Patch Tuesday Tackles Browser Flaws Amid Another Adobe Zero-Day
Fixes for Edge and Internet Explorer, but admins warned to pay attention to serious Adobe Flash zero day
Microsoft has released its Patch Tuesday security update for June that contains 16 bulletins to tackle over 40 vulnerabilities with its software.
Internet Explorer, Edge, Windows, Exchange Server, and Office all receive Microsoft’s attention, but experts are warning system administrators to pay special attention to another zero-day flaw concerning Adobe Flash, which has yet to be patched.
DNS Server
The most interesting flaw for Qualys CTO Wolfgang Kandek concerns Windows DNS Server (MS16-071), which could allow for Remote Code Execution (RCE). He flagged this flaw as important to patch, as DNS is a core part of the IT infrastructure within many businesses.
“Successful exploitation yields the attacker Remote Code Execution (RCE) on the server, which is extremely worrisome on such a mission critical service such as DNS,” blogged Kandek. “Organisations that run their DNS server on the same machine as their Active Directory server need to be doubly aware of the danger of this vulnerability.”
But other pieces of Microsoft’s software are also vulnerable to RCE this month, the most important of which is MS16-070, which fixes a number of problems in Microsoft Office.
Microsoft’s Edge and Internet Explorer web browsers have also been patched. MS16-063 is for Internet Explorer, whilst MS16-068 is for Edge. MS16-069 meanwhile concerns Javascript on Windows Vista, which fixes a number of critical RCE vulnerabilities exploitable through simple web browsing.
“Don’t take off on that summer vacation just yet – Microsoft released another 16 security bulletins in today’s June Patch Tuesday and 5 of those are rated critical,” said Todd Schell at Heat Software.
“While there are quite a few updates to be made, both on the client and server side, across a broad range of legacy and current code, the good news is none of them are under active exploit,” said Schell. “To tackle the batch of needed June updates, you will likely want to start with the browsers.”
Adobe Zero Day
But a critical flaw with Adobe Flash is once again causing concern for security experts, especially as it is being actively exploited and a fix is not due out until Thursday.
“You will also want to pay close attention to another critical update, this time for Adobe Flash in APSA16-03,” said Heat’s Schell. “While not due out until June 16 according to the Security Incident Response Team, there are reports of active exploits for CVE-2016-4171. Windows, Mac, Linux and Chrome are all impacted.”
“…your primary attention should be on Adobe Flash,” warned Qualys’ Kandek. “Adobe has acknowledged that a vulnerability (CVE-2016-4171) in the current Flash player is being used in the wild and delayed the expected monthly Adobe Flash patch.”
“In their advisory APSA16-03 they promise the patch for the end of this week,” he said. “Pay close attention to the release and address as quickly as possible. If you have EMET on your systems you are protected. By the way, this is the third month in a row that we are seeing a 0-day in Flash, making it most certainly the most targeted software on your organisation’s endpoints.”
Are you a security pro? Try our quiz!