Critical updates to Windows 10, XP and Vista for June Patch Tuesday
Microsoft's June Patch Tuesday was pretty unique
This June Microsoft Patch Tuesday is pretty unique. Aside from the fact that Microsoft is attempting to address a record 94 vulnerabilities, we are seeing Microsoft provide security updates for several operating systems that are no longer supported, including Windows XP and Vista. In addition, Microsoft has moved away from its usual approach of calling out only a few select security issues in its Security Advisory notes.
This month, we saw Microsoft issue a large number of high-priority issues and the incredible statement, “Microsoft is announcing the availability of additional guidance for critical security updates, that are at heightened risk of exploitation due to past and threatened nation-state attacks and disclosures.”
Now is not the time to be relaxed about patching your environment. In addition, Microsoft is attempting to address two serious remote code execution vulnerabilities (CVE-2017-8543 and CVE-2017-8464) that have been reported as exploited in the wild. Although Microsoft no longer uses the update bulletin methodology, the following product families will receive updates this month:
- Adobe Flash Player
- Internet Explorer and Microsoft Edge
- Microsoft Windows
- Microsoft .NET
- Silverlight
Adobe Flash Player
Microsoft is bundling another significant (Priority 1) Adobe Flash Player update (ADV17007) that attempts to resolve 12 reported vulnerabilities, the worst of which could lead to arbitrary code execution on a compromised system. This update affects Chrome, Microsoft Edge and Internet Explorer (IE) 11. Without having to mention “threatened nation-state attacks” again, this is a “Patch Now” update from both Adobe and Microsoft.
Internet Explorer and Microsoft Edge
With a total of 32 vulnerabilities reported for Microsoft browsers (IE and Edge), 10 rated as critical, seven as important, eight as moderate and seven as low-level security issues, this is another large and important update from Microsoft. Unusually, this month Microsoft Edge has the largest number and the most serious vulnerabilities, which may be due to the increased usage of Windows 10 and its greater value to malicious hackers. Both IE and Edge updates should be considered “Patch Now” for this month.
Windows
The now venerable operating system Windows Vista has reached the end of support, but given the seriousness of these reported vulnerabilities Microsoft has released two KB articles (975517 for 32-bit systems and 2347290 for 64-bit). Windows XP SP3 gets four separate updates (958644, 2347290, 4012598 and 4012583). These updates date back to early 2008 and include patches released as recently as March 2017. Adding to the complexity of this month’s series of updates to currently supported and legacy operating systems, there are four separate streams for Windows 10:
- Windows 10 1703, Build 15063.414: This update includes IE changes as well as core operating system changes. No new features were added with this update. Given the relatively recent release date for this release of Windows 10, the update payload includes roughly a thousand system files.
- Windows 10 1607, Build 14393.1358: This cumulative update includes all previous fixes and updates for this one-year-old OS and, whilst it does not have any reported known issues, it updates around 1,200 system files.
- Windows 10 1511, Build 10586.962: No known issues are reported for this cumulative update, and around 1,300 system files are included in the patch payload.
- Windows 10 1507, Build 10240.17443: Following the Microsoft support lifecycle for Windows 10, the very first release of Windows 10 (Release 1507) is no longer supported.
You can find out more about Microsoft’s platform lifecycles with this “fact sheet.” If you installed the first release of Windows 10 and have not moved up to later builds, this June Patch Tuesday will be your last. Microsoft has released a helpful table detailing how long each release is supported, which can be found here. This build is no longer supported even if you chose the enterprise Long Term Servicing Branch option.
There are several known issues with this June update from Microsoft. If you use or have iSCSI devices, you may want to check out Knowledge Base article KB4022717. Given all of the concerns regarding the large number of updates and potential live and exploited vulnerabilities for this month, all Windows updates should be considered as “Patch Now.” Obviously, this is not sustainable. We can’t have a crisis all of the time. Let’s hope that next month will be different.
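With four Windows 10 servicing streams and a handful of legacy KB numbers in play, the first thing a patch administrator wants is a quick way to confirm that a given machine actually landed on the June build. The following PowerShell script is an added example, not part of the original article or any Microsoft tooling; it reads the standard CurrentBuild and UBR values from the registry and compares them against the build numbers listed above, and on XP or Vista it checks for the KB numbers the article lists via Get-HotFix. The expected build table and KB list are taken directly from the article; everything else is a hypothetical helper.

```powershell
# Added example: verify June 2017 Patch Tuesday state on Windows 10 and legacy systems.
# Build numbers and KB IDs below are the ones quoted in the article; the registry
# value names (CurrentBuild, UBR) are the standard Windows 10 version values.

# Minimum OS build (CurrentBuild.UBR) per Windows 10 release, as listed in the article.
$JuneBuilds = @{
    '15063' = @{ Release = '1703'; Ubr = 414;   Supported = $true  }
    '14393' = @{ Release = '1607'; Ubr = 1358;  Supported = $true  }
    '10586' = @{ Release = '1511'; Ubr = 962;   Supported = $true  }
    '10240' = @{ Release = '1507'; Ubr = 17443; Supported = $false }  # last update for this branch
}

# KB articles the article lists for Windows Vista and Windows XP SP3.
$LegacyKbs = 'KB975517', 'KB2347290', 'KB958644', 'KB4012598', 'KB4012583'

function Get-JunePatchStatus {
    # CurrentBuild is the major build (e.g. 15063); UBR is the cumulative-update revision.
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    if (-not $JuneBuilds.ContainsKey($build)) {
        return [pscustomobject]@{
            Build   = "$build.$ubr"
            Release = 'n/a'
            Status  = 'Not a Windows 10 release covered by the June table'
        }
    }

    $expected = $JuneBuilds[$build]
    $status = if ($ubr -ge $expected.Ubr) {
        'June 2017 cumulative update present'
    } else {
        "MISSING: expected build $build.$($expected.Ubr) or later"
    }
    if (-not $expected.Supported) {
        $status += ' (release 1507 is out of support; plan an upgrade to a serviced branch)'
    }

    [pscustomobject]@{ Build = "$build.$ubr"; Release = $expected.Release; Status = $status }
}

function Test-LegacyKbs {
    # Get-HotFix is available from PowerShell 2.0, which runs on XP SP3 and Vista.
    foreach ($kb in $LegacyKbs) {
        $installed = $null -ne (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
        [pscustomobject]@{ KB = $kb; Installed = $installed }
    }
}

$os = (Get-WmiObject Win32_OperatingSystem).Version
if ($os -like '10.*') {
    Get-JunePatchStatus | Format-List
} else {
    # Windows XP (5.1) and Vista (6.0): report which of the listed KBs are present.
    Test-LegacyKbs | Format-Table -AutoSize
}
```

Run it from an elevated prompt on each machine (or push it through your management tooling) and treat any "MISSING" result, or a legacy KB reported as not installed, as a "Patch Now" item; a machine that reports release 1507 is at its final update regardless of result.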
Microsoft .NET
This June patch cycle brings us a complete version update to the core Microsoft .NET development framework with the release of .NET 4.7. Moving from Microsoft .NET 4.6.2 to version 4.7 will bring some potential compatibility issues, and Microsoft has provided some release notes and an API “difference” log found here. Some of the major improvements and changes included in .NET 4.7 include:
- High DPI support for Windows Forms applications on Windows 10
- Touch support for WPF applications on Windows 10
- Enhanced cryptography support
- Performance and reliability improvements
This is a major update and Microsoft has chosen to use Microsoft Update to distribute this latest version of .NET. At present, Microsoft has chosen to “throttle” the release of .NET 4.7 with a slower, staged release. For those who require an immediate download of the latest binaries, you can force the download by exercising the “Check for updates” option on your update settings panel. There is also an offline installation package available here. There are no immediate security issues driving this .NET update and I suggest thorough testing by your development team before full-scale deployment.
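Because the 4.7 rollout is throttled, a machine that reports "up to date" may still be on 4.6.2, and your development team needs to know which framework a test box actually has before signing off on compatibility. The following PowerShell function is an added example, not code from the article or from Microsoft; it reads the documented Release DWORD under the .NET 4 Full install key and maps it to a version. The threshold values (460798 for 4.7, 394802 for 4.6.2, and so on) are Microsoft's published minimums for each release and are stated here as assumptions.

```powershell
# Added example: report which .NET Framework 4.x release is installed, so you can tell
# whether the throttled 4.7 rollout has reached a machine before compatibility testing.
# The 'Release' DWORD and its per-version minimum values are from Microsoft's
# documented version-detection table (values assumed correct as of June 2017).

$DotNet4Key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'

function Get-DotNet4Version {
    $rel = (Get-ItemProperty -Path $DotNet4Key -Name Release -ErrorAction SilentlyContinue).Release
    if (-not $rel) {
        return [pscustomobject]@{ Release = 0; Version = 'No .NET Framework 4.5 or later'; Has47 = $false }
    }

    # Minimum 'Release' value for each framework version; higher values win.
    $ver = switch ($rel) {
        { $_ -ge 460798 } { '4.7 or later'; break }
        { $_ -ge 394802 } { '4.6.2';        break }
        { $_ -ge 394254 } { '4.6.1';        break }
        { $_ -ge 393295 } { '4.6';          break }
        { $_ -ge 379893 } { '4.5.2';        break }
        default           { '4.5 or 4.5.1' }
    }

    [pscustomobject]@{ Release = $rel; Version = $ver; Has47 = ($rel -ge 460798) }
}

Get-DotNet4Version | Format-List
```

Because 4.7 is an in-place update that replaces 4.6.2, `Has47` flipping to `$true` on a machine is the signal that the staged rollout has arrived there; run the check on your test fleet first so the team is exercising the same framework build that production will eventually receive.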
Microsoft Office
This month, Microsoft released a number of relatively minor updates to all the supported versions of Microsoft Office (Office 2013 down to Office for Mac 2011), which can be found here. The real concern for this June Patch Tuesday is the update to Skype for Business, which resolves a reported vulnerability (CVE-2017-0283) that could lead to remote code execution. This makes the Skype for Business update a “Patch Now” release, and the remainder of the Office updates should follow your standard patch release schedules.
Microsoft Silverlight
The Silverlight web development platform was the Microsoft equivalent of Adobe Flash and official support has now ended. Though nowhere near as vulnerable to security issues as Adobe Flash, there are two vulnerabilities (CVE-2017-0283 and CVE-2017-8527) that are rated as critical by Microsoft. These updates apply to both 32-bit and 64-bit systems but not Apple Mac systems. You can find the complete Silverlight release history here.
This is a huge month for patches from Microsoft, with several severe vulnerabilities that could lead to a complete compromise of targeted systems. Some of these vulnerabilities have already been reported in the wild and could prove difficult to resolve once a system has been attacked. Given the recent release of further NSA-related hacking tools and Microsoft’s decision to support legacy systems such as Windows XP, responsible organisations must take this opportunity to update their systems and ensure that they keep their systems updated, even as Microsoft and other vendors increase their pace of change and the cadence of subsequent patches.