A few months ago, we saw the end of Oracle JAVA Plugin support, and now we see the end of QuickTime with the call to remove it from your systems. If only we could get rid of Adobe Flash.
For this June Patch Tuesday, we won’t see an update to Adobe Flash from Microsoft, but we may see an update from Adobe later this month. With 16 updates for June, we already have enough to worry about. Microsoft has released five critical updates and the remaining 11 patches are rated as important, covering a total of 44 vulnerabilities.
This month looks like a pretty straightforward update cycle, with some very targeted updates from Microsoft which should have a low to moderate risk for deployment.
MS16-063 — Critical
MS16-063 is the first update for this June Patch Tuesday and is also the missing update from last month. This patch for Internet Explorer (IE) combines a number of fixes for XSS and JavaScript vulnerabilities and addresses ten vulnerabilities that could lead to a remote code execution scenario for all currently supported versions of IE. As we do not see any publicly disclosed vulnerabilities for IE this month, add this update to your standard patch deployment effort.
MS16-068 — Critical
MS16-068 addresses eight vulnerabilities for Microsoft Edge that includes changes to the Chakra JavaScript engine and the way PDF files are generated in Microsoft's latest browser. The worst of these security issues could lead to a remote code execution scenario where an attacker could obtain the same security privileges as the logged in user. Add this update to your standard patch effort.
MS16-069 — Critical
MS16–069 is a Windows update to JavaScript that only affects Windows Vista and versions of Server 2008. This patch replaces MS16-053, which was a critical patch for May 2016. MS16-069 address three privately disclosed vulnerabilities that could lead to a remote code execution scenario. Microsoft has documented a workaround that involves setting restrictions on key JavaScript and VBScript libraries (DLL’s) -- which I think everyone should ignore. Add this update to your standard server deployment effort. Note: this update will require a server restart.
MS16-070 — Critical
MS16-070 attempts to address four privately reported memory handling related vulnerabilities in Microsoft Office, that if left unpatched could lead to a remote code execution scenario for all currently supported versions, including server and Web App components. This is another standard patch to your normal update plan, but note that some servers will require a restart.
MS16-071 — Critical
MS16-071 is the final critical update for this June update cycle. This fix addresses a single, privately reported remote code execution vulnerability in the Microsoft DNS Server component that only applies to Windows Server 2012 R2. Add this update to your standard server patch effort.
MS16-072 — Important
The first important update from Microsoft is MS16-072. It addresses a single, privately reported vulnerability that affects all currently supported versions of Windows (including Server Core) that if left unpatched, could lead to a man-in-the-middle type attack. The payload for this update appears to be low risk, so add this patch to your standard update process.
MS16-073 — Important
MS16-073 is an update to the kernel mode driver patch we saw in May with MS16-062. If left unpatched, three privately reported vulnerabilities could lead to an elevation of privilege security scenario that could affect all currently supported versions of Windows (desktop and server).
Although this update only replaces a single file (Win32k.sys), it is a vital system component. However, with the relatively lower associated risk of these reported vulnerabilities, I suggest waiting a short while before full production deployment
MS16-074 — Important
MS16-074 is really a combined update of two previous GDI and Adobe Font handling issues (MS16-026 and MS16-055) released early this year. This latest update attempts to address three privately reported vulnerabilities that at worst could lead to an elevation of privileges scenario (only for the logged on user). This patch affects all currently supported versions of Windows and, due to its low level nature, could affect a number of applications. We have seen updates to the Adobe font manager cause a number of BSOD issues with patches over the years, and so it may be prudent to wait a few days before full production roll-outs.
MS16-075 — Important
MS16-075 addresses a single privately reported vulnerability in the Windows Shared Folders (SMB) Server that applies to all currently supported versions of Windows and could lead to an elevation of privilege scenario if -- and only if -- a user logs onto the target system and executes a specially crafted application. Add this update to your standard patch deployment effort.
MS16-076 — Important
MS16-076 is a relatively straightforward update to the Windows Netlogon component that addresses a single privately reported vulnerability. Add this update to your standard patch deployment schedule.
MS16-077 — Important
MS16-077 attempts to address two reported vulnerabilities (one publicly reported) in the Web Proxy Auto Discovery (WPAD) protocol. This patch is also an update to two previous Windows 10 cumulative updates (3156387 and 3156421).
Before you deploy this patch, I recommend that you read the associated Microsoft Knowledge Base article (KB3165191) as you may see some behavior changes with NETBIOS after you deploy this update.
MS16-078 - Important
MS16-078 is solely a Windows 10 update and it addresses a single, privately reported vulnerability in the Windows Diagnostic Hub (the new Windows 10 telemetry app). Add this to your standard Windows 10 deployment effort.
MS16-079 — Important
MS16-079 addresses a single privately reported vulnerability in how the Oracle Outside In technology handles memory in Microsoft Exchange. This update may change how the online web service (OWA) behaves and therefore may require some additional testing before deployment in larger OWA environments.
MS16-080 — Important
MS16-080 addresses three privately disclosed vulnerabilities in the Windows PDF stack. This patch only applies to Windows 8.x, Server 2012 Rx and Windows 10. Add this update to your standard patch deployment effort.
MS16-081 — Important
MS16-081 addresses a single privately reported issue in Microsoft Active Directory which could lead to a denial of service scenario. Add this update to your standard patch effort.
MS16-082 — Important
MS16-082 addresses a single privately reported issue in the desktop and server version of Windows Search. This Microsoft patch updates a single file (Structuredquery.dll) which when modified should have a minimal impact on your application portfolio. Add this update to your standard patch deployment effort.