Patch Tuesday June 2017

BeyondTrust Research Team, June 15th, 2017

Patch Tuesday

Microsoft Patch Tuesday June 2017 addresses 96 unique vulnerabilities within Microsoft Windows, Office, Skype, Internet Explorer, and the Edge browser. Of these vulnerabilities, 18 are rated Critical, 76 Important, one Moderate, and one Low severity. In addition, unsupported OSes received patches due to heightened risk of exploitation, making this Patch Tuesday particularly interesting.

Silverlight

Silverlight makes a return this Patch Tuesday with a vulnerability that allows remote code execution if a user visits a compromised website. The vulnerability revolves around how the Uniscribe component handles objects in memory, and an attacker who successfully exploits it could install programs; view, change, or delete user data; or create user accounts with full privileges. Microsoft rates this vulnerability Critical.

Windows Search

Windows Search is an unusual face on Patch Tuesday, appearing with a vulnerability that could allow information disclosure or remote code execution. The vulnerability involves the corruption of objects in memory when Windows Search is supplied with malicious input. An attacker who successfully exploits it could install programs; view, change, or delete user data; or create user accounts with full privileges equal to those of the victim user. Microsoft rates this vulnerability Critical.

Windows Kernel

The Windows Kernel was patched for multiple information disclosure vulnerabilities. While these vulnerabilities do not by themselves compromise the victim system, they do provide information that could aid an attacker's ongoing compromise of a system. As usual, they involve improper initialization of objects in kernel memory. Microsoft rates these vulnerabilities Important.

Office

It wouldn't be a Patch Tuesday without discussing Office; this month, however, brings a particularly large number of Office fixes. These vulnerabilities could allow an attacker to execute code remotely on the victim's system with privileges equal to those of the victim user. This serves as a persistent reminder to be cautious about opening documents from untrusted sources. Microsoft rates these vulnerabilities Important.

Skype

Skype makes an appearance this Patch Tuesday with a vulnerability that allows remote code execution if a user is lured into viewing malicious content. Like the Silverlight issue, the vulnerability revolves around how the Uniscribe component handles objects in memory, and an attacker who successfully exploits it could install programs; view, change, or delete user data; or create user accounts with full privileges. Microsoft rates this vulnerability Critical.

Internet Explorer and Edge

Microsoft's web browsers make their usual appearance, hosting multiple memory corruption vulnerabilities. An attacker who exploits these vulnerabilities by luring the user into viewing malicious content could remotely execute commands on the victim's system, view memory contents, and create user accounts with privileges equal to those of the victim user. Microsoft rates the most severe of these vulnerabilities Critical.

Graphics

Windows Graphics was patched for a remote code execution vulnerability. The vulnerability stems from the Windows font library improperly processing embedded fonts. An attacker who successfully exploits this vulnerability could take control of the affected system with privileges equal to that of the victim user. Microsoft has rated this vulnerability as Critical.

Legacy OS Patches

In an unusual twist, Microsoft released patches for legacy OSes, such as Windows XP, Vista, Server 2003, and Windows 8, to address the most severe vulnerabilities suspected of being leveraged by state-sponsored attackers. Microsoft makes it clear that this is not a change in policy toward any OS it considers unsupported; it is releasing these patches to shore up the Internet's overall security for users who cannot, or refuse to, move to supported operating systems. While these patches do resolve some vulnerabilities, numerous other vulnerabilities on these legacy systems remain unpatched. Users should still upgrade to a supported operating system if at all possible.