15 June 2016

This month Adobe and Microsoft have decided to issue 45 updates for their products, patching everything they can.

Adobe released 5 security advisories patching 6 vulnerabilities in Adobe DNG SDK, Brackets, Creative Cloud and ColdFusion. The zero-day vulnerability CVE-2016-4171, discovered by Kaspersky Lab, was not patched, though. The vendor has promised to issue an update later this week.

We recommend that users disable Adobe Flash until the patch is available, or at least install EMET to mitigate the risk of exploitation, since this vulnerability is being actively exploited by hackers. Below is a table with a brief review of the patches for Adobe:

| Advisory | Software | Severity | CVE / CVSS | Known exploits |
|---|---|---|---|---|
| APSA16-03: Security Advisory for Adobe Flash Player | Adobe Flash Player | Critical | CVE-2016-4171: 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] | Exploited in the wild |
| APSB16-19: Security update available for the Adobe DNG Software Development Kit (SDK) | Adobe DNG SDK | High | CVE-2016-4167: 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] | No |
| APSB16-20: Security update available for Adobe Brackets | Adobe Brackets | Low | CVE-2016-4164: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]; CVE-2016-4165: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] | No |
| APSB16-21: Security update available for the Creative Cloud Desktop Application | Creative Cloud | High | CVE-2016-4157: 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]; CVE-2016-4158: 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H] | No |
| APSB16-22: Security Update: Hotfixes available for ColdFusion | ColdFusion | Low | CVE-2016-4159: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] | No |

Microsoft patched 39 vulnerabilities in 16 security bulletins, including 3 vulnerabilities in the Oracle Outside In libraries used by Microsoft Exchange Server.

None of the vulnerabilities are zero-days this time. However, several of them may cause serious security issues.

The most dangerous vulnerability, in our opinion, is the remote code execution in DNS server, CVE-2016-3227. There are no publicly known exploits for this vulnerability yet, but given the wide usage of DNS services, we strongly recommend patching this vulnerability ASAP.

Please note: vulnerability CVE-2016-3213, described in MS16-063, is not completely fixed by this patch; MS16-077 must also be installed to be fully protected from it. The vulnerability resides within the Web Proxy Auto Discovery (WPAD) protocol, which incorrectly handles NetBIOS names. It can be exploited both locally and remotely via the Internet Explorer attack vector.

Vulnerability CVE-2016-0025 in Microsoft Office (MS16-070) is extremely dangerous because it is being exploited by leveraging the built-in preview pane protection mechanism, which is intended to protect users from opening dangerous files.

Here is a table with a brief review of the patches released by Microsoft: