As part of the June Patchday 2019, Microsoft has released five critical security bulletins. The updates for Windows DNS Server and Office are likely to be particularly important for companies; a cumulative update for Internet Explorer was also delivered.
With security bulletin MS16-063, Microsoft belatedly rolled out the update package for Internet Explorer (IE) that was skipped in May. The update fixes critical holes in IE 9 and IE 11 on client machines; on Windows servers Microsoft sees a moderate risk.
In the worst case, an external attacker can execute code remotely (Remote Code Execution, RCE) on affected machines if the victim opens a specially crafted website with the browser. Among other things, the patch adjusts the handling of objects in memory and proxy detection.
The Edge browser introduced with Windows 10 is not spared from RCE vulnerabilities either. These are addressed by the critical patch MS16-068. Again, specially crafted websites can enable attacks, but the new browser also has weaknesses when handling documents such as PDFs.
Manipulated documents can currently prove fatal for Microsoft Office. The risk varies depending on the system configuration. However, the security update MS16-070 is being rolled out for nearly all Office products, from Office 2007 through Office 2010, 2013 and 2013 RT to Office 2019.
The Mac versions 2011 and 2019, in turn, must be updated urgently. The update is still important for the Office Compatibility Packs, Word and Visio Viewer, Office Online Server, and the 2010 and 2013 versions of SharePoint Server and Office Web Apps.
The fifth critical security bulletin, MS16-071, concerns companies using Windows Server 2012 and 2012 R2 as DNS servers. Windows Server Technical Preview 5 is also affected. In this case, remote code execution is possible if an attacker sends specially crafted requests to the DNS server. The update is intended to modify the processing of DNS requests and requires a system reboot.
DoS and potential elevation of privilege
The June Patchday is rounded out by eleven more updates classified as “Important”. Two of them address denial-of-service vulnerabilities in Active Directory (MS16-081) and Windows Search (MS16-082). Less critical RCE vulnerabilities were found in Netlogon (MS16-076) and Windows PDF (MS16-080). The update MS16-079, meanwhile, is intended to prevent Microsoft Exchange Server from unintentionally disclosing information.
Six security bulletins are intended to prevent unwanted elevation of privilege. They apply to Group Policy (MS16-072), Kernel-Mode Driver (MS16-073), Microsoft Graphics Components (MS16-074), SMB Server (MS16-075), Web Proxy Auto Discovery (WPAD, MS16-077), and the Diagnostic Hub (MS16-078).