Microsoft released 16 bulletins for June Patch Tuesday, including a mix of client and server side vulnerabilities.
Windows Server administrators should focus on MS16-071, which fixes a vulnerability in Microsoft DNS Server that could allow remote code execution if attackers send specially crafted requests to a DNS server, security analysts said.
The update is rated critical for all supported versions of Windows Server 2012 and Windows Server 2012 R2. The vulnerability could be very dangerous if the DNS server and Active Directory are run on the same machine, said Wolfgang Kandek, CTO of Qualys Inc., in Redwood City, Calif. Kandek recommends keeping key services on different machines when possible to prevent a vulnerability from spreading before it can be patched.
"The most dangerous factor here would be if your DNS server listens [for client requests] on the Internet," Kandek said. "The second problem would be DNS servers on an internal network. The possibility of attack is less likely if you're talking about your own customers. On the other hand, if it was more of an open network -- let's say a hotel or coffee shop -- then you're back to a very attackable scenario."
MS16-075 fixes an elevation of privilege vulnerability in Windows SMB Server, which is used for managing file shares. An attacker would need prior access to the machine and would have to run a specially crafted application that could execute arbitrary code. It is rated as important and affects all supported versions of Windows.
MS16-079 resolves four vulnerabilities in Exchange Server, the most severe of which could allow information disclosure if an attacker sends a specially crafted URL in an Outlook Web Access message that loads content from a URL the attacker controls. The bulletin is rated important for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016.
Bulletin MS16-081 resolves a denial of service vulnerability in Active Directory. The vulnerability is rated important for all supported editions of Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. On an unpatched system, an authenticated attacker can create multiple machine accounts, which could cause Active Directory to stop responding.
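The following PowerShell audit is an added example, not code from the article, Qualys or Microsoft. It checks a domain controller for the exposure factors raised above for MS16-071 (DNS co-located with Active Directory, DNS listening on non-private addresses) and MS16-081 (the machine account quota that governs how many computer accounts an ordinary authenticated user may create). It assumes the ServerManager, DnsServer and ActiveDirectory modules are installed, and the KB number is a placeholder because the article does not list one.

```powershell
# Added example (not from the article or Microsoft): audit a domain controller for the
# MS16-071 and MS16-081 exposure factors. Run in an elevated PowerShell on the DC.
# Assumes the ServerManager, DnsServer and ActiveDirectory modules are available.
Import-Module ServerManager, DnsServer, ActiveDirectory -ErrorAction Stop

$report = [ordered]@{}

# 1. Co-location: is the DNS Server role installed on the same host as AD DS?
$adds = (Get-WindowsFeature -Name AD-Domain-Services).Installed
$dns  = (Get-WindowsFeature -Name DNS).Installed
$report['ADDS_and_DNS_colocated'] = [bool]($adds -and $dns)

# 2. Exposure: which addresses does the DNS service accept queries on?
$settings = Get-DnsServerSetting -All
$listen = if ($settings.ListeningIPAddress) { $settings.ListeningIPAddress } else { $settings.AllIPAddress }
# Rough heuristic (assumption): anything outside RFC 1918 / loopback / link-local
# is treated as potentially Internet-facing and worth a closer look.
$public = @($listen | Where-Object {
    "$_" -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.|fe80:|::1$)'
})
$report['DNS_listeners']        = ($listen | ForEach-Object { "$_" }) -join ', '
$report['Public_DNS_listeners'] = ($public | ForEach-Object { "$_" }) -join ', '

# 3. MS16-081 exposure: how many machine accounts may a non-admin user create?
# ms-DS-MachineAccountQuota lives on the domain naming context; the default is 10.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
$report['MachineAccountQuota'] = $quota

# 4. Patch state: is the update installed? KB number is a PLACEHOLDER; substitute
# the KB Microsoft lists for the bulletin on the Security TechCenter page.
$kb = 'KB0000000'
$report['Hotfix_installed'] = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

[pscustomobject]$report | Format-List
```

A DC that reports co-located roles, one or more public listeners and the default quota of 10 matches the "most dangerous" configuration Kandek describes; the quota can be lowered (or set to 0) by administrators who do not need ordinary users to join machines to the domain, independently of applying the patch.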
This month's patches bring the total for the first half of 2016 up to 82. Microsoft could potentially reach 160 bulletins for the year, which would be a record for the past decade of patches. While Microsoft does not pay for vulnerabilities, there is a significant marketplace for exploits, Kandek said, and more people are getting into the vulnerability research business.
"I think we can expect more scrutiny on more products," Kandek said. "Researchers will actually use the opportunity to branch out to products that are not as well-known and look for vulnerabilities in there."
For more information about the June Patch Tuesday security bulletins, visit Microsoft's Security TechCenter site.