Microsoft has released 14 bulletins – four “critical” and 10 ranked “important” – as part of its Patch Tuesday update, which also marks the end of support for Windows Server 2003.
According to a security bulletin summary published Tuesday by the tech giant, July's critical patches resolved remote code execution (RCE) flaws impacting Windows and Internet Explorer (IE). One of the critical bulletins was a cumulative update for IE, MS15-065, which addressed CVE-2015-2425 uncovered in the recent Hacking Team leak.
Of note, bulletin MS15-077, ranked “important,” resolved CVE-2015-2387, a vulnerability in Adobe Type Manager Font Driver that could allow elevation of privilege. The bug was also exposed in the Hacking Team 400 GB data dump, in which hackers published the details of exploits the Italian firm sold.
The other nine “important” Microsoft patches released Tuesday addressed vulnerabilities in Microsoft SQL Server, Windows, and Office allowing RCE, as well as flaws in Windows allowing elevation of privilege.
Wolfgang Kandek, CTO of Qualys, wrote in a Tuesday blog post that, this month, users should be sure to apply the patches released by both Microsoft and Adobe for bugs under active exploitation: CVE-2015-2387 and CVE-2015-2424, fixed by Microsoft, and the Flash Player zero-days CVE-2015-5122 and CVE-2015-5123, fixed in a separate Adobe update.
He added that final fixes for Windows Server 2003 were included in the July Patch Tuesday roundup.
“July is the last month of patches for Windows Server 2003,” Kandek wrote. “Nine of the 14 bulletins affected Windows Server 2003. That is a clear indication that attackers will continue to find issues in Windows 2003 at roughly that rate…There are only two things to do to avoid that threat, migrate away from Server 2003 or pay Microsoft for the necessary patches through a special support contract,” he said.