Many Windows versions contain a critical vulnerability in the DNS programming interface. Security updates are available.
On the June Patchday, Microsoft is patching Edge, Internet Explorer, Office, and Windows. In total, the security updates fix 50 vulnerabilities that endanger the security of computers. Eleven vulnerabilities are rated “critical”. Microsoft classifies the patches for the remaining 39 vulnerabilities as “important”.
Remote code execution
The most critical vulnerability this month is in the Windows Domain Name System (DNS) library DNSAPI.dll. For a successful attack, an attacker only needs to send a crafted DNS response to a vulnerable system via a DNS server. The attacker is then said to be able to execute malicious code. This affects Windows 7 through 10 and various editions of Windows Server.
A critical vulnerability in Internet Explorer was known in advance, but according to Microsoft there have been no attacks so far. For a successful attack, a visit to a website specially crafted by attackers is said to be sufficient. Microsoft warns that an attack can also be initiated via crafted advertising elements that an arbitrary website obtains from an advertising network. If an attack is successful, the attacker is said to be able to execute malicious code with the rights of the victim. If the victim has admin rights, the computer is considered compromised.
Vulnerabilities caused by such memory errors also exist in Edge. The attack scenario is similar. Alternatively, attacks are also said to be possible via manipulated documents that a victim must open.
Attacks on Flash Player
Adobe released an emergency patch for its Flash Player last week. Attackers are currently exploiting a vulnerability and are targeting Windows users. Version 30.0.0.113 is patched. Under Windows 8.1 and 10, Internet Explorer 11 and Edge automatically receive the latest Flash version.
Important security updates
Other vulnerabilities can be found in various Windows components such as the kernel and Device Guard. If attackers exploit them, they are said to be able to, among other things, gain access to information that is supposed to be isolated. Bypassing security mechanisms and obtaining higher user rights is also possible.
Microsoft provides information about the patched vulnerabilities in the Security Update Guide. However, the list is anything but clear. A much better list can be found in the Patchday blog article by Cisco Talos.