Webpages, Word files, print servers menacing Windows PCs – yup, it's Patch Tuesday

Plus: 52 security bugs fixed in Adobe Flash


Microsoft will fix critical holes in Internet Explorer, Edge, Office and Windows with this month's Patch Tuesday security bundle. Meanwhile, Adobe has patched dozens of exploitable vulnerabilities in its Flash player.

Redmond's July release includes 11 sets of patches, six rated as "critical" and five classified as "important." The highlights are: a Secure Boot bypass, evil print servers executing code on vulnerable machines, booby-trapped webpages and Office files injecting malware into PCs, and the usual clutch of privilege elevation flaws.

Get patching now before miscreants develop and distribute code exploiting the programming blunders. As far as we can tell, none of the bugs below are being exploited in the wild right now.

  • MS16-084 is a cumulative fix for Internet Explorer that addresses 15 CVE-listed vulnerabilities, including five memory corruption bugs and four scripting engine memory corruption bugs that can be exploited to execute code remotely on vulnerable machines. In other words, opening up a booby-trapped website that exploits these flaws could lead to malware infecting your PC.

    "The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user," said Microsoft.

  • MS16-085 is also a cumulative browser fix, this time for the new Edge browser. Among the 13 CVE-listed holes in Edge are five remote code execution flaws in the Chakra JavaScript engine. Also patched are three information disclosure flaws, three spoofing vulnerabilities, and two other memory corruption flaws. Again, a malicious webpage could use these security holes to infect PCs with software nasties.
  • MS16-088 patches seven memory corruption vulnerabilities in Office. The flaws could allow remote code execution if a booby-trapped file is opened as a local document, or information disclosure if targeted at SharePoint or Office Web Apps server. Office for Mac users will receive an update as well. Basically, malicious software can be smuggled in Office documents and will infect computers when opened.
  • MS16-094 remedies a security bypass flaw in Windows Secure Boot. An attacker with admin or physical access – such as a thief or someone who has seized your PC – can exploit the vulnerability to install a policy that bypasses Secure Boot mechanisms.

    "A security feature bypass vulnerability exists when Windows Secure Boot improperly applies an affected policy," Microsoft explained.

    "An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded on a target device. In addition, an attacker could bypass the Secure Boot Integrity Validation for BitLocker and the Device Encryption security features.

    "To exploit the vulnerability, an attacker must either gain administrative privileges or physical access to a target device to install an affected policy. The security update addresses the vulnerability by blacklisting affected policies."

  • MS16-093 is Microsoft's distribution of this month's Adobe Flash Player security fixes. In all, 24 CVE-listed flaws are addressed, including remote code execution vulnerabilities. Users running Windows 8.1 and later and Server 2012 will get this update automatically. Older versions will need to get the update from Adobe (more details below).
  • MS16-086 covers a single remote code execution flaw in the JScript and VBScript engines for Windows Vista and Server 2008. Later versions are not affected. "The vulnerability could allow remote code execution if a user visits a specially crafted website," admitted Microsoft.
  • MS16-090 addresses six elevation of privilege vulnerabilities in all supported versions of Windows and Windows Server. An attacker can run a specially crafted application that exploits the kernel-level flaws to increase their user permissions and take over the system.
  • MS16-087 is an update for flaws in the print spooler component of Windows: a man-in-the-middle attacker on a network can execute code on a remote vulnerable machine, or elevate their privileges if already running code on a system. Essentially, a rogue print server on a network can inject malware into connected PCs. All supported versions of Windows and Windows Server are vulnerable.

    "A remote code execution vulnerability exists when the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers," Microsoft confessed. "An attacker who successfully exploited this vulnerability could use it to execute arbitrary code and take control of an affected system.

    "An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application."

  • MS16-089 fixes a single information disclosure flaw triggered when the Windows 10 kernel improperly handles objects in memory.
  • MS16-091 is a patch for an information disclosure flaw in the .NET Framework triggered by running an XML file on a web application. The bug is found in all supported versions of Windows and Windows Server.
  • MS16-092 addresses two flaws in the Windows kernel, one that discloses information about the kernel and another bypassing security access checks. All supported versions of Windows and Windows Server should be updated.

Meanwhile, Adobe is applying a few more strips of duct tape to holes in the internet's screen door with the July Flash Player update.

Windows, OS X, Linux, and ChromeOS users should check to make sure they have the latest version of the software.

In total, this month's patch remedies 52 CVE-listed vulnerabilities. If targeted, 49 of those would allow remote code execution, while the other three would allow information disclosure and memory leaks.

Adobe has also released an update for Acrobat/Reader and XMP Toolkit for Java. ®

