The July 2015 Patch Tuesday is a surprisingly large update, with patches to Internet Explorer, Office, SQL Server and several key Windows components. In fact, these key file updates to core Windows components including GDI, Netlogon, RPC and OLE make this July patch release cycle a concern for organizations running older and legacy applications. As usual, the critical updates are a top priority, with a slight warning for some of the patches rated as important.
MS15-065
The first update rated as critical for this July Patch Tuesday is MS15-065, which attempts to resolve 29 reported vulnerabilities in total, across all currently supported versions of Microsoft Internet Explorer. This update to IE resolves numerous VBScript, JScript XSS and cross-domain, memory-handling security issues. There is also an overlap with the patch MS15-066 due to the common VBScript issues. As has often been the case, this update requires a full refresh of all IE-related DLLs and application files. Since Adobe has issued a significant update to its Flash software with several zero-day vulnerabilities, I would add this IE update to the top of my patch scheduling program.
MS15-66
The next update rated as critical by Microsoft is the VBScript update MS15-66, which attempts to address a single reported vulnerability in the Windows scripting component. This patch does not affect modern systems, and is limited to Windows 2003 and Server 2008 systems (and their associated core versions). This vulnerability relates to a specific type of Web-based attack that takes advantage of a memory-handling vulnerability in VBScript. I am not sure how many Server 2003 and 2008 systems are exposed to the Web (hopefully very few) but if your organization has a Web-facing 2003 or 2008 server, this is a "patch now" update.
MS15-067
The next update rated as critical for this Patch Tuesday is MS15-67, which attempts to resolve a single reported vulnerability in the Windows Remote Desktop Protocol (RDP) component. This update only applies to Windows 7 and Windows 8.x 32-bit machines, and exploiting the vulnerability requires a uniquely crafted series of network packets to be sent to a specifically targeted machine. By default, RDP is not enabled on Windows machines. Add this update to your standard patch deployment schedule.
MS15-068
The last update rated as critical for this July is MS15-068, which attempts to resolve two reported vulnerabilities leading to a remote code execution vulnerability in the Windows Hyper-V virtualization platform. This update affects the Windows 8, Server 2008 R2 and Server 2012 platforms. It updates a single core driver file (Storvsp.sys), which has been implicated in a number of BSOD crashes on server systems. I think that this patch may need some testing before full deployment.
MS15-058
The first update rated as important from Microsoft this July Patch Tuesday is MS15-058, which attempts to resolve a remote code execution vulnerability in Microsoft SQL Server. The patch attempts to resolve three reported vulnerabilities, and most likely has earned its important rating since specific database privileges (create and modify) are required to compromise a targeted system.
MS15-069
The important Microsoft patch MS15-069 attempts to resolve two reported vulnerabilities in how Windows handles the (now aging) RTF document file format. This particular vulnerability allows an attacker to swap an intended RTF (document or image file) for a DLL (source library file) which may then lead to a remote code execution scenario. This update affects Windows Vista, Windows 7, 8.x and Server 2003 and 2008 (excluding Itanium) servers. Add this update to your standard patch deployment schedule.
MS15-070
MS15-070 is rated as important by Microsoft, and attempts to resolve eight vulnerabilities in Office that could lead to a remote code execution scenario. All versions of Office from 2007 right up to Office 2013 and SharePoint Server 2013 are affected. This is another memory handling issue where Excel mishandles specially crafted binaries (XLS and XLM files). Add this update to your standard patch update schedule.
MS15-071
Update MS15-071 is an important patch to a key Windows component, Netlogon, which was previously updated this March with MS15-027 due to a potential spoofing attack. This update attempts to resolve a single vulnerability that has a relatively low exploit rating from Microsoft (3 - Exploitation Unlikely). Given that this is Microsoft’s second try at this, and the Netlogon service is critical (you can’t log on to your machine without it), I would wait a little while to see if there is an update to this patch. On the plus side, this update only updates a single file. If you have written custom code to handle user logons (i.e. application installations and configurations running as a user logs on) you may want to test your in-house applications before general deployment.
MS15-072
MS15-072 addresses a single reported vulnerability in the Windows graphics component (GDI32.DLL) that could lead to a remote code execution scenario where an unpatched system may fail to properly process some bitmap conversions. This update has a higher exploit rating (1 - Exploitation Likely) but I always hesitate before rolling out a core update like GDI32. If you are using intensive graphics applications like AutoCAD/Desk, you may well be advised to test your core business applications first.
MS15-073
Another core component of Windows is updated with MS15-073, which attempts to resolve six vulnerabilities in the Windows kernel mode driver. The worst of these security issues may lead to an elevation of privilege scenario where the attacker could log on to a targeted system and run a specially crafted file. These six vulnerabilities have a relatively moderate exploitation rating from Microsoft, and given the key nature of this Windows component, I suggest significant testing before full deployment of this update.
MS15-074
The next update is close to my heart (harking back to my desktop engineering days), as MS15-074 addresses a single vulnerability in the Windows Installer service (MSI Files) when handling certain custom action scripting within an installation package. As this is a core Windows service, all currently supported versions of Windows desktop and server platforms are affected. Custom actions are a key (and often misused) technology in packaging application installations and I am sure that this is not the last time we will see this kind of security issue. Add this update to your standard patch deployment schedule.
MS15-075
Another important update from Microsoft for July is MS15-075, which attempts to resolve two reported vulnerabilities with a high exploitability index from Microsoft (1 - Exploitation More Likely) that deal with an elevation of privilege security issue in another key Windows component: the Windows OLE sub-system. If compromised, a target system could run arbitrary code at a medium security level. Again, a single core Windows system file is updated (OLE32.DLL) but this is one of the most important DLL libraries for pre-modern applications (before Windows 8). If you are running legacy applications (think Visual Basic) for your core business, you will want to seriously test this update before general deployment.
MS15-076
The penultimate patch for July is MS15-076, which addresses a single vulnerability in the Windows Remote Procedure Call (RPC) Service, and is rated important by Microsoft. This is another core Windows system update, which left unpatched could lead to an elevation-of-privilege scenario. An attacker who successfully employed this exploit would have complete control over the targeted system. This is a pretty hefty update that includes changes to key system files such as the Kerberos (security and encryption), SChannel and Core Server systems. If you are running some disparate or massively complex multisystem (i.e. trading or banking system), I would seriously consider taking this update aside for low-level application unit-level testing.
MS15- 077
MS15-077 is the final update for July and another re-update from the March update cycle (see MS15-021) that attempts to resolve a single reported security issue that could lead to an elevation of privileges scenario. This is really an Adobe update with several key files from the Adobe Type Manager Font Driver (ATMFD), which was the source of a large number of BSOD crashes dating back to Windows 2000. As in previous cases, a single file is updated (ATMFD.DLL), which could cause some issues with legacy applications. If you have applications still hanging on from your Windows XP to Windows 7 migration, you may want to test this patch on those applications.
All these updates are interesting in their own individual technical spaces. We are seeing more updates from Microsoft each month, and with upcoming release of Windows 10 (which I’m reading as Microsoft 2.0), we are going to see multiple tracks of updates in the future. I expect that we may soon see the end of Patch Tuesday as a singular, monolithic system update, to be replaced with multiple customer-driven update cadences on weekly, monthly and multi-yearly rhythms.