On 13th June, as part of our regular Update Tuesday schedule, Microsoft has released security updates for a total of 96 security vulnerabilities in its various Windows operating systems and software, including fixes for two vulnerabilities that have actively been exploited in the wild.
Out of 96 security vulnerabilities, 12% of these issues came through the ZDI (Zero-Day Initiative) program at some point. A total of 18 of these issues are rated Critical, 76 are rated Important, one is rated Moderate, and one is the rare Low severity rating. Some of these bugs were initially disclosed during this year’s Pwn2Own competition, but some bugs from the contest are still to be patched. Two of these bugs are under active attack while three are listed as publicly known.
If you remember, last month’s widespread WannaCry ransomware attack, that infected nearly 300,000 computers in more than 150 countries, forced Microsoft to release security updates against EternalBlue SMB exploit for unsupported versions of Windows, but the company left other three Windows zero-day exploits, leaked by the Shadow Brokers in April, unpatched. This month’s patch release also includes emergency patches for those three Windows hacking exploits.
The June 2017 Patch Tuesday brings patches for several remote code execution flaws in Windows, Office, and Edge, which could be exploited remotely by hackers to take complete control over vulnerable machines with little or no interaction from the user.
While two of the vulnerabilities have been exploited in live attacks, another three flaws have publicly available proof-of-concept (POC) exploits that anyone could use to target Windows users.
The three unpatched Windows exploits are codenamed as “EsteemAudit,” “ExplodingCan,” and “EnglishmanDentist.” EsteemAudit targets remote desktop protocol (RDP) service on Microsoft Windows Server 2003 and Windows XP machines, while ExplodingCan exploits bugs in IIS 6.0 and EnglishmanDentist exploits Microsoft Exchange servers. None of these exploits works on supported Windows platform.
According to the recent Microsoft blog post, the critical down-level patches for three Windows exploits were prompted by an “elevated risk of destructive cyber attacks” by government organizations, sometimes referred to as “nation-state actors or other copycat organizations.”
The security patches for Windows XP, Vista, and Server 2003 contain fixes for the above three end-of-support products. Unlike regular Patch Tuesday releases that delivered automatically through the Windows Update mechanism to your devices, these down-level patches must be downloaded and installed manually. These updates are available in the Microsoft Download Center or, in the Update Catalog, or you can find download links at the bottom of Security Advisory 4025685.
“Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies. Based on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly. As always, we recommend customers upgrade to the latest platforms. The best protection is to be on a modern, up-to-date system that incorporates the latest defense-in-depth innovations. Older systems, even if fully up-to-date, lack the latest security features and advancements,” Eric Doerr, general manager of the company’s Security Response Center, said in a separate blog post.
Meanwhile, Adobe has also issued security fixes for its most vulnerable software offerings, Flash Player and Shockwave Player, two programs most users would probably be better off without. The company addresses nine critical bugs in its Flash Player that could allow remote code execution, five of which are due to memory corruption and four are use-after-free conditions in the software.
Users running Chrome, Edge, and Internet Explorer 11 and later will get the update automatically from Google and Microsoft’s security teams, while other users should download the patches directly from Adobe.
Shockwave Player received a patch for a single remote code execution vulnerability in the Windows version of its software. Users should download version Shockwave Player 22.214.171.124 in order to protect themselves.