It's [month] of 2016, and your Windows PC can still be owned by [document type] (Patch Tuesday)

The Register ^ | Jun 14, 2016 | Shaun Nichols

[dayglored]

The Microsoft Security Bulletin

Critical fixes for Office, Internet Explorer, and Windows DNS Server highlight this month's edition of Patch Update Tuesday.

The Redmond Windows slinger has kicked out 16 bulletins this month, five rated as "critical" and the remaining 11 considered "important" risks.

[Detailed listing clipped, see comment]

Not to be outdone, Adobe is also dumping a load of patches for the second Tuesday of the month.

The Adobe patches include an actively targeted vulnerability in Flash and multiple updates for ColdFusion, Brackets, Creative Cloud desktop application and DNG SDK.

[dayglored]

You know the drill...

• MS16-063 addresses 10 CVE-listed vulnerabilities in Internet Explorer 11 running on Windows 7 through Windows 10. The fix includes remote code execution flaws exploited through malicious web pages.
• MS16-068 is a fix for eight CVE-listed flaws in Edge. Like the IE flaws, the Edge vulnerabilities would allow remote code execution simply by viewing a web page on the Edge browser.
• MS16-069 addresses three flaws in the VBscript and JScript engines in Windows Vista and Server 2008/R2. The flaws would allow remote code execution by way of a specially crafted website.
• MS16-070 patches critical flaws in Microsoft Office that could be exploited by opening a malicious Office file. The update fixes three remote code execution flaws and one information disclosure vulnerability.
• MS16-071 patches a single CVE-listed remote code execution vulnerability in Windows Server 2012 and Server 2012 R2. The flaw would allow remote code execution by sending malicious DNS requests.
• MS16-072 addresses a vulnerability in Group Policy for Windows Vista through Windows 10. The flaw, CVE-2016-3223, would allow for a man-in-the-middle data collection.
• MS16-073 is a fix for three CVE flaws that allow elevation of privilege or remote code execution in Windows Vista through Windows 10 boxes and and Windows Server 2008-2012 when an attacker is able to launch a specially-crafted application.
• MS16-074 patches three flaws in Windows that allow information disclosure or remote code execution by loading a malicious website or document.
• MS16-075 is a vulnerability in Windows SMB server that allows for elevation of privilege if a user logs into a compromised server and loads a malicious application.
• MS16-076 patches a remote code execution in NetLogon for Windows Server 2008 and 2012. An attacker could target the flaw by running a specially crafted application on the targeted network.
• MS16-077 patches two vulnerabilities in the Windows Web Proxy Auto-Discovery that could allow elevation of privilege when a system attempts to target a new proxy.
• MS16-078 updates a previously patched vulnerability in the SAM and LSAD components for Windows Vista through Windows 10 and Windows Server 2008-2012.
• MS16-079 addresses four elevation of privilege and information disclosure vulnerabilities in Outlook Web Access for Windows. An attacker could use the flaw to load a message without filtering or warning.
• MS16-080 addresses two information disclosure and one remote code execution flaw in Windows when viewing a malicious PDF file. The vulnerability is present in both Windows 8.1 and Windows 10 systems.
• MS16-081 is a flaw in Active Directory for Windows Server 2008 and 2012 that could allow an attacker to perform a denial-of-service attack on a targeted server.
• MS16-082 is a denial-of-service vulnerability in Windows 7 through Windows 10 and Windows Server 2008 and 2012. The flaw could be targeted by an attacker logging into a system and running a malicious application.

[dayglored]

Patch Tuesday (yesterday) ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

[PAR35]

In Win7, I know how to pick and choose which updates to run and which to not install, but how do you do that in Win10. I’ve been blocking all updates on my Win10 machine so I can keep it functional after I had to roll back to a restore point, but that seems to block Defender updates, as well.

At least I tested 10 before I let it install on my main box.

[rockrr]

You no longer have control over patching with Win-10.

Even with the Enterprise version of the OS, you have some (small) measure of when you apply patches, but not if. Should you fall too far behind Microsoft delivers incessant spam warning of dire consequences unless you "get yourself right" with them.

The people I work for suspended their Win-10 migration project for a year because of this. My question to them was, "You think it's going to be any better next year?"

[hsmomx3]

I use Firefox 99% of the time and when it tells me my flash needs to be updated, I update but when I get back into my FF browser it still says needs to be updated even though Adobe tells me it has been.

Also, anybody else getting pop-ups from Windows Defender asking if they can send FF roaming info to MSFT to help them make Defender better?

[deoetdoctrinae]

[Dalberg-Acton]

No patches from Microsoft are allowed on my PC. They have proven they are not to be trusted.
Thanks anyway.

[minnesota_bound]

Bing! err... ping for later.

[dayglored]

One of the bad bugs patched yesterday affected every version of Windows from Win95 onward -- 20 years worth.

Of course, the unsupported operating systems Win95, Win98, WinME, Win2000, and WinXP WILL NOT GET FIXED, since they don't get security updates any more.

FreeRepublic thread on this bug:

'BadTunnel' Bugs Left Every Microsoft Windows PC Vulnerable For 20 Years - http://www.freerepublic.com/focus/chat/3440619/posts

Thanks to Utilizer for posting that thread!

[Utilizer]

Bless you, mate. I try so hard to make certain the customers I support are kept aware of security issues, and of course then I want to make the FReepers aware also so your untiring efforts in spreading the information out are much appreciated.

Cheers! :)