icetray - Fotolia

Patch Tuesday fixes focus on Office, IE, Exchange Server

June proves less buggy for Microsoft as Redmond issues only two critical patches targeting Internet Explorer and Windows Media Player.

Microsoft kicked off the summer patching season by taking it easy on systems administrators, delivering only two critical fixes for June involving Internet Explorer and Windows Media Player.

Perhaps the more important of the two critical patches for corporate users is the security update for IE which addresses 24 vulnerabilities in all, the most severe of which could allow remote code execution if end users view a "specially crafted" Web page. The critical update applies to all supported versions of IE on affected Windows clients and is rated moderate on affected servers.

It essentially fixes the vulnerabilities by preventing browsers histories from being accessed by a malicious site and provides additional permission validations to IE and modifies how the browser handles objects in memory.

Amol Sarwate, director of vulnerability labs for Qualys Inc., based in Redwood City, Calif., said the IE update was a top priority for his company. Noting Microsoft's growing concern over security threats to IE, he said the company recently started releasing updates for the browser every month as opposed to every other month.

The second critical update also addresses a remote code execution vulnerability in Windows Media Player that could allow an attack to take complete control of an affected system remotely. While fixes to the Media Player aren't as much of a concern for corporate shops today -- most people play music and other media from more trusted  streaming services  such as Spotify or YouTube these days -- Sarwate said it still deserves end users' attention.

"This is still a critical remote code execution vulnerability, so if a user happens to click on an infected file, it can take complete control of system and the consequences can be significant," Sarwate said.

Another high priority patch, although it was not released by Microsoft, was for the Adobe Flash Player. The update addresses 13 vulnerabilities that could potentially give an attacker access to the system. The majority of the flaws that were patched involved memory corruption issues, including a memory address randomization issue of the flash heap for Windows 7 64-bit. 

Adobe recommended that users of Flash Player Desktop runtime for Windows and Mac update to Adobe Flash Player 180.0.160 and users of Flash Player Extended Support Release update to Flash Player

"The patch for Adobe Flash Player falls in the top three fixes this month because it has become very popular over the past year to exploit them," Sarwate said.

Another patch, not critical, but deemed important, addresses a vulnerability in Microsoft Office that again permits remote code execution if end users open a "specially crafted file."  These  can be a Word document  that an attacker has altered using a binary editor. When an end user clicks on the infected file, it triggers a remote control execution on the end user's machine.

"We rated this high because of the widespread use of Office in Fortune 500 companies as well as home users," Sarwate said. "This vulnerability is pretty old school in the way it gets executed."

The update applies to all supported editions of Microsoft Office Compatibility Pack Service Pack 3, Microsoft Office 2010, and Microsoft Office 2013 and 2013 RT. 

Active Directory vulnerability addressed

Another important update addresses an elevation of privilege vulnerability in Active Directory Federation Services (ADFS) if an attacker submits a specially crafted URL to the target site. If a specially crafted script is not properly sanitized, this vulnerability, in some cases, could lead to an attacker's script being run in the security context of an end user who accesses the malicious content.    

"AD is one of the crown jewels inside many organizations because it has information about all your users and depending on the type of vulnerability it could be pretty bad," Sarwate said. "But AD servers are not typically exposed to the Internet so someone would need to break inside to access those servers, and they would also need some credentials to elevate their privileges to run those vulnerabilities. So it is a two-step approach."

One last important update addresses an elevation of privilege vulnerability in Exchange Server by modifying how Exchange Web applications manage same-origin policy and user session authentication, as well as correcting how Exchange web applications sanitize HTML strings. Exchange admins will especially want to fix these issues, Sarwate said, since Exchange is another crown jewel for many organizations.

The proliferation of tools hackers use to quickly detect what has been fixed and not fixed almost immediately after a patch has been released is concerning, Sarwate said. These binary tools can look at two DLLs, the one before the fix and then the one after the fix, and then reverse engineer it to see exactly where the vulnerability was.

"This is why it is important in the Microsoft world to patch everything quickly," Sarwate said. "Once the patches are released the race starts between the hacker reverse engineering and the systems administrators applying the patches."

Tayla Holman is the assistant site editor for and can be reached at [email protected]. Ed Scannell is a senior executive editor at TechTarget. He can be reached at [email protected].  

Dig Deeper on Windows Server troubleshooting