Adobe Overshadows Last Microsoft Patch Tuesday

In the last Patch Tuesday before users may upgrade their Windows operating systems to Windows 10 on July 29 and subsequently adopt a changed patching process, we have 14 updates to deal with from Microsoft that address 59 total vulnerabilities. Equally important, however, are the three 0-days in Adobe Flash Player and an impending 193 new fixes from Oracle, 25 of which will be for Java. Put your summer vacation on hold; it's definitely a crazy month.

Last week's hacktivist attack on the Italian surveillance firm The Hacking Team, which reportedly sells exploits to anyone willing to pay for them, resulted in 400 GB of stolen data free for the taking. Unearthed in that data dump to date were three 0-days in Adobe Flash Player. Consequently, first on your priority list this month should be the new update from Adobe, APSB15-18. This covers the 2 newest 0-days in Flash, CVE-2015-5122 and CVE-2015-5213. Reportedly, one is under active attack. The third 0-day, CVE-2015-5119, was patched out-of-band late last week with APSB15-16. Together, the three exploits impact Flash versions 9.0 through in Windows, Mac and Linux and bring Flash to its 11th update overall in 2015 alone. If you must use Flash, be sure you have the current version, which you can download here. The safer bet, however, is to uninstall the long-risky media player once and for all. If you use Firefox, you'll see they blocked Flash entirely this week, in light of the three new 0-days.

Once you've updated Adobe, turn your attention to the 14 Microsoft updates, 4 of which are critical this month. If you use IE, MS15-065 should be first priority. Another cumulative update for IE, this patch addresses 29 total CVEs in the popular browser. Some are saying one vulnerability, CVE-2015-2425, may come from the Hacking Team hack as well, so overall, the release of that data has generally wreaked havoc on all of our systems this month. We will all have to diligently follow this story, continue to patch newly discovered vulnerabilities, and train the troops.

Second, take a look at MS15-070, which patches 8 CVEs in Office and SharePoint Server 2007, 2010 and 2013. One is under active exploit. MS15-077 is also an important one to address quickly because it too is under active exploit. This addresses a vulnerability in Adobe Type Manager.

Once you've worked through the Adobe updates and these first three from Microsoft, you should also take a look at Java. They are also dealing with a new 0-day thanks to the Hacking Team, their first since 2013. It involves a separate Windows vulnerability, CVE-2012-015, which Microsoft addressed in 2012 in bulletin MS12-027. Oracle is planning to release updates today to Java JRE to address 25 total security vulnerabilities, 23 of which can be exploited remotely.

Lastly, don't forget July is the last month Microsoft will patch Windows Server 2003. If you look at the 14 bulletins from Microsoft, you'll see 9 of them affect Server 2003. It's time to migrate.