Don’t take off on that summer vacation just yet – Microsoft released another 16 security bulletins in today’s June Patch Tuesday and 5 of those are rated critical. While there are quite a few updates to be made, both on the client and server side, across a broad range of legacy and current code, the good news is none of them are under active exploit.
To tackle the batch of needed June updates, you will likely want to start with the browsers. If your users rely on IE, you have another cumulative update in MS16-063, which addresses 10 different vulnerabilities. The most critical of its fixes resolve vulnerabilities that could allow remote code execution should one of your users encounter a compromised or truly malicious web page. If you use Edge, apply MS16-068 right away. This is also a cumulative update, and it resolves a possible remote code execution.
You will also want to pay close attention to another critical update, this time for Adobe Flash in APSA16-03. While the update is not due out until June 16 according to the Security Incident Response Team, there are reports of active exploits for CVE-2016-4171. Windows, Mac, Linux and Chrome are all impacted.
Returning to the Microsoft updates, correction of script engine vulnerabilities continues from last month. MS16-069 is a cumulative update for JScript and VBScript. You’ll notice that the same scripting vulnerabilities, CVE-2016-3205, CVE-2016-3206, and CVE-2016-3207, also appear in the IE cumulative update. Also noteworthy is MS16-071, which resolves a critical vulnerability in Windows DNS Server. Again, remote code execution is possible with user interaction.
Rounding out the critical bulletins is MS16-070. This update for Office addresses an issue that could result in remote code execution if a malicious file is opened. User interaction is a distinct theme overall this month. It may be a good time to do another round of user education to head off a few of these exploits. Phishing emails with attachments advertising the latest election polls, NBA finals commentary, or summer sales may deliver more than your users expect!
The host of important bulletins is of course worth addressing too, particularly if you are still using legacy systems. It appears Microsoft has picked up some of the backlog and done some important spring cleaning, just in time for your summer. Good luck.