Windows Media Player and Internet Explorer as a gateway
- on June 07, 2018
Microsoft's June 2015 Patch Day brings eight security bulletins, only two of which are rated critical: an update package for Internet Explorer and an update for Windows Media Player. One patch was apparently withdrawn before release.
The most recent cumulative update for Internet Explorer (IE) fixes several security holes. The worst bugs can allow an attacker to execute code on the vulnerable system (Remote Code Execution, RCE). For this to happen, the user would have to visit a specially crafted website. Client computers running Windows 8.1, Windows 7 and Vista are particularly at risk.
All browser versions from IE 6 to IE 11 are affected. Among other things, update MS15-056 ensures that an attacker cannot access the browser history from a maliciously crafted website. The update also adds additional authorization checks and changes how IE processes objects in memory.
A critical vulnerability has been found in Windows Media Player; versions 10, 11 and 12 are affected. Here too, remote code execution may occur if the user navigates to a specially crafted web page containing malicious media content. Security bulletin MS15-057 provides the remedy. The update addresses the vulnerability by correcting how the Media Player handles DataObject objects.
The list contains no information about the patch with the identifier MS15-058; apparently the update was withdrawn at short notice. The remaining security bulletins are all rated important.
The first of these is patch MS15-059 for MS Office 2007, 2010, 2013 and 2013 RT. It changes how Microsoft Office processes open files in memory, thus preventing a potential RCE. The same applies to update MS15-060, which addresses a vulnerability in Microsoft Common Controls.
Multiple security issues in Windows kernel-mode drivers and in the Active Directory Federated Services may allow elevation of privilege (EoP). Security bulletins MS15-061 and MS15-062 are meant to counter this.
Additional EoP vulnerabilities were found in the Windows kernel and in Microsoft Exchange Server. Security bulletins MS15-063 and MS15-064 are meant to make these a thing of the past. Because a vulnerability sometimes affects several products, the total number of updates may end up significantly higher.