Microsoft releases June patch targeting 34 flaws
Microsoft today released 10 fixes in its June security update, with three deemed "critical" and seven considered "important" to patch.
The June patch addresses 34 vulnerabilities — the most seen so far this year. Remote code execution (RCE) exploit considerations continue to be a prominent theme with this and other Microsoft patch releases. Six of the total patches are designed to plug RCE flaws. Meanwhile, three elevation-of-privilege fixes and one tampering risk make up the remainder of the June slate.
The systems affected by these patches include Windows, Microsoft Office, Internet Explorer and Internet Information Services. Also, with today's release, Microsoft will be closing out two security advisories. They include Security Advisory 983438 regarding a cross-site scripting vulnerability in SharePoint Server and Security Advisory 980088 that describes an information disclosure vulnerability in Internet Explorer.
"The crew in Redmond is kicking off the summer strong by fixing 34 vulnerabilities," said Rapid7 Security Researcher Josh Abraham. "One possible reason is that they foresee that next month they will be busy fixing vulnerabilities that are being released this summer at Black Hat/Defcon, as well as allocating resources to handle the transition of customers off of the versions of Windows that they are no longer supporting, which includes Windows 2000 and Windows XP SP2."
The fixes for the three critical vulnerabilities affect all Windows operating systems, including Windows 7. They should receive "top priority" from IT pros and Windows users, Microsoft recommends.
The first critical item resolves two privately reported vulnerabilities in Windows associated with vulnerabilities in media decompression programs. Microsoft is patching a handful of media products again this month, delivering hotfixes to ward off threats from video and audio files that could contain malware. Such patching follows a general trend. Microsoft patched DirectShow in February of this year and issued many patches to both DirectShow and GDI all through 2009. This item addresses every supported Windows OS.
Critical item No. 2 addresses two vulnerabilities that could allow remote code execution if a user views a specially crafted Web page that "instantiates a specific ActiveX control with Internet Explorer," Microsoft explained in the patch notes.
The third and final critical item affects Internet Explorer, covering IE versions 5.01, 6, 7 and 8 sitting on every Windows operating system currently in circulation. This fix resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in IE.
Andrew Storms, director of security operations at nCircle, said that in general, whenever Microsoft patches IE, it's the top priority to deploy the fix. He added that this rule-of-thumb approach is "doubly true" this month.
"Along with patching a previously disclosed bug, Microsoft is patching a number of other critical security issues in IE this month, including their Pwn2Own bug from CanSec West," he said. "Critical bugs are still being found in IE 8 and Windows 7, but they are harder to exploit because of Microsoft's mitigation technologies. The underlying bugs are still there, but IE protected mode, Windows DEP and ASLR make them much far less attractive to hackers."
The first important item covers every supported Windows OS and resolves three bugs in the Windows kernel-mode drivers.
The second important item touches Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, 2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2. This bulletin deals with weaknesses in COM validations in Microsoft Office files. The patch is designed to fix a bug that could allow remote code execution if a user opens a specially crafted Excel, Word, Visio, Publisher or PowerPoint file with an affected version of Microsoft Office.
Important item No. 3 affects every supported OS and resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver.
The fourth important item covers the spreadsheet program Excel in Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, 2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2. Also, Excel running on the Mac OS is covered under this patch.
This bulletin is particularly unique because it addresses a staggering 14 privately reported vulnerabilities in Microsoft Office.
Important item No. 5 addresses vulnerabilities in Microsoft SharePoint. Among the three vulnerabilities to be patched, one is a cross-site scripting flaw that Microsoft described earlier in a security advisory issued at the end of April. Overall, this bulletin touches Windows SharePoint Services 3.0 Service Pack 1 and Microsoft Windows SharePoint Services 3.0 Service Pack 2.
The sixth important patch is another Windows patch affecting every OS except Windows 2000 and Windows XP. It addresses the frequently patched Internet Information Services (IIS) Web server application. The vulnerability in question here could allow an RCE attack "if a user received a specially crafted HTTP request," Microsoft explained.
The seventh and last important patch addresses a vulnerability in Microsoft .NET Framework. Microsoft describes the flaw as a "tampering" vulnerability that affects every supported Windows OS version.
All patches may require a restart.
Meanwhile, IT pros that actually still have time to look at nonsecurity updates from Microsoft can find them in this Knowledge Base article.
Abraham of Rapid7 and other security experts advise Windows enterprise customers to start reviewing their IT environments. They should access their management systems and verify that all Windows XP-based devices have been upgraded to Service Pack 3 and that all Windows 2000 devices have been replaced or removed from the network.
"The most critical area of weakness for many organizations is third-party devices that are still using these operating systems," Abraham said. "For these systems, customers will need to contact the vendor and verify the upgrade process."
Jabulani Leffall is a journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.