Microsoft has released its Patch Tuesday security update for June, which contains 16 bulletins addressing more than 40 vulnerabilities in its software.
Internet Explorer, Edge, Windows, Exchange Server, and Office all receive Microsoft’s attention, but experts are warning system administrators to pay special attention to another zero-day flaw concerning Adobe Flash, which has yet to be patched.
The most interesting flaw for Qualys CTO Wolfgang Kandek concerns Windows DNS Server (MS16-071), which could allow for Remote Code Execution (RCE). He flagged this flaw as important to patch, as DNS is a core part of the IT infrastructure within many businesses.
“Successful exploitation yields the attacker Remote Code Execution (RCE) on the server, which is extremely worrisome on such a mission critical service such as DNS,” blogged Kandek. “Organisations that run their DNS server on the same machine as their Active Directory server need to be doubly aware of the danger of this vulnerability.”
Microsoft’s Edge and Internet Explorer web browsers have also been patched. MS16-063 is for Internet Explorer, whilst MS16-068 is for Edge. MS16-069, meanwhile, concerns JavaScript on Windows Vista and fixes a number of critical RCE vulnerabilities exploitable through simple web browsing.
“Don’t take off on that summer vacation just yet – Microsoft released another 16 security bulletins in today’s June Patch Tuesday and 5 of those are rated critical,” said Todd Schell at Heat Software.
“While there are quite a few updates to be made, both on the client and server side, across a broad range of legacy and current code, the good news is none of them are under active exploit,” said Schell. “To tackle the batch of needed June updates, you will likely want to start with the browsers.”
But a critical flaw in Adobe Flash is once again causing concern for security experts, especially as it is being actively exploited and a fix is not due out until Thursday.
“You will also want to pay close attention to another critical update, this time for Adobe Flash in APSA16-03,” said Heat’s Schell. “While not due out until June 16 according to the Security Incident Response Team, there are reports of active exploits for CVE-2016-4171. Windows, Mac, Linux and Chrome are all impacted.”
“…your primary attention should be on Adobe Flash,” warned Qualys’ Kandek. “Adobe has acknowledged that a vulnerability (CVE-2016-4171) in the current Flash player is being used in the wild and delayed the expected monthly Adobe Flash patch.”
“In their advisory APSA16-03 they promise the patch for the end of this week,” he said. “Pay close attention to the release and address as quickly as possible. If you have EMET on your systems you are protected. By the way, this is the third month in a row that we are seeing a 0-day in Flash, making it most certainly the most targeted software on your organisation’s endpoints.”