Microsoft has just released the patches for August. The details are available at http://technet.microsoft.com/en-us/security/bulletin/ms15-aug

There are a total of fourteen bulletins being released. Three of which are designated as CRITICAL for Windows operating systems prior to Windows 10, one is designated as CRITICAL for Edge web browser associated with Windows 10 (MS15-091) and the remaining ten are designated as IMPORTANT. The vulnerabilities being patched in bulletins MS15-079/MS15-083 could allow remote code execution. These are commonly used via drive by (web page) exploits or email attachments to compromise workstation operating systems.  In the case of Windows or Office vulnerabilities, remote code execution is exploitable via specially crafted files or media content.

The bulletins are identified as MS15-079/MS15-092

CRITICAL patches for August

The CRITICAL vulnerabilities apply to Internet Explorer, Edge, Windows, .NET Framework, Office, Lync and Silverlight, and could allow remote code execution if successfully exploited.

The IMPORTANT bulletins apply to Office, Windows and Microsoft Server software.

MS15-079 – Internet Explorer – CRITICAL

There are a total of thirteen vulnerabilities being patched in Internet Explorer (not all of which are designated as critical). Ten of the thirteen vulnerabilities would allow remote code execution if successfully exploited.  The majority of the remote code execution vulnerabilities are exploitable via memory corruption compromises.  Other mechanisms of compromise could allow the following exploits: Elevation of Privilege,  Information Disclosure, or Security Feature Bypass (such as Cross Site Scripting (XSS) filter bypass or Address Space Randomization Layout bypass).

As of this time, only one has been disclosed publicly and it does not allow remote code execution but would instead could allow Information Disclosure. Additionally, as of this time, no vulnerabilities are being actively exploited.

Note: The vulnerabilities are classified as MODERATE for Server operating systems such as Windows Server 2008 (32, 64 bit and Itanium), Server 2008R2, Server 2012 and Server 2012R2.

MS15-080 – Windows – Microsoft Graphics Component – CRITICAL

There are five CRITICAL remote code execution vulnerabilities being patched in Windows Graphics Component. The Windows Graphics Component is used in the following Microsoft products: Windows, .NET framework, Microsoft Office, Microsoft Lync and Silverlight. The vulnerability could allow remote code execution if the user opens a specially crafted document or visits an untrusted web page that contains embedded TrueType or OpenType fonts. As of this time, none of the Graphics Component vulnerabilities have been are currently being exploited.

Note: The vulnerability is rated as critical even for server versions of Windows Operating Systems (including server core only installations).

MS15-081 – Office – CRITICAL

There are eight vulnerabilities being patched both in desktop versions of Microsoft Office and also Office Services (such as SharePoint) and Web apps versions. The majority of the vulnerabilities in Office are not identified as CRITICAL nor are they classified as remote code execution. Some are designated as IMPORTANT and would allow Information Disclosure if successfully exploited.

As of this time, none of the Office vulnerabilities are currently being exploited.

MS15-082 – Windows – Remote Desktop Protocol – IMPORTANT

There are two important vulnerabilities being patched in Windows Remote Desktop Protocol. Depending on operating system, the vulnerabilities would not enable remote code execution and instead would allow a spoofing of connection origin. All current operating systems are potentially vulnerable to the spoofing condition (identified as CVE-2015-2472). However, only the following operating systems are vulnerable to the remote code execution vulnerability (identified in CVE-2015-2473): Windows 7 and Windows Server 2008R2.

As of this time, none of the Remote Desktop Protocol vulnerabilities are currently being exploited.

Note: By default, the RDP server service is not enabled on any Windows operating system. Systems that do not have the RDP server service enabled are not at risk.

MS15-083 –  Windows – Server Message Block – IMPORTANT  

There is one IMPORTANT remote code execution vulnerability being patched for Windows Server Message Block. The vulnerability exists only in Windows Vista and Windows Server 2008 (all versions). The vulnerability is also present for Server Core only installations of Server 2008.

MS15-084 –   Windows – XML core services –  IMPORTANT  

There is one Information Disclosure vulnerability being patched for all current versions of Microsoft Windows and Microsoft Office 2007 sp3 and Infopath 2007. The vulnerability is also present for Server Core only installations of Server 2008, Serve 2008R2 and Server 2012. There have been no reports of exploits being publicly available as of this time.

