Microsoft has just released the patches for August. The details are available at http://technet.microsoft.com/en-us/security/bulletin/ms15-aug
There are a total of fourteen bulletins being released. Three are designated as CRITICAL for Windows operating systems prior to Windows 10, one is designated as CRITICAL for the Edge web browser associated with Windows 10 (MS15-091) and the remaining ten are designated as IMPORTANT. The vulnerabilities being patched in bulletins MS15-079/MS15-083 could allow remote code execution. These are commonly used via drive-by (web page) exploits or email attachments to compromise workstation operating systems. In the case of Windows or Office vulnerabilities, remote code execution is exploitable via specially crafted files or media content.
The bulletins are identified as MS15-079/MS15-092
CRITICAL patches for August
The CRITICAL vulnerabilities apply to Internet Explorer, Edge, Windows, .NET Framework, Office, Lync and Silverlight, and could allow remote code execution if successfully exploited.
The IMPORTANT bulletins apply to Office, Windows and Microsoft Server software.
MS15-079 – Internet Explorer – CRITICAL
There are a total of thirteen vulnerabilities being patched in Internet Explorer (not all of which are designated as critical). Ten of the thirteen vulnerabilities would allow remote code execution if successfully exploited. The majority of the remote code execution vulnerabilities are exploitable via memory corruption. The remaining vulnerabilities could allow Elevation of Privilege, Information Disclosure, or Security Feature Bypass (such as Cross-Site Scripting (XSS) filter bypass or Address Space Layout Randomization (ASLR) bypass).
As of this time, only one has been disclosed publicly; it does not allow remote code execution but instead could allow Information Disclosure. Additionally, as of this time, no vulnerabilities are being actively exploited.
Note: The vulnerabilities are classified as MODERATE for Server operating systems such as Windows Server 2008 (32, 64 bit and Itanium), Server 2008R2, Server 2012 and Server 2012R2.
MS15-080 – Windows – Microsoft Graphics Component – CRITICAL
There are five CRITICAL remote code execution vulnerabilities being patched in Windows Graphics Component. The Windows Graphics Component is used in the following Microsoft products: Windows, .NET Framework, Microsoft Office, Microsoft Lync and Silverlight. The vulnerabilities could allow remote code execution if the user opens a specially crafted document or visits an untrusted web page that contains embedded TrueType or OpenType fonts. As of this time, none of the Graphics Component vulnerabilities are currently being exploited.
Note: The vulnerability is rated as critical even for server versions of Windows Operating Systems (including server core only installations).
MS15-081 – Office – CRITICAL
There are eight vulnerabilities being patched both in desktop versions of Microsoft Office and also Office Services (such as SharePoint) and Web apps versions. The majority of the vulnerabilities in Office are not identified as CRITICAL nor are they classified as remote code execution. Some are designated as IMPORTANT and would allow Information Disclosure if successfully exploited.
As of this time, none of the Office vulnerabilities are currently being exploited.
MS15-082 – Windows – Remote Desktop Protocol – IMPORTANT
There are two important vulnerabilities being patched in Windows Remote Desktop Protocol. Depending on the operating system, the vulnerabilities would not enable remote code execution and instead would allow spoofing of the connection origin. All current operating systems are potentially vulnerable to the spoofing condition (identified as CVE-2015-2472). However, only the following operating systems are vulnerable to the remote code execution vulnerability (identified as CVE-2015-2473): Windows 7 and Windows Server 2008R2.
As of this time, none of the Remote Desktop Protocol vulnerabilities are currently being exploited.
Note: By default, the RDP server service is not enabled on any Windows operating system. Systems that do not have the RDP server service enabled are not at risk.
MS15-083 – Windows – Server Message Block – IMPORTANT
There is one IMPORTANT remote code execution vulnerability being patched for Windows Server Message Block. The vulnerability exists only in Windows Vista and Windows Server 2008 (all versions). The vulnerability is also present for Server Core only installations of Server 2008.
MS15-084 – Windows – XML core services – IMPORTANT
There is one Information Disclosure vulnerability being patched for all current versions of Microsoft Windows and Microsoft Office 2007 SP3 and InfoPath 2007. The vulnerability is also present for Server Core only installations of Server 2008, Server 2008R2 and Server 2012. There have been no reports of exploits being publicly available as of this time.
