FacebookPixel

PatchTuesday.png

AUGUST 2015

Bulletin ID

Bulletin Title and Executive Summary

Maximum Severity Rating
and Vulnerability Impact

MS15-079

Cumulative Security Update for Internet Explorer (3082442) 
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Critical 
Remote Code Execution

MS15-080

Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3078662)  
This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType or OpenType fonts. 

Critical 
Remote Code Execution

MS15-081

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3080790) 
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Critical 
Remote Code Execution

MS15-082

Vulnerabilities in RDP Could Allow Remote Code Execution (3080348) 
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker first places a specially crafted dynamic link library (DLL) file in the target user’s current working directory and then convinces the user to open a Remote Desktop Protocol (RDP) file or to launch a program that is designed to load a trusted DLL file but instead loads the attacker’s specially crafted DLL file. An attacker who successfully exploited the vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 

Important 
Remote Code Execution

MS15-083

Vulnerability in Server Message Block Could Allow Remote Code Execution (3073921) 
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted string to SMB server error logging. 

Important 
Remote Code Execution

MS15-084

Vulnerabilities in XML Core Services Could Allow Information Disclosure (3080129) 
This security update resolves vulnerabilities in Microsoft Windows and Microsoft Office. The vulnerabilities could allow information disclosure by either exposing memory addresses if a user clicks a specially crafted link or by explicitly allowing the use of Secure Sockets Layer (SSL) 2.0. However, in all cases an attacker would have no way to force users to click a specially crafted link. An attacker would have to convince users to click the link, typically by way of an enticement in an email or Instant Messenger message.

Important 
Information Disclosure

MS15-085

Vulnerability in Mount Manager Could Allow Elevation of Privilege (3082487)  
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker inserts a malicious USB device into a target system. An attacker could then write a malicious binary to disk and execute it.

Important 
Elevation of Privilege

MS15-086

Vulnerability in System Center Operations Manager Could Allow Elevation of Privilege (3075158) 
This security update resolves a vulnerability in Microsoft System Center Operations Manager. The vulnerability could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the affected website. 

Important 
Elevation of Privilege

MS15-087

Vulnerability in UDDI Services Could Allow Elevation of Privilege (3082459) 
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker engineered a cross-site scripting (XSS) scenario by inserting a malicious script into a webpage search parameter. A user would have to visit a specially crafted webpage where the malicious script would then be executed.

Important 
Elevation of Privilege

MS15-088

Unsafe Command Line Parameter Passing Could Allow Information Disclosure (3082458)  
This security update helps to resolve an information disclosure vulnerability in Microsoft Windows, Internet Explorer, and Microsoft Office. To exploit the vulnerability an attacker would first have to use another vulnerability in Internet Explorer to execute code in the sandboxed process. The attacker could then execute Notepad, Visio, PowerPoint, Excel, or Word with an unsafe command line parameter to effect information disclosure. To be protected from the vulnerability, customers must apply the updates provided in this bulletin, as well as the update for Internet Explorer provided in MS15-079. Likewise, customers running an affected Microsoft Office product must also install the applicable updates provided in MS15-081.

Important 
Information Disclosure

MS15-089

Vulnerability in WebDAV Could Allow Information Disclosure (3076949) 
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if an attacker forces an encrypted Secure Socket Layer (SSL) 2.0 session with a WebDAV server that has SSL 2.0 enabled and uses a man-in-the-middle (MiTM) attack to decrypt portions of the encrypted traffic. 

Important 
Information Disclosure

MS15-090

Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3060716) 
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application or convinces a user to open a specially crafted file that invokes a vulnerable sandboxed application, allowing an attacker to escape the sandbox.

Important 
Elevation of Privilege

MS15-091

Cumulative Security Update for Microsoft Edge (3084525) 
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Critical 
Remote Code Execution

MS15-092

Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3086251) 
This security update resolves vulnerabilities in Microsoft .NET Framework. The vulnerabilities could allow elevation of privilege if a user runs a specially crafted .NET application. However, in all cases, an attacker would have no way to force users to run the application; an attacker would have to convince users to do so.

Important 
Elevation of Privilege