MS15-085 – Windows – Mount Manager – IMPORTANT 

There is one elevation of privilege vulnerability being patched in Windows Mount Manager for all currently supported versions of Windows. The vulnerability could allow elevation of privilege if an attacker inserts a malicious USB device into a target system. An attacker could then write a malicious binary to disk and execute it. Current information indicates that exploitation of this vulnerability has recently been detected.

MS15-086 – Windows System Operations Center  – IMPORTANT

There is one elevation of privilege vulnerability being patched in the System Operations Center component of Windows System Center 2012 and System Center 2012R2.  The vulnerability could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the affected website..  There have been no reports of exploits being publicly available as of this time.

MS15-087 – Windows Universal Description, Discovery and Integration (UDDI) services  – IMPORTANT

There is one elevation of privilege vulnerability being patched in the UDDI component of Windows. The vulnerability could allow elevation of privilege if an attacker engineered a cross-site scripting (XSS) scenario by inserting a malicious script into a webpage search parameter. A user would have to visit a specially crafted webpage where the malicious script would then be executed. The vulnerability exists in the following versions of Windows: Server 2008 (all versions), Server core only installations of Server 2008 and BizTalk Server 2010, 2013 and 2013R2. There have been no reports of exploits being publicly available as of this time.

MS15-088– Windows – Command Line Parameter Parsing  – IMPORTANT

There is one elevation of information disclosure vulnerability being patched in the command line parameter parsing function of Windows, Internet Explorer and Microsoft Office. To exploit the vulnerability an attacker would first have to use another vulnerability in Internet Explorer to execute code in the sandboxed process. The attacker could then execute Notepad, Visio, PowerPoint, Excel, or Word with an unsafe command line parameter to effect information disclosure. To be protected from the vulnerability, customers must apply the updates provided in this bulletin, as well as the update for Internet Explorer provided in MS15-079. Likewise, customers running an affected Microsoft Office product must also install the applicable updates provided in MS15-081.

There have been no reports of exploits being publicly available as of this time.

MS15-089 – Windows – WebDAV  – IMPORTANT

There is one information disclosure vulnerability being patched in the WebDAV module of all currently supported versions of Windows except Itanium and Windows 10. The vulnerability The vulnerability could allow information disclosure if an attacker forces an encrypted Secure Socket Layer (SSL) 2.0 session with a WebDAV server that has SSL 2.0 enabled and uses a man-in-the-middle (MiTM) attack to decrypt portions of the encrypted traffic. There have been no reports of exploits being publicly available as of this time.

MS15-090 – Windows – IMPORTANT

There are three elevation of privilege vulnerabilities being patched in the following modules of Windows: Object Manager, Windows Registry and Windows File System. The vulnerabilities exist in all Windows desktop and server versions including those with server core only installations. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application or convinces a user to open a specially crafted file that invokes a vulnerable sandboxed application, allowing an attacker to escape the sandbox. There have been no reports of exploits being publicly available as of this time.

MS15-091 – Windows 10 – Edge web browser  – IMPORTANT

There are four cumulative security updates being released for remote code execution vulnerabilities in the Edge web browser for Windows 10. Three of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. The fourth vulnerability being patched could allow information disclosure via address space randomization layout (ASLR) bypass. There have been no reports of exploits being publicly available as of this time.

MS15-092 – Windows – .NET framework version 4.6  – IMPORTANT

There are three vulnerabilities being patched in Windows .NET Framework version 4.6 that could allow elevation of privilege if a user runs a specially crafted .NET application. However, in all cases, an attacker would have no way to force users to run the application; an attacker would have to convince users to do so. The vulnerabilities exist in all workstation and server versions of Windows including those with server core only installations. There have been no reports of exploits being publicly available as of this time.

Adobe products
On August 11, patches were also released for Adobe Flash.

The updated version of Flash for Windows and Mac systems is 18.0.0.232. Details for the Adobe Flash patches are available at https://helpx.adobe.com/security/products/flash-player/apsb15-19.html

AgriLife ISO Recommendation

According to the Adobe links, the vulnerabilities for Flash are being actively exploited. Considering that issue and the fact that the Internet Explorer vulnerabilities are likely to be exploited in the near future, it is recommended that the August patches for Microsoft and Adobe products be applied as soon as possible to workstation and also server systems following appropriate testing.

