July Patch Tuesday: Microsoft Fixes 3 Zero-Day Flaws
Microsoft releases a large security update, which includes four critically rated fixes for IE, Hyper-V and Windows.
While Microsoft has quite a bit on its plate this month with the impeding release of Windows 10, it didn't use that as an excuse to go easy with July's security update. This month's patch includes four items rated "critical" and 10 "important" to fix numerous issues in Microsoft products and services.
IT might want to get an early jump on today's offering, as three of the bulletins deal with flaws in active use by attackers in the wild or have been publicly disclosed. The first, bulletin MS15-065, addresses multiple issues in all supported versions of Internet Explorer, including a remote code execution flaw that was revealed during last week's breach of Italian security firm Hacking Team. While Microsoft said that an attack has not yet been seen for this particular issue, which is caused by how the Jscript handles objects in memory, don't expect that to be the case for very much longer.
Unlike the IE fix, bulletins MS15-070, an important update for Microsoft Office, and MS15-077, an ATM font driver flaw in Windows, both have holes being actively exploited. However, due to the small target scope, Microsoft decided to not categorize it as the more severe "critical" rating. Still, they should be high priorities for all shops to get patched as soon as possible.
After those three items have been dealt with, it's advised that the final three critical items be tackled next. bulletin MS15-066 addresses a single issue in Windows' VBScript scripting engine that could lead to an RCE attack if a malicious Web site is visited. Those affected could have their entire system compromised, allowing an attacker to install malicious programs, access private data and delete files. Only those running Windows Server 2003, 2003 SP2, Windows Server 2008 and Windows Vista are affected. Remember, with today's death of official support for Windows Server 2003, security updates for the older server version will not be freely released.
Those running Windows 7, 8 and Windows Server 2012 should pay close attention to bulletin MS15-067, which looks to resolve an RCE flaw for those who have the Remote Desktop Protocol (RDP) server service active. According to Craig Young, security researcher at Tripwire, this will be a top priority for many shops. "This is very high impact because many businesses rely on remote desktop protocol and many advanced home users configure remote access for RDP into their home," commented Young. "This should definitely be on the top of everyone's install list. Although Microsoft describes that code execution is tricky, there are a lot of smart people out there and I'm sure it won't be long before proof-of-concept code starts floating around."
Finally, the last critical item of the month (bulletin MS15-068) takes care of yet another RCE flaw, this time in Hyper-V. According to Microsoft, a targeted system could be taken over if a malicious application is run on a guest virtual machine hosted by Hyper-V. What makes this flaw a bit difficult to pull off is that an attacker would need to have valid login credentials for the virtual machine. Difficult, but not impossible.
The remaining important updates address issues in Microsoft's SQL Server and various versions of Windows OS. More information can be found here.
Along with today's larger-than-usual patch, Microsoft also released two security advisories. The first is Security Advisory 3074162, which updates the Microsoft Malicious Software Removal Tool (MSRT) to remove an elevation of privilege flaw found in the application that could cause the tool to become unresponsive. Microsoft decided to release an advisory instead of a bulletin on this item due to the low risk of exploitation and that updating the tool would require no input from users.
Finally, an advisory announcing an update to harden use of Data Encryption Standard (DES) encryption (Security Advisory 3057154) was released. Microsoft started disabling DES by default with Windows 7, and today's update looks to further enhance security for those who choose to enable the use of DES encryption keys in their environment.
That's it for this month. While next month will not include security updates for Windows Server 2003, look for potential Windows 10 security issues to take its place.