This month’s Patch Tuesday can be considered lighter than last month’s, with only eight security bulletins released for June. Of the eight, two are considered Critical while the remaining are rated Important.
Just like last month, there is a critical, cumulative update for Internet Explorer. MS15-056 aims to resolve vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. According to the bulletin, the patch addresses the vulnerabilities by:
- Preventing browser histories from being accessed by a malicious site
- Adding additional permission validations to Internet Explorer
- Modifying how Internet Explorer handles objects in memory
The first bullet point above is worth paying attention to. Previously, it was possible for an attacker who lured a victim to a malicious (or compromised) website to access the user’s browser history. Obviously, many users would find this disclosure somewhat troubling. This vulnerability has now been patched, and there are no indications it was exploited in the wild.
The second critical update addresses a vulnerability found in Windows, specifically Windows Media Player (MS15-057). The vulnerability could allow remote code execution if a specially crafted file is opened in Windows Media Player. The remaining six patches address vulnerabilities that affect several Windows components, Microsoft Office, and Microsoft Exchange Server.
More information about these bulletins and their corresponding Trend Micro solutions is posted at our Threat Encyclopedia Page: June 2015 – Microsoft Releases 8 Security Advisories.
Update for Adobe
Adobe has also released a security update (APSB15-11) for Adobe Flash Player for Windows, Macintosh, and Linux. According to Adobe, the updates “address vulnerabilities that could potentially allow an attacker to take control of the affected system.”
We urge users to patch their endpoints and servers as soon as possible. Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities with the following DPI rules:
- 1006657-Adobe Flash Player Remote Integer Overflow Vulnerability (CVE-2014-0569) – 2
- 1006745-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1687)
- 1006747-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1730)
- 1006748-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1731)
- 1006749-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1732)
- 1006751-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1735)
- 1006752-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1736)
- 1006753-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1737)
- 1006755-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1740)
- 1006756-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1741)
- 1006757-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1742)
- 1006758-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1744)
- 1006759-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1745)
- 1006760-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1747)
- 1006761-Microsoft Internet Explorer Elevation Of Privilege Vulnerability (CVE-2015-1748)
- 1006762-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1750)
- 1006763-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1751)
- 1006764-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1752)
- 1006765-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1753)
- 1006766-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1755)
- 1006767-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-1766)
- 1006769-Microsoft Office Use After Free Vulnerability (CVE-2015-1759)
- 1006770-Microsoft Office Use After Free Vulnerability (CVE-2015-1760)
- 1006771-Microsoft Office Uninitialized Memory Use Vulnerability (CVE-2015-1770)
- 1006772-Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3096)
- 1006773-Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3098)
- 1006774-Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3099)
- 1006775-Adobe Flash Player Remote Code Execution Vulnerability (CVE-2015-3100)
- 1006776-Adobe Flash Player Cross Domain Policy Bypass Vulnerability (CVE-2015-3102)
- 1006777-Adobe Flash Player Use After Free Vulnerability (CVE-2015-3103)
- 1006778-Adobe Flash Player Integer Overflow Vulnerability (CVE-2015-3104)
- 1006779-Adobe Flash Player Out Of Bound Write Vulnerability (CVE-2015-3105)
- 1006780-Adobe Flash Player Use After Free Vulnerability (CVE-2015-3106)
- 1006781-Adobe Flash Player Memory Corruption Vulnerability (CVE-2015-3108)
- 1006782-Microsoft Windows HTML Application Denial Of Service Vulnerability