics Component

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if a user opens a specially crafted document or visits a specially crafted website.

This security update is rated Important for all supported releases of Microsoft Windows.

MS16-075
CVE-2016-3225
Important
Security Update for Windows SMB Server

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application.

This security update is rated Important for all supported releases of Microsoft Windows.

MS16-076
CVE-2016-3228
Important
Security Update for Netlogon

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to a domain controller (DC) on a target network runs a specially crafted application to establish a secure channel to the DC as a replica domain controller.

This security update is rated Important for all supported editions of Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

MS16-077
CVE-2016-3213, CVE-2016-3236
Important
Security Update for Web Proxy Autodiscovery (WPAD)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process on a target system. To exploit the vulnerability, an attacker could respond to NetBIOS name requests for WPAD. The update addresses the vulnerability by correcting how Windows handles proxy discovery.

This security update is rated Important for all supported releases of Microsoft Windows.


MS16-078
CVE-2016-3231
Important
Security Update for Windows Diagnostic Hub

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

This security update is rated Important for all supported editions of Microsoft Windows 10.

MS16-079
CVE-2016-0028
Important
Security Update for Microsoft Exchange

This security update resolves vulnerabilites in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted image URL in an Outlook Web Access (OWA) message that is loaded, without warning or filtering, from the attacker-controlled URL.

An email filter bypass exists in the way that Microsoft Exchange parses HTML messages that could allow information disclosure. An attacker who successfully exploited the vulnerability could identify, fingerprint, and track a user online if the user views email messages using Outlook Web Access (OWA). An attacker could also combine this vulnerability with another one, such as a Cross-Site Request Forgery (CSRF), to amplify the attack.

To exploit the vulnerability, an attacker could include specially crafted image URLs in OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems. The update corrects the way that Exchange parses HTML messages.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, and Microsoft Exchange Server 2016.

MS16-080
CVE-2016-3201, CVE-2016-3203, CVE-2016-3215
Important
Security Update for Microsoft Windows PDF

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted .pdf file. An attacker who successfully exploited the vulnerabilities could cause arbitrary code to execute in the context of the current user. However, an attacker would have no way to force a user to open a specially crafted .pdf file.

This security update is rated Important for all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows 10.

MS16-081
CVE-2016-3226
Important
Security Update for Active Directory

This security update resolves a vulnerability in Active Directory. The vulnerability could allow denial of service if an authenticated attacker creates multiple machine accounts. To exploit the vulnerability an attacker must have an account that has privileges to join machines to the domain.

This security update is rated Important for all supported editions of Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

MS16-082
CVE-2016-3230
Important
Security Update for Microsoft Windows StructuredQuery Component

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker logs on to a target system and runs a specially crafted application.

This security update is rated Important for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

MS16-083
CVE-2016-4121, CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4126, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135, CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140, CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166
Critical
Security Update for Adobe Flash Player

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.