This month's patches from Microsoft and Adobe have reached general release - with Oracles feared July patches just around the corner.AdobeAdobe updated both Flash and Shockwave Player (for those of you still using it), but only the Flash update received mention. The updates fixes a number of undisclosed vulnerabilities, including at least one Remote Code Execution (RCE) vulnerability. The new Flash Player version numbers to look out for are 14.0.0.145 on both Windows and OS X.Cloud Device expects to release the new Adobe patches within 72 hours.MicrosoftMicrosoft has released six bulletins for this months Patch Tuesday, addressing a total of 29 vulnerabilities, plus three security related security advisories. Two of the bulletins are critical and can be used to get to Remote Code Execution (RCE).This month's biggest update is also the highest priority one: MS14-037 addresses 24 vulnerabilities in Internet Explorer (IE), almost all user-after-free type vulnerabilities and is valid for all versions (6-11) of Microsoft's browser. Its exploitability index is "1", which means Microsoft rates it as relatively easy (less than 30 days of time) to reverse engineer the vulnerabilities and develop an exploit.Cloud Device expects to release the new Microsoft patches within 48 hoursThe other Microsoft updates are:MS14-038 (KB 2975689) deals with a critical vulnerability in Journal of Windows Vista, 7, 8, 8.1, RT and RT 8.1. The security hole allows remote code execution with the rights of current user just by opening a malicious Journal (.jnt) file.MS14-039 (KB 2975685) addresses an important elevation of privilege flaw in On-Screen Keyboard (OSK). Attacker could misuse the context of a low-integrity process to launch OSK and then upload a malicious program to gain administrative rights on the affected computer. All supported versions of Windows (Vista - 8.1, and RT/RT 8.1) are affected.MS14-040 (KB 2975684) plugs another important elevation of privilege hole in all supported versions of Windows. Attackers can misuse how Ancillary Function Driver (AFD) fails to properly validate input before passing the input from user mode to the Windows kernel for running a malicious program. Successful attack requires having valid user name and password and the ability to log on locally (not over network).MS14-041 (KB 2975681) squashes yet another important elevation of privilege bug in Windows Vista, 7, 8 and 8.1 (RT versions are not affected). The memory handling flaw in DirectShow requires first exploiting another vulnerability in low-integrity process to launch malicious code with the rights of currently logged on user.The last bulletin, MS14-042 (KB 2972621) addresses a Denial of Service vulnerability in Microsoft Service Bus for Windows server. The vulnerability could allow denial of service if a remote authenticated attacker creates and runs a specifically crafted program. Note that the Microsoft Service Bus for Windows Server is not shipped with any Microsoft operating system. For an affected system to be vulnerable Microsoft Service Bus must first be downloaded, installed, and configured, and then its configuration details (farm certificate) shared with other users.Links to detailed technical information on these patches, and a list of fixes for Microsoft Server products is available at this Microsoft TechNet page.OracleOracle is due to issue its next Critical Patch Update - the massive, quarterly fix-it fests that deliver security updates across the company's entire product line, including Java - on July 15.We will send out additional information on the specific Java patches as the information are released by OraclePlease dont hesitate to contact us if you have any additional questions regarding Cloud Device and our Software Update service.
