Security Advisor

July Patch Tuesday: Microsoft Fixes 3 Zero-Day Flaws

Microsoft releases a large security update, which includes four critically rated fixes for IE, Hyper-V and Windows.

While Microsoft has quite a bit on its plate this month with the impeding release of Windows 10, it didn't use that as an excuse to go easy with July's security update. This month's patch includes four items rated "critical" and 10 "important" to fix numerous issues in Microsoft products and services.

IT might want to get an early jump on today's offering, as three of the bulletins deal with flaws in active use by attackers in the wild or have been publicly disclosed. The first, bulletin MS15-065, addresses multiple issues in all supported versions of Internet Explorer, including a remote code execution flaw that was revealed during last week's breach of Italian security firm Hacking Team. While Microsoft said that an attack has not yet been seen for this particular issue, which is caused by how the Jscript handles objects in memory, don't expect that to be the case for very much longer.

Unlike the IE fix, bulletins MS15-070, an important update for Microsoft Office, and MS15-077, an ATM font driver flaw in Windows, both have holes being actively exploited. However, due to the small target scope, Microsoft decided to not categorize it as the more severe "critical" rating. Still, they should be high priorities for all shops to get patched as soon as possible.

After those three items have been dealt with, it's advised that the final three critical items be tackled next. bulletin MS15-066 addresses a single issue in Windows' VBScript scripting engine that could lead to an RCE attack if a malicious Web site is visited. Those affected could have their entire system compromised, allowing an attacker to install malicious programs, access private data and delete files. Only those running Windows Server 2003, 2003 SP2, Windows Server 2008 and Windows Vista are affected. Remember, with today's death of official support for Windows Server 2003, security updates for the older server version will not be freely released.

Those running Windows 7, 8 and Windows Server 2012 should pay close attention to bulletin MS15-067, which looks to resolve an RCE flaw for those who have the Remote Desktop Protocol (RDP) server service active. According to Craig Young, security researcher at Tripwire, this will be a top priority for many shops. "This is very high impact because many businesses rely on remote desktop protocol and many advanced home users configure remote access for RDP into their home," commented Young. "This should definitely be on the top of everyone's install list. Although Microsoft describes that code execution is tricky, there are a lot of smart people out there and I'm sure it won't be long before proof-of-concept code starts floating around."

Finally, the last critical item of the month (bulletin MS15-068) takes care of yet another RCE flaw, this time in Hyper-V. According to Microsoft, a targeted system could be taken over if a malicious application is run on a guest virtual machine hosted by Hyper-V. What makes this flaw a bit difficult to pull off is that an attacker would need to have valid login credentials for the virtual machine. Difficult, but not impossible.

The remaining important updates address issues in Microsoft's SQL Server and various versions of Windows OS. More information can be found here.

Security Advisories
Along with today's larger-than-usual patch, Microsoft also released two security advisories. The first is Security Advisory 3074162, which updates the Microsoft Malicious Software Removal Tool (MSRT) to remove an elevation of privilege flaw found in the application that could cause the tool to become unresponsive. Microsoft decided to release an advisory instead of a bulletin on this item due to the low risk of exploitation and that updating the tool would require no input from users.

Finally, an advisory announcing an update to harden use of Data Encryption Standard (DES) encryption (Security Advisory 3057154) was released. Microsoft started disabling DES by default with Windows 7, and today's update looks to further enhance security for those who choose to enable the use of DES encryption keys in their environment.

That's it for this month. While next month will not include security updates for Windows Server 2003, look for potential Windows 10 security issues to take its place.

About the Author

Chris Paoli is the site producer for and


  • Cloud IT Infrastructure Spending Starting To Take the Lead

    IDC this month published findings on revenues from cloud IT infrastructure spending in the third quarter of 2018, based on server, storage and Ethernet switch sales.

  • How To Run Oculus Rift Apps in Windows Mixed Reality, Part 1

    A lack of apps has been the biggest thorn in the side of Microsoft's mixed reality efforts. One way to get around it is to use apps that were designed for Oculus Rift instead.

  • Windows 10 Mobile To Fall Out of Support in December

    Microsoft will end support for the Windows 10 Mobile operating system on Dec. 10, 2019, according to an announcement.

  • Get More Out of Your Outlook Inbox with TakeNote

    Brien comes across a handy, but imperfect, feature in Outlook that lets you annotate specific e-mails. Its provenance is something of a mystery, though.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.