Microsoft’s June Patch Tuesday release includes 16 update bulletins, five of them rated critical, covering 44 CVEs, which equals the number posted last month, but with three fewer critical issues.
Topping the list are the critical-rated MS16-063, MS16-068, MS16-069, MS16-070 and MS16-071, all of which, if left unpatched, could allow remote code execution.
The affected products are Windows, Internet Explorer, Edge, Office, and Office services and web apps. The remaining 11 bulletins all had an “important” rating.
MS16-071 is one of the bulletins covering a vulnerability that could allow an unauthenticated attacker who sends a specially crafted DNS request to run code as the local system account.
MS16-070 fixes a number of problems in Microsoft Office. The most important vulnerability here is CVE-2016-0025 in the Microsoft Word RTF format, which yields RCE for the attacker. Because RTF can be used to attack through Outlook’s preview pane, the flaw can be triggered by an email without user interaction.
Of the remaining updates, MS16-075 and MS16-076 resolve vulnerabilities in Windows and Netlogon. MS16-075 and MS16-076 share a security update for the server platforms, which means one less patch to install in those environments. It also addresses two vulnerabilities, particularly with MS16-075. The ability to forward authentication from one service to another is a difficult flaw, but Microsoft said the attacker must have authenticated access to the system, which mitigates some of the risk.