Microsoft released their advance notice of the patches that are scheduled to be released for August 2013. The information is available at – http://technet.microsoft.com/en-us/security/bulletin/ms13-aug

There are a total of eight patches, three of which are identified as CRITICAL. The remaining five patches are designated as IMPORTANT.  Critical patches would allow remote code execution if successfully exploited.  Two of the patches designated as IMPORTANT would allow an elevation of privilege if exploited. The remaining three IMPORTANT patches would either allow a denial of service or information disclosure to occur.

Critical patches apply to the following Operating Systems and Applications: all versions of Internet Explorer when installed on Workstation Operating Systems (bulletin #1), Windows XP and Windows Server 2003 (bulletin #2) and Microsoft Exchange 2007SP3, 2010SP2 and SP3 and 2013 Cumulative update 1 and update 2 (bulletin #3).

As is normally the case, with the exception of bulletin #2 for Windows Server 2003, no patches for the month of August are assigned a critical designation when installed on Server operating systems.

No additional information is currently available.  It is currently unknown if the Internet Explorer vulnerabilities have been made public previously.  It is also currently unknown if reliable exploit code is expected within 30 days for the vulnerabilities scheduled to be addressed on August 13.  An update will be provided once the details have been made available.

As of this time, no other vendors have announced releases of patches for any third party products (such as Adobe Reader, Flash or Oracle Java).

Update August 13 1:30 p.m.

Microsoft has provided additional details on the patches that are being released on Tuesday, August 13. The eleven vulnerabilities identified in patch MS13-059 http://technet.microsoft.com/en-us/security/bulletin/ms13-059 (also known as August Bulletin #1) for Internet Explorer have not been disclosed publically prior to August 13. However, as reliable exploit code is expected for these vulnerabilities within the next 30 days, the AgriLife ISO recommendation is that that the patches be applied to all Windows workstations as soon as possible.

 

The patch identified as MS13-060 – http://technet.microsoft.com/en-us/security/bulletin/MS13-060  (also known as August Bulletin #2), only applies to Windows XP and Windows Server 2003 systems. While it is considered a critical vulnerability, reliable exploit code is not expected to be identified within the next 30 days.  Further, the vulnerability only applies to Windows XP or Server 2003 systems that have the Bengali font installed. The AgriLife ISO recommendation is that the patch should be applied to the applicable workstations and servers within the Unit based on applicability.

 

The patch identified as MS13-061 – http://technet.microsoft.com/en-us/security/bulletin/MS13-061 (also known as August Bulletin #3), applies to all currently supported Microsoft Exchange environments.  The patch addresses three vulnerabilities that exist in the Oracle Outside-In features that are included in Exchange 2007, 2010 and 2013. Two of the vulnerabilities are  applicable only to the Webready document viewing features of Outside In on Exchange 2007 and 2010. While it is not expected that reliable exploit code will be made public within the next 30 days, it is recommended that the Webready features of the Outlook Web Agent are disabled until the patch can be applied to Exchange 2007 and 2010 systems.  The AgriLife ISO recommendation is that the Oracle Outside-In Webready features be disabled until Microsoft patch MS13-061 can be applied.

The third patch only applies to the Data Loss Prevention features of Exchange 2013 (CVE-2013-3781).  As the AgriLife ISO is not aware of any AgriLife implementations of Exchange 2013, no risk is believed to exist and for that reason, no mitigation practices or patch deployment strategy is provided for vulnerability CVE-2013-3781.

 

On Thursday, August 4, Microsoft issued their advance notification of the patches scheduled to be released on Tuesday, August 9.   The notification identified two patches classified as CRITICAL, nine patches classified as IMPORTANT and two classified as MODERATE.  One of the CRITICAL patches applies to installations of Internet Explorer on current all workstation and server operating systems. The second CRITICAL patch only applies to the following Server Operating Systems: Windows Server 2003, Windows Server 2008 and Windows Server 2008R2.

