It's 2015 and hackers can hijack your Windows PC if you watch a web video
IE, Media Player, Office, and more, fixed in this month's security patch batch
Microsoft has released the June edition of its Update (neé Patch) Tuesday security update dump.
This month's bundle includes eight security bulletins, two rated "critical" and six rated "important." Users and administrators are advised to test (if necessary) and install the updates as soon as possible to prevent attacks.
- MS15-056 A cumulative patch for Internet Explorer versions 6-11. It addresses 24 CVE-listed security flaws. Rated "critical" for remote code execution risks, but Windows Server installations are considered a lower risk as IE is rarely used with those systems. Discovery was credited to 16 researchers, including members of the HP ZeroDay Initiative, NSFOCUS Security Team and Palo Alto Networks.
- MS15-057 A Windows update to address a single flaw in Media Player for Windows Vista and 7 and Windows Server 2003 through 2008 R2. Opening a web page that plays a maliciously crafted video will trigger the bug, which can be exploited to hijack the PC. The bulletin is rated "critical" for remote code execution. Microsoft credited someone called bilou in spotting the vulnerability.
- MS15-059 This buletin addresses three CVE-listed vulnerabilities in Microsoft Office Compatibility Pack Service Pack 3, Office 2010, 2013, and 2013 RT. Remote code execution is possible, but the bulletin is only rated "important" as the user would need to manually open a maliciously crafted Office file. Discovery was credited to Ben Hawkes of Google Project Zero and Yong Chuan Koh of MWR Labs.
- MS15-060 A remote code execution flaw in the Microsoft Common Controls component for Windows Vista and later and Windows Server 2008 and later. Clicking on a malicious link and invoking the F12 Developer Tools in Internet Explorer will trigger the bug. The bulletin has been rated as "important" for all versions.
- MS15-061 A total of 11 CVE-listed vulnerabilities in the kernel-mode drivers for all Windows systems from Vista and Server 2003 and later. The bulletin is rated as "important" for information disclosure, denial of service and elevation of privilege risks. Microsoft credited researchers Guo Pengfei of Qihoo 360, KK of Tencent's Xuanwu LAB, Nils Sommer of bytegeist and Google Project Zero, Maxim Golovkin of Kaspersky Lab and the enSilo Research Team for spotting the vulnerabilities.
- MS15-062 An elevation of privilege vulnerability in the Active Directory Federation Services component for Windows Server 2008, 2008 R2, and 2012. Rated "important." Discovery credited to John Hollenberger and Tate Hansen from FishNet Security.
- MS15-063 An elevation of privilege vulnerability in the Windows kernel. The vulnerability applies to Windows Vista and later and Windows Server 2008 and later. The bulletin is rated as "important" and replaces MS14-019. Discovery was credited to Takashi Yoshikawa of Mitsui Bussan of Secure Directions, Inc.
- MS15-064 Three elevation of privilege vulnerabilities in Exchange Server 2013. Rated "important."
Infosec biz Shavlik's Chris Goettl told The Reg today that there seems to be at least one patch missing from Tuesday's batch.
"June patches are just releasing and there is a placeholder, but currently there is no MS15-058 bulletin, which is interesting," Goettl said. "We will have to wait and see if anything comes of this, such as an out of band or a late drop."
Adobe is also releasing a scheduled security update. Their patch addresses 13 CVE-listed vulnerabilities in Flash Player for Windows, OS X and Linux systems. The update is being listed as a top priority for all three platforms. Users running AIR Desktop Runtime, AIR SDK and AIR for Android should also update, though those are considered to be a lower risk. ®