July 2015 Microsoft Patch Tuesday

Published: 2015-07-14. Last Updated: 2015-07-15 03:38:20 UTC
by Johannes Ullrich (Version: 1)

Overview of the July 2015 Microsoft patches and their status.

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*): clients | ISC rating(*): servers |
|---|---|---|---|---|---|---|
| MS15-058 Remote Code Execution Vulnerabilities in SQL Server (This bulletin was supposed to be part of the June 2015 patch Tuesday, but got delayed until today) | SQL Server: CVE-2015-1761, CVE-2015-1762, CVE-2015-1763 | KB 3065718 | no. | Severity: Important; Exploitability: 2 | N/A | Important |
| MS15-065 Internet Explorer Rollup Patch (Replaces MS15-056) | Internet Explorer: CVE-2015-1729, CVE-2015-1733, CVE-2015-1738, CVE-2015-1767, CVE-2015-2372, CVE-2015-2383, CVE-2015-2384, CVE-2015-2385, CVE-2015-2388, CVE-2015-2389, CVE-2015-2390, CVE-2015-2391, CVE-2015-2397, CVE-2015-2398, CVE-2015-2401, CVE-2015-2403, CVE-2015-2404, CVE-2015-2405, CVE-2015-2406, CVE-2015-2408, CVE-2015-2410, CVE-2015-2411, CVE-2015-2412, CVE-2015-2413, CVE-2015-2414, CVE-2015-2419, CVE-2015-2421, CVE-2015-2422, CVE-2015-2425 | KB 3076321 | CVE-2015-2398 has been publicly disclosed. | Severity: Critical; Exploitability: 0 | Critical | Important |
| MS15-066 Remote Code Execution Vulnerability in VBScript Scripting Engine (Replaces MS15-019) | VBScript: CVE-2015-2372 | KB 3072604 | no. | Severity: Critical; Exploitability: 1 | Critical | Important |
| MS15-067 Remote Code Execution Vulnerability in RDP (Replaces MS15-030) | RDP: CVE-2015-2373 | KB 3073094 | no. | Severity: Critical; Exploitability: 3 | Critical | Critical |
| MS15-068 Remote Code Execution Vulnerabilities in Hyper-V | Hyper-V: CVE-2015-2361, CVE-2015-2362 | KB 3072000 | no. | Severity: Critical; Exploitability: 2 | N/A | Critical |
| MS15-069 Remote Code Execution Vulnerabilities in Windows | Windows and Windows Media Device Manager: CVE-2015-2368, CVE-2015-2369 | KB 3072631 | unauthorized DLL loading is an ongoing issue. | Severity: Important; Exploitability: 1 | Critical | Important |
| MS15-070 Remote Code Execution Vulnerabilities in Office (Replaces MS13-084 MS15-022 MS15-033 MS15-046) | Microsoft Office (including Mac and Sharepoint): CVE-2015-2376, CVE-2015-2377, CVE-2015-2379, CVE-2015-2380, CVE-2015-2415, CVE-2015-2424, CVE-2015-2375, CVE-2015-2378 | KB 3072620 | CVE-2015-2424 has been used in exploits. | Severity: Important; Exploitability: 1 | Critical | Important |
| MS15-071 Spoofing Vulnerability in Netlogon (Replaces MS15-027) | Netlogon: CVE-2015-2374 | KB 3068457 | no. | Severity: Important; Exploitability: 3 | Important | Important |
| MS15-072 Elevation of Privilege Vulnerability in Windows Graphics Component (Replaces MS15-035) | Windows Graphics component: CVE-2015-2364 | KB 3069392 | no. | Severity: Important; Exploitability: 1 | Important | Important |
| MS15-073 Elevation of Privilege Vulnerability in Kernel Mode Drivers (Replaces MS15-061) | Kernel Mode Drivers: CVE-2015-2363, CVE-2015-2365, CVE-2015-2366, CVE-2015-2367, CVE-2015-2381, CVE-2015-2382 | KB 3070102 | no. | Severity: Important; Exploitability: 2 | Important | Important |
| MS15-074 Elevation of Privilege Vulnerability in Windows Installer Service (Replaces MS49-049) | Windows Installer Service: CVE-2015-2371 | KB 3072630 | no. | Severity: Important; Exploitability: 1 | Important | Important |
| MS15-075 Elevation of Privilege Vulnerability in OLE (Replaces MS13-070) | OLE: CVE-2015-2416, CVE-2015-2417 | KB 3072633 | no. | Severity: Important; Exploitability: 1 | Critical | Important |
| MS15-076 Elevation of Privilege in Windows RPC (Replaces MS15-055) | Windows RPC: CVE-2015-2370 | KB 3067505 | no. | Severity: Important; Exploitability: 2 | Important | Important |
| MS15-077 Elevation of Privilege Vulnerability in ATM Font Driver (Replaces MS15-021) | ATM Font Driver (ATMFD.DLL): CVE-2015-2387 | KB 3077657 | Exploits Detected. | Severity: Important; Exploitability: 0 | Important | Important |

We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Important patches for servers that do not use outlook, MSIE, word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threats.

       

---
Johannes B. Ullrich, Ph.D.

Comments

Two things people need to remember: First, this is the last month for Windows 2003 patches. Second, beginning in January 2016, Microsoft will only patch the most recent version of IE so the time to upgrade is now.
MS link is incorrect, should be: https://technet.microsoft.com/library/security/ms15-jul
No mention in the MS15-067 notices as to whether NLA-only RDP access (network layer authentication) mitigates the RDP vulnerability. Generally this has been the case. Does anyone know for certain?
According to the bulletin, MS15-071 (Netlogon) only affects servers so your table should show N/A for clients ( https://technet.microsoft.com/en-us/library/security/ms15-071.aspx ).
Microsoft has information in KB 2264107 about mitigating DLL search-path exploitation, titled "A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm." Since this month's batch included such an issue, I was surprised they didn't mention it as a workaround.

In my case, setting the system-wide CWDillegalinDLLsearch to its strictest setting, FFFFFFFF, did break one app, an old image editor, which I had to make an exemption for in the Registry. So test carefully if you decide to use this.
Updates trashed the virtual switch on one of my Hyper-V 2012R2 servers, resulting in a visit to the datacenter to fix. Proceed with caution! I don't know which update caused it but suspect the MS15-068 Remote Code Execution Vulnerabilities in Hyper-V.
Finished updating my 2012R2 server, and nothing happened with the Virtual Switch on that Hyper-V host.
