June’s Patch Tuesday is lighter than in previous months. In all, 51 unique CVEs are addressed, 11 of them marked Critical. Last week Adobe also released an out-of-band update for a Flash Player vulnerability that is being actively exploited.
Speculative Store Bypass
Microsoft released patches for Speculative Store Bypass, also known as Spectre Variant 4. These patches enable Speculative Store Bypass Disable (SSBD) for Intel processors. Full protection against Variant 4 also requires new Intel microcode.
Windows DNSAPI
Patches were released for vulnerabilities in the Windows DNSAPI. These vulnerabilities could allow an attacker to compromise a system through a malicious DNS server. Mobile workstations that may connect to untrusted Wi-Fi are at high risk, and this patch should be a priority for them.
HTTP Protocol
A critical flaw in Microsoft’s HTTP.sys is also fixed in this release. HTTP.sys is a kernel-mode protocol listener that is used by IIS and various services in Windows. An attacker exploiting this vulnerability could obtain full control of an impacted system. This patch should be prioritized for all Windows systems, servers and desktops.
Browsers and Scripting Engine
The other critical Microsoft patches are primarily for browsers, the Windows Scripting Engine, and Windows Media Foundation. These patches should be prioritized for workstation-type devices.
Adobe
Adobe released an out-of-band update for a Flash Player vulnerability last week. According to Adobe, this vulnerability is being actively exploited, and the update should be prioritized for workstation-type devices. In May, another out-of-band update was released for Adobe Reader, which also has a publicly available exploit. This patch should also be prioritized for impacted workstations.
Executive Summary
- Microsoft released security updates for all client and server operating systems that are supported by the company.
- All versions of Windows are affected by at least one critical security vulnerability.
- Support for Speculative Store Bypass Disable (SSBD) was added but is not enabled by default.
- Microsoft released security updates for the following products as well: Internet Explorer, Microsoft Edge, Microsoft Office, Adobe Flash Player.
Operating System Distribution
- Windows 7: 9 vulnerabilities of which 2 are rated critical and 7 important.
- Windows 8.1: 8 vulnerabilities of which 2 are rated critical and 6 important.
- Windows 10 version 1607: 25 vulnerabilities of which 4 are rated critical and 21 important.
- Windows 10 version 1703: 25 vulnerabilities of which 3 are rated critical and 22 important.
- Windows 10 version 1709: 27 vulnerabilities of which 4 are rated critical and 23 important.
- Windows 10 version 1803: 26 vulnerabilities of which 4 are rated critical and 22 important.
Windows Server products
- Windows Server 2008 R2: 9 vulnerabilities of which 2 are rated critical and 7 important.
- Windows Server 2012 and 2012 R2: 8 vulnerabilities of which 2 are rated critical and 6 important.
- Windows Server 2016: 24 vulnerabilities of which 4 are rated critical and 22 important.
Other Microsoft Products
- Internet Explorer 11: 4 vulnerabilities, 2 critical, 2 important
- Microsoft Edge: 7 vulnerabilities, 3 critical, 4 important
Direct update downloads
Updates for all supported versions of Windows may also be downloaded from the Microsoft Update Catalog website.
Windows 7 SP1 and Windows Server 2008 R2 SP
- KB4284826 — 2018-06 Security Monthly Quality Rollup for Windows 7
- KB4284867 — 2018-06 Security Only Quality Update for Windows 7
Windows 8.1 and Windows Server 2012 R2
- KB4284815 — 2018-06 Security Monthly Quality Rollup for Windows 8.1
- KB4284878 — 2018-06 Security Only Quality Update for Windows 8.1
Windows 10 and Windows Server 2016 (version 1607)
- KB4284880 — 2018-06 Cumulative Update for Windows 10 Version 1607
Windows 10 (version 1703)
- KB4284874 — 2018-06 Cumulative Update for Windows 10 Version 1703
Windows 10 (version 1709)
- KB4284819 — 2018-06 Cumulative Update for Windows 10 Version 1709
Windows 10 (version 1803)
- KB4284835 — 2018-06 Cumulative Update for Windows 10 Version 1709