June 2015 Patch Tuesday

June is the month when summertime begins in earnest. Kids celebrate their brief liberation from “pencils, books and teachers’ dirty looks,” and travelers flee to the seashore or the mountains on their annual vacations. We who live in the southern U.S. crank up our air conditioners in spite of the effect on our utility bills, in an attempt to escape the dreaded summer heat.

But for IT pros, there is no escaping the inevitable: the security patches just keep on coming. This month, Microsoft did take pity on us and gave us a relatively light load; we only have eight updates to worry about this time and only two of them are rated critical.

Along with the omnipresent cumulative update for Internet Explorer, we have five updates for the Windows operating systems, one for Office and one for Exchange Server.  Four of them address remote code execution vulnerabilities and the other four address elevation of privilege issues.

You also might note that a number is skipped in this month’s updates. MS15-058 is missing. Apparently that one wasn’t ready in time for Patch Tuesday release.

For more detailed information about all of these updates, please see the June Security Bulletin Summary on the Microsoft website at https://technet.microsoft.com/library/security/ms15-jun


MS15-056 (KB3058515)

This is a cumulative update for Internet Explorer that addresses a hefty slate of 24 vulnerabilities. It affects all currently supported versions of IE: 6, 7, 8, 9, 10 and 11 running on all currently supported versions of the Windows client and server operating systems, including RT.  The Windows Technical Preview (Windows 10) and Windows Server Technical Preview are also affected.

Twenty of the 24 vulnerabilities are memory corruption issues that can be exploited to accomplish remote code execution, so this is probably the most important patch of this batch.  The others pertain to elevation of privilege, information disclosure and security bypass.  Microsoft has not published workarounds or mitigations for any of them.

The update fixes the problems by changing the way IE handles objects in memory, adding more permission validations and preventing browser histories from being accessed by malicious sites.

MS15-057 (KB3033890)

This is an update for Windows Media Player that addresses one remote code execution vulnerability in that Windows component. It affects WMP versions 10, 11 and 12, running on Windows Vista, Windows 7 and Windows Server 2003, 2008 and 2008 R2. The rating is critical for all affected versions and operating systems. Windows 8, 8.1, RT/RT 8.1 and Server 2012/2012 R2 are not affected.

The problem stems from the way WMP handles specially crafted DataObjects. The DataObject class implements a basic data transfer mechanism. For those unable to install the patch, Microsoft has provided instructions for a workaround that involves removing wmplayer.exe from the Internet Explorer Elevation Policy by editing the registry. Instructions for the workaround can be found at https://technet.microsoft.com/library/security/MS15-057

The update fixes the problem by changing the way WMP handles DataObjects.


MS15-059 (KB3064949)

This is an update for Microsoft Office that fixes multiple vulnerabilities. It affects Office 2007, 2010, 2013 and 2013 RT, and is rated important across all versions.  It also affects the Office Compatibility Pack Service Pack 3.

The vulnerabilities addressed include two memory corruption vulnerabilities and an uninitialized memory use vulnerability, and exploits could result in remote code execution.  However, a user would have to be convinced to open a specially crafted malicious file. Microsoft has published a workaround for both of the vulnerability types, one of which requires editing the registry while the other involves using the Microsoft Office File Block policy. Full instructions can be found at https://technet.microsoft.com/library/security/MS15-059

The update fixes the problems by correcting how Microsoft Office handles files in memory and by correcting how Microsoft Office parses specially crafted files.

MS15-060 (KB3059317)

This is an update for the Common Controls component in Windows that fixes one use-after-free vulnerability. Common Controls is a set of windows that are implemented by the common control library, Comctl32.dll, which is a DLL included with the Windows operating system. It affects most currently supported versions of the client and server operating systems, including Vista, Windows 7, 8/8.1, RT 8.1, and Windows Server 2008, 2008 R2, 2012 and 2012 R2. Windows Server 2003 is not affected, but server core installations are.

The problem is that when the Common Controls accesses an object in memory that hasn’t been correctly initialized or has been deleted, an attacker can exploit the vulnerability and gain the same user rights as the logged on user.  Microsoft published a workaround for this one that involves disabling Internet Explorer Developer Tools by editing the registry. You can find the full instructions at https://technet.microsoft.com/library/security/MS15-060.

The update fixes the problem by correcting how Windows handles objects in memory.

MS15-061 (KB3057839)

This update addresses 11 vulnerabilities in the Windows kernel-mode drivers. It affects all currently supported versions of the Windows client and server operating systems, including the server core installations.

Most of these vulnerabilities can allow for elevation of privilege, and this is the most serious potential impact. They include use-after-free, null pointer dereference, buffer overflow and memory corruption issues.

There is also an information disclosure issue with one of the vulnerabilities, by which an attacker could request the contents of specific memory addresses due to improper handling of the buffer elements under certain conditions. The good news is that the attacker has to have valid logon credentials and be able to log on locally in order to exploit it.

The update fixes these problems by correcting how the Windows kernel-mode driver handles objects in memory and validates user input.

MS15-062 (KB3062577)

This update addresses one vulnerability in Active Directory Federation Services (AD FS). It affects AD FS versions 2.0 and 2.1 in Windows Server 2008, 2008 R2 and 2012.

This is an XSS (cross-site scripting) vulnerability that occurs when a user visits a compromised website and AD FS does not properly sanitize a specially crafted script. This could allow the attacker to run a script that elevates privileges. Microsoft has published a workaround that involves using a web application firewall to block suspicious requests. An example of how to do so can be found at https://technet.microsoft.com/library/security/MS15-062

The update fixes the problem by changing the way AD FS handles the HTML encoding of HTML responses.

MS15-063 (KB3063858)

This is an update that addresses one vulnerability in the Windows kernel, specifically in the LoadLibrary component. On the client side it affects Windows Vista, Windows 7, Windows 8 and Windows RT; on the server side it affects Windows Server 2008, 2008 R2 and 2012, including the server core installations. It does not affect Windows 8.1 and RT 8.1 or Windows Server 2012 R2.

This is an elevation of privilege vulnerability that occurs when LoadLibrary doesn’t properly validate user input. Microsoft has not published any workarounds or mitigations for this vulnerability.

The update fixes the problem by changing the way Windows validates user input.

MS15-064 (KB3062157)

This is an update to address three vulnerabilities in Microsoft Exchange Server. It affects Exchange Server 2013 SP1 and Exchange Server 2013 Cumulative Update 8. It does not affect previous versions of Exchange.

These vulnerabilities include a server-side request forgery vulnerability, a cross-site request forgery vulnerability and an HTML injection vulnerability. All are rated important. Microsoft has not published any workarounds or mitigations for any of these vulnerabilities.

The update fixes the problems by changing the way Exchange web applications manage same-origin policy, how they manage user session authentication and how they sanitize HTML strings.
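As an added example (not part of the original post or of any Microsoft tooling), here is a PowerShell check that reports which of this month’s KB updates are present on a host, using the KB numbers listed above. It relies on the built-in Get-HotFix cmdlet, which only knows about updates recorded for Windows itself, so the Office and Exchange entries are flagged as needing a separate check.

```powershell
# Added example: map the June 2015 bulletins to their KB numbers (taken from the
# post above) and report which ones Get-HotFix can see on the local machine.
$JuneBulletins = [ordered]@{
    'MS15-056' = @{ KB = 'KB3058515'; Note = 'Internet Explorer cumulative update (critical)' }
    'MS15-057' = @{ KB = 'KB3033890'; Note = 'Windows Media Player (critical)' }
    'MS15-059' = @{ KB = 'KB3064949'; Note = 'Microsoft Office (not tracked by Get-HotFix)' }
    'MS15-060' = @{ KB = 'KB3059317'; Note = 'Common Controls, Comctl32.dll' }
    'MS15-061' = @{ KB = 'KB3057839'; Note = 'Windows kernel-mode drivers' }
    'MS15-062' = @{ KB = 'KB3062577'; Note = 'AD FS cross-site scripting' }
    'MS15-063' = @{ KB = 'KB3063858'; Note = 'Windows kernel, LoadLibrary' }
    'MS15-064' = @{ KB = 'KB3062157'; Note = 'Exchange Server 2013 (not tracked by Get-HotFix)' }
}

# Get-HotFix reads the Win32_QuickFixEngineering class, which records updates to
# Windows components only. Office and Exchange updates generally do not appear
# there even when installed, so their absence here is "verify elsewhere", not "missing".
$installedIds = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($bulletin in $JuneBulletins.Keys) {
    $entry = $JuneBulletins[$bulletin]
    $status = if ($installedIds -contains $entry.KB) {
        'installed'
    } elseif ($entry.Note -like '*not tracked*') {
        'check via Office/Exchange update history'
    } else {
        'MISSING'
    }
    [PSCustomObject]@{
        Bulletin = $bulletin
        KB       = $entry.KB
        Status   = $status
        Note     = $entry.Note
    }
}
```

Run it in an elevated PowerShell session on each host you want to audit; Get-HotFix also accepts -ComputerName for querying remote machines if you want to sweep several systems at once.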