Microsoft has just released the patches for June. The details are available at https://technet.microsoft.com/library/security/ms15-jun
There are a total of eight bulletins, two of which are designated as CRITICAL and the remaining six are designated as IMPORTANT. The vulnerabilities being patched in bulletins MS15-056 through MS15-060 are remote code execution. These are commonly used via drive by (web page) exploits to compromise workstation operating systems. In the case of Windows or Office vulnerabilities, remote code execution is exploitable via specially crafted files or media content.
The bulletins are identified as MS15-056/MS15-064
Note: Bulletin MS15-058 had no details provided by Microsoft.
CRITICAL patches for June
The CRITICAL vulnerabilities apply to Internet Explorer and Windows, and could allow remote code execution if successfully exploited.
However, other sources have identified patch MS15-059 (for Microsoft Office) as critical for workstation operating systems.
The IMPORTANT bulletins apply to Office, Windows, and Microsoft Exchange systems.
MS15-056 – Internet Explorer
There are a total of twenty-one remote code execution vulnerabilities (and three vulnerabilities classified as Elevation of Privilege or Information Disclosure ) being patched in Internet Explorer. As of this time, only one has been disclosed publicly and actively being exploited. The vulnerability being exploited is not a remote code execution. It is one of Information Disclosure.
Note: The vulnerabilities are classified as MODERATE for Server operating systems.
MS15-057 – Windows
There is one remote code execution vulnerability being patched in Windows Media Player.
MS15-058 – Windows
Unknown. There are currently no details provided by Microsoft on bulletin MS15-058.
MS15-059 – Office (classified as IMPORTANT by Microsoft but CRITICAL by SANS – https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+Summary+for+June+2015/19781/ )
There are three remote code execution vulnerabilities being patched in all currently supported versions of Microsoft Office (Macintosh and Windows). There have been no reports of exploits being publicly available as of this time.
MS15-060 – Microsoft Common Controls – AKA IE developer tools (classified as IMPORTANT by Microsoft)
There is one remote code execution vulnerability being patched for Microsoft Common Controls. The vulnerability has been publically disclosed but there are no reports of exploit code currently being available.
MS15-061 – Kernel Mode Drivers – (classified as IMPORTANT by Microsoft)
There are four elevation of Privilege vulnerabilities being patches for Windows Kernel Mode drivers. There have been no reports of exploits being publicly available as of this time.
MS15-062 – XSS (cross site scripting vulnerability) in Active Directory Federation services – (classified as IMPORTANT by Microsoft)
There is one elevation of privilege cross site scripting vulnerability being patched for in Windows Active Directory Federation Services. There have been no reports of exploits being publicly available as of this time. The vulnerability only applies to Windows Server 2008, 2008R2 and 2012.
MS15-063 – Windows Kernel – (classified as IMPORTANT by Microsoft)
There is one elevation of privilege vulnerability being patched for in Windows Kernel. There have been no reports of exploits being publicly available as of this time.
MS15-064 – Microsoft Exchange – (classified as IMPORTANT by Microsoft)
There are three of privilege vulnerabilities being patched for in Windows Exchange Web applications. There have been no reports of exploits being publicly available as of this time. The vulnerabilities only apply to Microsoft Exchange 2013 update 1 and Exchange 2013 Cumulative update 8.
Patches are also being released for Adobe Flash. The updated versions of Flash are 184.108.40.206 and 220.127.116.11 (Flash on Macintosh).
Details for the Adobe patches are available at
AgriLife ISO Recommendation
According to the Adobe links, the vulnerabilities for Flash are being actively exploited. Considering that issue and the fact that the Internet Explorer vulnerabilities are likely to be exploited in the near future, it is recommended that the June patches for Microsoft and Adobe products be applied as soon as possible to workstation systems and when feasible for server systems following appropriate testing.
Update June 11 – This would probably be an appropriate opportunity to remind customers that in many cases, Adobe Flash is no longer required as a plugin for web browsers. Many websites now default to HTML5 as opposed to Flash for playback of video content. If Adobe Flash is not required, the best recommendation is to remove it where possible.