As Microsoft has released its patches for the month of June, Adam Nowak, Active Lead Engineer at Rapid7, has provided his commentary below.
Adam Nowak, Active Lead Engineer at Rapid7:
“June continues an ongoing trend with Microsoft’s products where the majority of bulletins (7) address remote code execution (RCE), with elevation of privilege as a close second (6); the three remaining bulletins address information disclosure (2) and denial of service. All critical bulletins are remote code execution vulnerabilities affecting a variety of products and platforms, including Edge, Internet Explorer, Microsoft Office, Office Services and Web Apps, as well as Windows (client and server). However, this month is missing resolutions for Adobe Flash issues; Adobe has recognised CVE-2016-4171 as being exploited in the wild (APSA16-03), but no solution is presently available.
Looking back at the last year of security bulletins, a resounding trend has emerged, and continues to be prominent; the majority of these bulletins address RCE. While Microsoft continues actively working on resolving these issues as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect consumer applications such as Edge, Internet Explorer, Microsoft Office and .NET. Unfortunately, this leads to one of the single largest attack vectors, consumers/end-users.
This month Microsoft resolves 36 vulnerabilities across 16 bulletins, with MS16-063, MS16-068, MS16-069, MS16-070 and MS16-080 as the bulletins to watch out for. Fortunately, at this time, no vulnerabilities are known to have been exploited in the wild. However, one vulnerability from MS16-068 is known to have been publicly disclosed (CVE-2016-3222).
Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as your user account. Your best protection against these threats is to patch your systems as quickly as possible. Administrators, be sure to review this month’s bulletins and, in accordance with your specific configuration, prioritise your deployment of this month’s updates. At a minimum, ensure that you patch systems affected by critical bulletins (MS16-063, MS16-068, MS16-069, MS16-070 and MS16-071).”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.