Microsoft June Patch Tuesday Fixes 44 Vulnerabilities

[RV_]

I do my updates as soon as they are available manually and rarely read the after reviews. No issues with 8 systems updated. ( I finally sold one of the four tablets/computers I had for sale.) There is also a Flash update out today Thursday that can be had manually for Windows 7 and Vista folks, and for Windows 10/8.1/8 just do Windows updates again.

 

The updates were sent out last Tuesday, June 14, the second Tuesday of the month and fixed 44 vulnerabilities.

 

The details are below but the short version for those who don't like Techy Talk, do the updates soonest if you have not already. Windows 8 up are automatic for security updates, and the updates on Windows Vista and 7 can be done manually or refused.

 

Excerpt:

 

"Microsoft pushed out 16 bulletins on Tuesday addressing 44 different vulnerabilities in its software, including Windows, Exchange Server, Office, Edge, and Internet Explorer.

 

Five of the bulletins have been branded critical because each vulnerability associated with them could be used to carry out remote code execution; the remaining 11 are marked important.

 

According to experts, one of the more concerning critical fixes involves a use after free vulnerability that affects Microsoft Windows DNS server for Windows Server 2012 and 2012 R2. If an attacker sent a specially crafted request to a DNS server, they could convince it to run arbitrary code, Microsoft’s advisory warns.

 

“Organizations that run their DNS server on the same machine as their Active Directory server need to be doubly aware of the danger of this vulnerability,” Wolfgang Kandek, CTO at Qualys, warned Tuesday afternoon.

 

Microsoft fixed the issue by modifying how the servers handle requests. Users should update but since most Windows DNS servers don’t face the internet and most admins use them for internal traffic the issue shouldn’t be an immediate concern.

 

Another critical issue, MS16-070, affects Microsoft Office and could allow an attacker to run arbitrary code and take control of an affected system if the user was logged on with admin rights. An attacker could trigger an exploit merely by sending a Microsoft Word RTF file to a user. Microsoft acknowledges the preview pane is an attack vector and that the flaw could be triggered with a simple e-mail without user interaction.

 

If for some reason users can’t apply the patches for MS16-070 right away, as a workaround, Microsoft is encouraging users to use Office’s File Block policy to prevent Office from opening .RTF documents from unknown or untrusted sources.

 

Two more of the critical bulletins, cumulative security updates for Microsoft’s browsers Internet Explorer and Edge, address multiple remote code execution vulnerabilities.

 

In Edge, the browser’s Content Security Policy fails to properly validate some documents and the Chakra JavaScript engine has difficulty rendering when it handles objects in memory. According to Microsoft’s advisory a few vulnerabilities also exist with regard to how Edge parses .PDF files.

 

The Internet Explorer fixes mostly pertain to memory corruption vulnerabilities, especially in engines like JScript 9, JScript, and VBScript."

 

For the whole article on Threatpost, and links to related stories go here: https://threatpost.com/microsoft-june-patch-tuesday-fixes-44-vulnerabilities/118664/