 

The critical patches address vulnerabilities that would otherwise allow remote code execution to be performed if not addressed.  Two of the patches classified as IMPORTANT address remote code execution vulnerabilities.   Other vulnerabilities addressed with the IMPORTANT patches correct code that would allow systems to be compromised in the following manner if the systems were left unpatched: Elevation of Privilege, Denial of Service and Information Disclosure.

 

As of this time, it is unknown, if these vulnerabilities have been publically disclosed and for that reason, it is unknown if exploit code is already available or will materialize soon after Microsoft provides further details (on August 9).  Additional information and ISO recommendations will be provided as details are made available.

Update Aug 9

Additional information has been added to the following Microsoft URL – http://blogs.technet.com/b/msrc/archive/2011/08/09/a-live-bluehat-prize-webcast-and-the-august-2011-security-updates.aspx

In summary, the patches associated with Internet Explorer ( http://www.microsoft.com/technet/security/Bulletin/MS11-057.mspx ) include five privately reported vulnerabilities and two publicly reported vulnerabilities.  The publicly disclosed vulnerabilities are identified as moderate criticality.

The vulnerabilities patched in MS11-57 are strictly exposures for the workstation environment.  For that reason, it is recommended that the patches be applied to workstations as soon as possible.

With the exception of MS11-065 http://www.microsoft.com/technet/security/Bulletin/MS11-065.mspx , no publicly known exploits have been identified.

Additional information on server vulnerabilities

Microsoft Security Bulletin Summary for Aug 2011

• Internet Explorer 6-9 update – Critical

All current workstation and Server OSs are vulnerable to exploits addressed in patch MS11-057.  The designation of critical is only assigned to Windows workstation, Windows Server 2003 and Windows 2008 and 2008R2 Itanium installations.

• Vulnerabilities in Windows DNS server – Critical

Windows Server 2008 SP2 (32 and 64 bit) and Windows Server 2008R2 (base and SP1) have a critical vulnerability exposure to a specially crafted NAPTR query sent to a target Windows DNS server.  If left unpatched, exploitation could allow remote code execution. The vulnerability is patched in Microsoft update MS11-058.

NOTE: For all versions of Windows Server 2008, the server core installation is affected by this vulnerability.

Additionally, for installations of Windows Server 2003, the vulnerability is assigned a criticality of important as exploitation could only induce a denial of service condition.

Today we’re releasing our advance notification 
for the June (I think they meant July) security bulletin release, which is scheduled for Tuesday,
August 10. This month’s release is composed of 14 bulletins addressing
34 vulnerabilities in Windows, Microsoft Office, Internet Explorer, SQL,
and Silverlight. Eight of the bulletins carry a Critical severity
rating, and six are rated Important.

As always, we recommend that customers review the ANS summary page
for more information and prepare for the testing and deployment of these
bulletins as soon as possible.

For those who keep track of such things, this will be the most
bulletins we have ever released in a month; we have released 13
bulletins on a couple of occasions. However, in total CVE count, this
release ties with June 2010, so there’s no new record there. Please join
Adrian Stone and Jerry Bryant for a public webcast on Wednesday. We’ll
go into detail about all the bulletins and answer questions live on the
air. Register at the link below:

https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032454431

Update:
Summary –
OS Patches
There are six critical updates for Windows OSs, one for Internet Explorer and one for Office.
Of the 6 critical Windows updates, all apply to XP-SP3 (32 and 64 bit versions)
For the Windows Server 2003 SP2 OS (32 and 64 bit), only three of the updates are identified as critical (bulletins 1, 3 and 8)
For the Vista desktop OS (both 32 and 64 bit versions of SP1 and 2), three of the updates are identified as critical (bulletins 2, 6 and 8)
For the Windows Server 2008 SP2 OS, (32 and 64 bit versions), none are identified as critical for the ‘server core installation’
For the Windows 7 desktop OS, three are identified as critical (bulletins 2, 6 and 8)
For the 64 bit and Itanium versions of the Windows Server 2008R2 OS, only 1 is identified as critical (bulletin 8)

Internet Explorer patches
All versions (IE6-8) of Internet Explorer are assigned the critical rating regardless of which OS they are run on.

Office patches
Only the 2007SP2 version of Office is given a critical classification. Updates to all other Office versions are only identified as important.