This month’s baseline of updates may give a false sense of security as most of Microsoft’s updates are only ranked as Important, but of the six Important updates, half of them have a CVSS of 9.3, indicating these updates are actually very severe. But with so few updates in this month’s bulletin, the challenge of prioritising these shouldn’t be as much of an issue compared to previous months.
Whilst not specifically a Microsoft Bulletin, KB3035583 has been released in this patch update. It is a prerequisite for the Windows 10 “self-updating” mechanism, which will enable a user to upgrade to Windows 10 for free. This, of course, poses a risk for any company that cannot control the release of this patch. Installing this particular patch by accident can lead to users downloading and installing an unsupported operating system – before the IT department gets a chance to test that their builds are compatible.
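To see whether KB3035583 has already landed on the machines you manage (so it can be pulled from pilot hosts before a user triggers the upgrade), here is an added PowerShell check that is not part of the original post. It assumes you can reach the hosts over WMI/RPC; the hostnames PILOT-01 and PILOT-02 are placeholders.

```powershell
# Added example, not from the original post: report per host whether the
# Windows 10 upgrade prerequisite KB3035583 is installed.
# $Computers is an assumed list of hostnames; replace with your own.
function Get-Kb3035583Status {
    param([string[]]$Computers = @($env:COMPUTERNAME))

    foreach ($c in $Computers) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering on the target host;
            # filtering on HotFixID avoids the error -Id raises when absent.
            $fix = Get-HotFix -ComputerName $c -ErrorAction Stop |
                   Where-Object { $_.HotFixID -eq 'KB3035583' }

            [pscustomobject]@{
                Computer    = $c
                Status      = if ($fix) { 'Installed' } else { 'NotInstalled' }
                InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
            }
        } catch {
            # Any exception here means the host could not be queried at all.
            [pscustomobject]@{
                Computer    = $c
                Status      = "Unreachable: $($_.Exception.Message)"
                InstalledOn = $null
            }
        }
    }
}

# Placeholder hostnames; run against your own pilot group.
Get-Kb3035583Status -Computers 'PILOT-01', 'PILOT-02' | Format-Table -AutoSize
```

Hosts reporting Installed are the ones to review before the Windows 10 upgrade prompt reaches their users.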
Those of you with a hawk eye will have noticed that there is a patch update missing – MS15-058. As we’ve seen in the past, this could be for a number of reasons such as the patch not being stable or ready for release. There’s the possibility that it could be a severe vulnerability that would require an out-of-band patch later in the month. Only time will tell as to why it’s missing. For the meantime, let’s take a look at each vulnerability in a little more detail.
There are only two Critical updates this month according to Microsoft, but as I mentioned above there are in fact a total of five bulletins that are ranked very high [9.3] by US-Cert using CVSS scoring. With that in mind, I certainly would make the first two updates of this month the first patches you install.
Similar to previous months, the first patch update is a cumulative update for Internet Explorer, fixing a total of 20 separate vulnerabilities. I’m sure it doesn’t come as a surprise that the most severe of these vulnerabilities could allow remote code execution – an attacker could take full control of a system, creating new user accounts with full admin rights. Patch MS15-056 first, ask questions later (well, once you’ve tested the patch before rolling it out).
The second Critical update is for Windows Media Player and, again, could allow remote code execution. MS15-057 is quite interesting in that it’s not often you see Media Player in the spotlight. Whilst only one vulnerability is being fixed compared to the 20 for Internet Explorer, there’s still just as much reason to make sure you get this update installed.
The first of the Important updates is for Microsoft Office. MS15-059 covers two separate vulnerabilities that could allow remote code execution. US-Cert doesn’t see this as any less critical than the two updates above, but Microsoft does. I’d always side with US-Cert, in part because they are independently checking the updates whereas Microsoft is essentially self-certifying, but also because it really is better to be safe than sorry in these situations.
The second Important update and fourth update with a 9.3 CVSS, MS15-060, fixes Microsoft Common Controls vulnerabilities. A common control is a ‘child window’ that an application uses in conjunction with other windows to enable interaction with the user. The vulnerabilities being fixed can, once more, allow for remote code execution if a user opens a specially crafted Office file.
MS15-061 is the first patch update not scoring 9.3 on the CVSS scale; its score of 7.2 still reflects that the vulnerability, which exists in the Windows Kernel-Mode drivers, should be a concern. The other updates missing out on a 9.3 are MS15-062 and MS15-064, each scored at 5.0. All three patch updates fix issues that could allow elevation of privilege.
The final patch for June, MS15-063 fixes an issue in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker places a malicious .dll file in a local directory on the machine or on a network share. An attacker would then have to wait for a user to run a program that can load a malicious .dll file, resulting in elevation of privilege. However, in all cases an attacker would have no way to force a user to visit such a network share or website.
Below you’ll find this month’s patch updates ordered by how you should prioritise them according to US-Cert’s independent CVSS ratings. This month is relatively light so the roll out of the patches should be relatively straightforward and painless. Of course, it’s always pertinent to examine the patches and push them through testing before you roll them out across your IT estate, just in case there are compatibility issues.