
Security Update for Internet Explorer

June 29, 2015

This month’s updates include a cumulative security update for Internet Explorer (MS15-056) that fixes 24 vulnerabilities, critical flaws that can lead to remote code execution (RCE), which an attacker could only trigger through a user visiting a malicious webpage. All versions of IE and Windows are affected, so it would be wise to patch this first and quickly.

MS15-057 fixes a security hole that could also allow remote code execution if Windows Media Player opens specially crafted media content hosted on a malicious site, allowing an attacker to take complete control of an affected system remotely. This bulletin is rated critical in Windows 7, Vista, and Windows Server 2008 R2 and earlier versions.

Four of the remaining six updates affect Windows. The most interesting is MS15-061, which includes fixes for 11 Windows kernel vulnerabilities. Of that total, seven were reported as part of Google Project Zero and apparently fixed before Google’s automatic disclosure was triggered. Then there’s a security update for Office, which patches a vulnerability in Microsoft Office 2010 and 2013; Office 365 subscribers would have received this and other updates automatically. Lastly, there’s a security update for Microsoft Exchange that addresses vulnerabilities that can result in elevation of privilege.

Summary:

Today Microsoft released 8 bulletins, only two of which are rated as Critical and six rated as Important, that address a total of 45 vulnerabilities. The two critical security updates both resolve remote code execution (RCE) vulnerabilities. The associated KB articles have been published, and we want to give you a quick heads-up about what to expect for this patch cycle.


Bulletin ID: MS15-056

Cumulative Security Update for Internet Explorer (3058515)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 
Maximum Severity Rating and Vulnerability Impact: Critical, Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows, Internet Explorer


Bulletin ID: MS15-057

Vulnerability in Windows Media Player Could Allow Remote Code Execution (3033890)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Windows Media Player opens specially crafted media content that is hosted on a malicious website. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. 
Maximum Severity Rating and Vulnerability Impact: Critical, Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows


Bulletin ID: MS15-059

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3064949)
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 
Maximum Severity Rating and Vulnerability Impact: Important, Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office


Bulletin ID: MS15-060

Vulnerability in Microsoft Common Controls Could Allow Remote Code Execution (3059317)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user clicks a specially crafted link, or a link to specially crafted content, and then invokes F12 Developer Tools in Internet Explorer. 
Maximum Severity Rating and Vulnerability Impact: Important, Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows


Bulletin ID: MS15-061

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057839)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
Maximum Severity Rating and Vulnerability Impact: Important, Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows


Bulletin ID: MS15-062

Vulnerability in Active Directory Federation Services Could Allow Elevation of Privilege (3062577)
This security update resolves a vulnerability in Microsoft Active Directory Federation Services (AD FS). The vulnerability could allow elevation of privilege if an attacker submits a specially crafted URL to a target site. Due to the vulnerability, in specific situations specially crafted script is not properly sanitized, which subsequently could lead to an attacker-supplied script being run in the security context of a user who views the malicious content. For cross-site scripting attacks, this vulnerability requires that a user be visiting a compromised site for any malicious action to occur. 
Maximum Severity Rating and Vulnerability Impact: Important, Elevation of Privilege
Restart Requirement: Does not require restart
Affected Software: Microsoft Windows


Bulletin ID: MS15-063

Vulnerability in Windows Kernel Could Allow Elevation of Privilege (3063858)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker places a malicious .dll file in a local directory on the machine or on a network share. An attacker would then have to wait for a user to run a program that can load a malicious .dll file, resulting in elevation of privilege. However, in all cases an attacker would have no way to force a user to visit such a network share or website. 
Maximum Severity Rating and Vulnerability Impact: Important, Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Windows


Bulletin ID: MS15-064

Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3062157)
This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow elevation of privilege if an authenticated user clicks a link to a specially crafted webpage. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message. 
Maximum Severity Rating and Vulnerability Impact: Important, Elevation of Privilege
Restart Requirement: Does not require restart
Affected Software: Microsoft Exchange Server