MS15-085 – Windows – Mount Manager – IMPORTANT
There is one elevation of privilege vulnerability being patched in Windows Mount Manager for all currently supported versions of Windows. The vulnerability could allow elevation of privilege if an attacker inserts a malicious USB device into a target system. An attacker could then write a malicious binary to disk and execute it. Current information indicates that exploitation of this vulnerability has recently been detected.
MS15-086 – Windows System Operations Center – IMPORTANT
There is one elevation of privilege vulnerability being patched in the System Operations Center component of Windows System Center 2012 and System Center 2012R2. The vulnerability could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the affected website. There have been no reports of exploits being publicly available as of this time.
MS15-087 – Windows Universal Description, Discovery and Integration (UDDI) services – IMPORTANT
There is one elevation of privilege vulnerability being patched in the UDDI component of Windows. The vulnerability could allow elevation of privilege if an attacker engineered a cross-site scripting (XSS) scenario by inserting a malicious script into a webpage search parameter. A user would have to visit a specially crafted webpage where the malicious script would then be executed. The vulnerability exists in the following versions of Windows: Server 2008 (all versions), Server core only installations of Server 2008 and BizTalk Server 2010, 2013 and 2013R2. There have been no reports of exploits being publicly available as of this time.
MS15-088 – Windows – Command Line Parameter Parsing – IMPORTANT
There is one information disclosure vulnerability being patched in the command line parameter parsing function of Windows, Internet Explorer and Microsoft Office. To exploit the vulnerability, an attacker would first have to use another vulnerability in Internet Explorer to execute code in the sandboxed process. The attacker could then execute Notepad, Visio, PowerPoint, Excel, or Word with an unsafe command line parameter to effect information disclosure. To be protected from the vulnerability, customers must apply the updates provided in this bulletin, as well as the update for Internet Explorer provided in MS15-079. Likewise, customers running an affected Microsoft Office product must also install the applicable updates provided in MS15-081.
There have been no reports of exploits being publicly available as of this time.
MS15-089 – Windows – WebDAV – IMPORTANT
There is one information disclosure vulnerability being patched in the WebDAV module of all currently supported versions of Windows except Itanium and Windows 10. The vulnerability could allow information disclosure if an attacker forces an encrypted Secure Sockets Layer (SSL) 2.0 session with a WebDAV server that has SSL 2.0 enabled and uses a man-in-the-middle (MiTM) attack to decrypt portions of the encrypted traffic. There have been no reports of exploits being publicly available as of this time.
MS15-090 – Windows – IMPORTANT
There are three elevation of privilege vulnerabilities being patched in the following modules of Windows: Object Manager, Windows Registry and Windows File System. The vulnerabilities exist in all Windows desktop and server versions including those with server core only installations. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application or convinces a user to open a specially crafted file that invokes a vulnerable sandboxed application, allowing an attacker to escape the sandbox. There have been no reports of exploits being publicly available as of this time.
MS15-091 – Windows 10 – Edge web browser – IMPORTANT
There are four cumulative security updates being released for remote code execution vulnerabilities in the Edge web browser for Windows 10. Three of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. The fourth vulnerability being patched could allow information disclosure via address space layout randomization (ASLR) bypass. There have been no reports of exploits being publicly available as of this time.
MS15-092 – Windows – .NET framework version 4.6 – IMPORTANT
There are three vulnerabilities being patched in Windows .NET Framework version 4.6 that could allow elevation of privilege if a user runs a specially crafted .NET application. However, in all cases, an attacker would have no way to force users to run the application; an attacker would have to convince users to do so. The vulnerabilities exist in all workstation and server versions of Windows including those with server core only installations. There have been no reports of exploits being publicly available as of this time.
Adobe products
On August 11, patches were also released for Adobe Flash.
The updated version of Flash for Windows and Mac systems is 18.0.0.232. Details for the Adobe Flash patches are available at https://helpx.adobe.com/security/products/flash-player/apsb15-19.html
AgriLife ISO Recommendation
According to the Adobe links, the vulnerabilities for Flash are being actively exploited. Considering that issue and the fact that the Internet Explorer vulnerabilities are likely to be exploited in the near future, it is recommended that the August patches for Microsoft and Adobe products be applied as soon as possible to workstation and also server systems following appropriate testing.