Historically, the Microsoft patch cycle for June has been quite light, and this Patch Tuesday, with two critical and six important updates, is no exception. Internet Explorer gets another complete refresh to address a set of memory corruption issues, and there are also updates to Microsoft Office and Exchange. Two of the lower-rated updates (MS15-061 and MS15-063) change key low-level system files and will require extensive testing, while the remaining patches can be included in a standard deployment cycle.
This month also brings one small surprise: one bulletin number, MS15-058, is missing from the sequence. We might see a mid-month release, or an out-of-sequence bulletin number in July.
MS15-056 — Critical
The first update rated as critical by Microsoft for this June Patch Tuesday is MS15-056, which resolves twenty-four memory corruption vulnerabilities with another complete code refresh of Internet Explorer. The worst of these reported issues could result in remote code execution. This update also includes an update to the Microsoft IE Enterprise Mode and Site Discovery tools. Enterprise Mode and its supporting tools allow IE11 to emulate previous versions of Internet Explorer for designated sites, to avoid configuration and website compatibility problems with legacy web applications. Compatibility was a key issue during the Windows 7 migration effort, and it may remain a significant challenge for the forthcoming enterprise Windows 10 migrations, so expect further updates to IE Enterprise Mode in the coming months as the Windows 10 release approaches. MS15-056 affects all currently supported versions of Internet Explorer. Make this patch a priority for your June update deployments.
MS15-057 — Critical
The second critical update for June is MS15-057, which resolves a single security issue in Windows Media Player: a specially crafted website could allow remote code execution, and an attacker who succeeded would gain the same rights as the logged-on user (complete control of the system if that user is an administrator). The patch manifest (list of updated files) for this update is relatively light and appears to include only the core Windows Media components (including some configuration files). Going by previous experience, the dependency mapping for most applications is very light for Windows Media files; Windows Media does not interact with many applications and has a history of "playing nicely" when updated. Microsoft has rated this update as critical, but with an Exploitability Index of 2 (exploitation less likely) for the most recent software releases (i.e. Windows 8.x), it is reasonable to include it in your standard patch update cycle. If you are running older systems, you may want to deploy this patch on a quicker release cycle.
MS15-059 — Important
Curiously, the next update in this release cycle is not MS15-058 but MS15-059. There is a bulletin missing, and the standard URL for MS15-058 points to a Microsoft placeholder page. MS15-059 is rated as important by Microsoft and resolves three memory corruption issues in Microsoft Office that could result in remote code execution. The update is actually broken down into three separate update packages (self-extracting EXEs) that patch the original Office MSI installation. This is standard Microsoft practice; however, if you are not using Microsoft Update across your organization, or you are using internally developed deployment tools, you may have difficulty deploying this Office update. Include it in your standard testing and patch update schedule, but ensure that you are getting good telemetry from your deployment systems so you can confirm that every package actually landed.
MS15-060 — Important
The next update rated by Microsoft as important is MS15-060, which resolves a single reported vulnerability that could lead to remote code execution. This security patch updates the Microsoft Common Controls library, which consists of a single file (COMCTL32.DLL). This file is a key component of many Windows desktop applications, as it implements the basic UI elements an application uses, such as spin controls, sliders, radio buttons, and basic input handling. Historically, this was a very difficult system component to update or change, and it was frequently placed under change control restrictions for most enterprise workstation and server builds. Things are a little different with Windows 8.x, where this file has a much lower profile. If you are running older Visual Basic applications, plan for heavy testing before deploying this patch. Otherwise, include it in your standard patch release cycle.
MS15-061 — Important
The next important update for June is MS15-061. This updates the low-level Windows Kernel-Mode Drivers component to resolve 11 reported security vulnerabilities that could lead to elevation of privilege. This is a key system component, and many previous updates to it have led to system-level crashes (blue screen of death). Microsoft has given these reported issues a relatively high Exploitability Index of 1 (exploitation more likely), which makes this update a priority, but one that warrants heavy testing on your core systems before deployment.
MS15-062 — Important
MS15-062 is the next important update for this June Patch Tuesday. It resolves a single reported cross-site scripting (XSS) vulnerability in Active Directory Federation Services (AD FS), which Microsoft classifies as an elevation-of-privilege issue. The patch manifest for this update appears quite light, and the overall profile of the changes looks limited. Add this update to your standard deployment cycle.
MS15-063 — Important
MS15-063 is another important Microsoft patch that updates a single file (KERNELBASE.DLL). This update resolves a single reported vulnerability that could lead to elevation of privilege. The file updated by this patch is another key Windows component and has been linked to many application- and system-level crashes in the past. Add this update to your standard update cycle, and include some unit testing with your currently deployed versions of Microsoft Office.
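Because MS15-060 and MS15-063 each replace a single system DLL, and the Office update above depends on good deployment telemetry, a useful post-deployment check is to confirm on each host both that the expected KB articles are installed and what version of COMCTL32.DLL and KERNELBASE.DLL actually ended up on disk. The script below is an added example, not code from the original article or from Microsoft. It assumes remote WMI access and the ADMIN$ share are reachable from the machine running it; the KB numbers are passed in as a parameter rather than hard-coded, because the bulletin-to-KB mapping differs by OS version and should be taken from the bulletin pages.

```powershell
# Added example (not from the original article): report, per host, which of the
# supplied KB articles are missing and which versions of the single-file update
# targets (COMCTL32.DLL, KERNELBASE.DLL) are currently on disk.
# Assumptions: WMI (Get-HotFix) and the ADMIN$ share are reachable on each host,
# and the caller supplies KB IDs in the same "KBnnnnnnn" form Get-HotFix reports.
param(
    [Parameter(Mandatory)][string[]]$ComputerName,
    [Parameter(Mandatory)][string[]]$KB,
    [string[]]$WatchFiles = @('comctl32.dll', 'kernelbase.dll')
)

function Get-PatchState {
    param([string]$Computer, [string[]]$KBList, [string[]]$Files)

    # Installed hotfixes as reported by Win32_QuickFixEngineering on the target.
    $installed = @{}
    try {
        Get-HotFix -ComputerName $Computer -ErrorAction Stop |
            ForEach-Object { $installed[$_.HotFixID] = $_.InstalledOn }
    } catch {
        # Unreachable host or no WMI access: record the failure instead of a false "missing" list.
        return [pscustomobject]@{
            Computer   = $Computer
            MissingKBs = $null
            Files      = $null
            Error      = $_.Exception.Message
        }
    }

    # Anything in the expected list that the host does not report is flagged.
    $missing = $KBList | Where-Object { -not $installed.ContainsKey($_) }

    # File versions of the components the single-file bulletins replace, read via ADMIN$
    # (which maps to %SystemRoot% on the target). The backtick stops PowerShell from
    # treating "$\" as a variable reference.
    $versions = foreach ($f in $Files) {
        $path = "\\$Computer\admin`$\System32\$f"
        $v = try {
            (Get-Item -LiteralPath $path -ErrorAction Stop).VersionInfo.ProductVersion
        } catch {
            'unreadable'
        }
        "$f=$v"
    }

    [pscustomobject]@{
        Computer   = $Computer
        MissingKBs = ($missing -join ',')
        Files      = ($versions -join '; ')
        Error      = $null
    }
}

# Emit one object per host so the result can be piped to Export-Csv or Out-GridView.
foreach ($c in $ComputerName) {
    Get-PatchState -Computer $c -KBList $KB -Files $WatchFiles
}
```

Run it as, for example, `.\Check-JunePatches.ps1 -ComputerName ws01,ws02 -KB <KB IDs from the bulletins> | Export-Csv june-patch-state.csv`. Comparing the reported file versions against a known-good host that was patched and tested first gives you a second, file-level confirmation that does not rely solely on what the deployment tool claims.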
MS15-064 — Important
MS15-064 is the final update for June and is rated as important. It resolves three reported vulnerabilities, the most severe of which could lead to elevation of privilege. This update affects only Microsoft Exchange Server 2013; however, it touches a large number of Exchange files and components. Given its lower exploitability rating from Microsoft and its large update footprint, it is still worth adding to your cycle, but allow time and resources for a significant testing effort.
This article is published as part of the IDG Contributor Network.