Microsoft releases June patch targeting 34 flaws

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Jabulani Leffall
 

Connecting state and local government leaders

By Jabulani Leffall

|

Microsoft today released 10 fixes in its June security update, with three deemed "critical" and seven considered "important" to patch.

Microsoft today released 10 fixes in its June security update, with three deemed "critical" and seven considered "important" to patch.

The June patch addresses 34 vulnerabilities — the most seen so far this year. Remote code execution (RCE) exploit considerations continue to be a prominent theme with this and other Microsoft patch releases. Six of the total patches are designed to plug RCE flaws. Meanwhile, three elevation-of-privilege fixes and one tampering risk make up the remainder of the June slate.

The systems affected by these patches include Windows, Microsoft Office, Internet Explorer and Internet Information Services. Also, with today's release, Microsoft will be closing out two security advisories. They include Security Advisory 983438 regarding a cross-site scripting vulnerability in SharePoint Server and Security Advisory 980088 that describes an information disclosure vulnerability in Internet Explorer.

"The crew in Redmond is kicking off the summer strong by fixing 34 vulnerabilities," said Rapid7 Security Researcher Josh Abraham. "One possible reason is that they foresee that next month they will be busy fixing vulnerabilities that are being released this summer at Black Hat/Defcon, as well as allocating resources to handle the transition of customers off of the versions of Windows that they are no longer supporting, which includes Windows 2000 and Windows XP SP2."

Critical Fixes

The fixes for the three critical vulnerabilities affect all Windows operating systems, including Windows 7. They should receive "top priority" from IT pros and Windows users, Microsoft recommends.

The first critical item resolves two privately reported vulnerabilities in Windows associated with vulnerabilities in media decompression programs. Microsoft is patching a handful of media products again this month, delivering hotfixes to ward off threats from video and audio files that could contain malware. Such patching follows a general trend. Microsoft patched DirectShow in February of this year and issued many patches to both DirectShow and GDI all through 2009. This item addresses every supported Windows OS.

Critical item No. 2 addresses two vulnerabilities that could allow remote code execution if a user views a specially crafted Web page that "instantiates a specific ActiveX control with Internet Explorer," Microsoft explained in the patch notes.

The third and final critical item affects Internet Explorer, covering IE versions 5.01, 6, 7 and 8 sitting on every Windows operating system currently in circulation. This fix resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in IE.

Andrew Storms, director of security operations at nCircle, said that in general, whenever Microsoft patches IE, it's the top priority to deploy the fix. He added that this rule-of-thumb approach is "doubly true" this month.

"Along with patching a previously disclosed bug, Microsoft is patching a number of other critical security issues in IE this month, including their Pwn2Own bug from CanSec West," he said. "Critical bugs are still being found in IE 8 and Windows 7, but they are harder to exploit because of Microsoft's mitigation technologies. The underlying bugs are still there, but IE protected mode, Windows DEP and ASLR make them much far less attractive to hackers."

Important Fixes

The first important item covers every supported Windows OS and resolves three bugs in the Windows kernel-mode drivers.

The second important item touches Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, 2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2. This bulletin deals with weaknesses in COM validations in Microsoft Office files. The patch is designed to fix a bug that could allow remote code execution if a user opens a specially crafted Excel, Word, Visio, Publisher or PowerPoint file with an affected version of Microsoft Office.

Important item No. 3 affects every supported OS and resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver.

The fourth important item covers the spreadsheet program Excel in Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, 2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2. Also, Excel running on the Mac OS is covered under this patch.

This bulletin is particularly unique because it addresses a staggering 14 privately reported vulnerabilities in Microsoft Office.

Important item No. 5 addresses vulnerabilities in Microsoft SharePoint. Among the three vulnerabilities to be patched, one is a cross-site scripting flaw that Microsoft described earlier in a security advisory issued at the end of April. Overall, this bulletin touches Windows SharePoint Services 3.0 Service Pack 1 and Microsoft Windows SharePoint Services 3.0 Service Pack 2.

The sixth important patch is another Windows patch affecting every OS except Windows 2000 and Windows XP. It addresses the frequently patched Internet Information Services (IIS) Web server application. The vulnerability in question here could allow an RCE attack "if a user received a specially crafted HTTP request," Microsoft explained.

The seventh and last important patch addresses a vulnerability in Microsoft .NET Framework. Microsoft describes the flaw as a "tampering" vulnerability that affects every supported Windows OS version.

All patches may require a restart.

Meanwhile, IT pros that actually still have time to look at nonsecurity updates from Microsoft can find them in this Knowledge Base article.

Abraham of Rapid7 and other security experts advise Windows enterprise customers to start reviewing their IT environments. They should access their management systems and verify that all Windows XP-based devices have been upgraded to Service Pack 3 and that all Windows 2000 devices have been replaced or removed from the network.

"The most critical area of weakness for many organizations is third-party devices that are still using these operating systems," Abraham said. "For these systems, customers will need to contact the vendor and verify the upgrade process."

NEXT STORY: DHS network policy puts systems at risk, IG finds

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.