Microsoft now includes most of its system management applications in the Windows update process, and as a result we are seeing consistently large updates of more than 10 patches each month, compared to a historic average of around seven. With this August 2015 Patch Tuesday, Microsoft has released four critical updates and 10 important updates, that cover Internet Explorer, Office and key Windows desktop and server systems. In addition, we see the first security update to Microsoft’s new browser, Edge, in what must surely be a disappointing acknowledgment that Microsoft’s most recent, most secure Web browser needed a major security patch on its first Patch Tuesday.
MS15-079 — Critical
The first critical update for this August Microsoft Patch Tuesday is MS15-079, which relates to a remote code execution vulnerability in Microsoft Internet Explorer. This IE patch attempts to resolve 13 reported vulnerabilities, and as expected for these types of monthly IE refreshes, all of the IE-related binaries have been updated, requiring a complete reinstall and restart of all updated systems. This critical IE patch affects all currently supported versions of IE and should be a top update deployment priority.
MS15-080 — Critical
The next critical Microsoft update is MS15-080, which attempts to resolve 16 reported vulnerabilities in the core Windows Graphics component, which may lead to a remote code execution scenario if left unpatched. This is a pretty significant update to all supported versions of the Microsoft .Net framework and appears to refresh core components of the Windows Presentation Framework. In addition to updates to Adobe OpenType and Microsoft TrueType fonts, this patch also updates how Windows handles logoffs and Windows system/shell impersonation levels. Add this update to your standard patch deployment effort.
MS15-081 — Critical
The next critical update from Microsoft is MS15-081, which attempts to resolve eight reported vulnerabilities in Microsoft Office that could lead to a remote code execution security scenario. This update affects all currently supported versions of Microsoft Office, including Windows RT versions and the latest release of Office 2016 on the Mac. This Microsoft update addresses a number of memory corruption issues, of which at least one has been reported as publicly exploited. Add this Office update to your priority patch deployment effort.
MS15-091 — Critical
The final critical patch for this month’s Patch Tuesday is the very first Patch Tuesday update to Microsoft’s new Web browser, Edge, patch MS15-091. This patch to Edge attempts to resolve four memory corruption vulnerabilities that could lead to a remote code execution scenario if a user visits a specially crafted website. At present, Microsoft has not identified any mitigating factors or workarounds for this issue. If you have Windows 10, then you need to patch your new browser (Edge) now.
MS15-082 — Important
The first patch rated as important for this Patch Tuesday is MS15-082, which attempts to resolve two reported vulnerabilities in the Microsoft Remote Desktop Protocol (RDP) that could lead to a remote code execution security scenario. It is likely that this update is rated as important (rather than critical) because an attacker must place a specially crafted binary (DLL file) on the target system and then get the user to load another specially crafted application that will then subsequently load that initial malicious file over a RDP session. This two-step process definitely reduces the potential exploitability of these vulnerabilities. Add this update to your standard patch deployment effort.
MS15-083 — Important
MS15-083 is the next important update for Microsoft. It attempts to address a single reported vulnerability in the Server Message Block (SMB) networking protocol, which could lead to a remote code execution scenario when a Microsoft SMB server handles certain logging activities. Microsoft has documented a workaround for this vulnerability using the Extended Protection protocol, which can prevent this type of vulnerability and other man-in-the-middle (MITM) attacks. Add this update to your standard patch deployment program.
MS15-084 — Important
The next important update for August is MS15-084, which attempts to resolve three vulnerabilities in the key Windows component XML Core Services, which if left unpatched, could lead to a remote code execution security scenario. Add this update to your standard patch deployment program.
MS15-085 — Important
MS15-085 is an important update from Microsoft that addresses a single reported vulnerability that could lead to an elevation-of-privilege scenario in the Windows Mount Manager subsystem through the insertion of a USB drive with a malicious executable on it. Add this update to your standard patch deployment program.
MS15-086 — Important
MS15-086 is an important Microsoft patch to the Microsoft Systems Center Operations Manager application that could lead to an elevation-of-privilege scenario. This is a pretty standard patch to the system engineer's console with a low-impact profile that only affects Microsoft System Center 2012. Please add to your standard IT update deployment program.
MS15-087 — Important
MS15-087 is an important update to the Microsoft Universal Description, Discovery and Integration (UDDI) Web server components. Though the UDDI system component is currently supported in Windows Server 2008, Microsoft closed its UDDI services node in 2006, so the utilization of this server component is likely to be very low. Add to your standard IT deployment program.
MS15-088 — Important
MS15-088 is an important update from Microsoft that attempts to resolve a single reported vulnerability that involves a two-step exploit and a corresponding two-step patch process. This Microsoft patch attempts to resolve an exploit where an unsafe command line could be passed to another Microsoft application like Notepad or Office to create an information disclosure security scenario. This update has a dependency on the successful installation of two other updates from this month's patch cycle: MS15-079 and MS15-081. This is an odd update that affects all currently supported versions of Microsoft desktop and server platforms. Microsoft has posted a workaround that limits the privileges of IE but I am not sure how scalable this solution is, since it will not work for Office components. This update will require some testing prior to deployment.
MS15-089 — Important
MS15-089 is an important update that resolves a single reported vulnerability to the Microsoft Web Distributed Authoring and Versioning (WebDAV) server component that affects all currently supported versions of Windows Server. Since this patch refreshes a single file (WEBCLNT.DLL) and WebDAV is very little used these days, you can add this patch to your standard IT deployment effort.
MS15-090 — Important
MS15-090 is an important update that attempts to resolve three publicly reported vulnerabilities in Windows that could lead to an elevation-of-privilege scenario. This is a hefty patch with broad coverage of a number of key Windows components and a very large file manifest. If you are running later versions of Microsoft server or desktop platforms (Server 2012 and Windows 8.x), then your exploitation exposure is very low. Older systems are more vulnerable. If you are running older systems (Server 2003 and 2008), then make this patch a priority. Given the large update profile, some testing for key business systems would be prudent for modern systems.
MS15-092 — Important
The final important update for this August Patch Tuesday is MS15-092, which attempts to address three reported vulnerabilities in the Microsoft .Net Framework Version 4.6 that could lead to an elevation-of-privilege scenario. The exploitability index of this vulnerability is pretty low, since an attacker would have to convince a targeted user on a vulnerable system to click on a specially crafted file. Add this update to your standard patch deployment program. This patch only affects .Net Version 4.6, and so if you are running older systems, this patch will not apply to your environment.