June's Patch Tuesday is remarkably light

Microsoft's monthly release of security updates arrived today, right on schedule. The June 2015 list contains eight items, with two of them rated Critical. That has to be good news for IT pros who've struggled with an abundance of updates in recent months.

There's even better news for anyone running Windows 8.1 or Windows 10, because one of those two Critical security updates applies only to Windows 7 and earlier versions.

This is the mercifully short list of updates in the Important category on a system running Windows 8.1 with Office 365.

MS15-056 is the monthly Cumulative Security Update for Internet Explorer (3058515). It includes fixes for more than 20 newly reported vulnerabilities, many of them from HP's Zero Day Initiative, and should be considered a mandatory update on any system, desktop or server, running any modern version of Windows.

MS15-057 addresses a vulnerability in Windows Media Player (KB3033890) that could allow remote code execution. It is rated Critical for Windows 7, Windows Vista, and Windows Server 2008 R2 and earlier versions.

Special Feature

Why business leaders must be security leaders

Why do many boards leave IT security primarily to security technicians, and why can’t techies convince their boards to spend scarce cash on protecting stakeholder information? We offer guidance on how to close the IT security governance gap.

Read now

Four of the remaining six updates affect Windows. The most interesting is MS15-061, which includes fixes for 11 Windows kernel vulnerabilities. Of that total, seven were reported as part of Google Project Zero and apparently fixed before Google's automatic disclosure was triggered.

MS15-062 applies to servers running Active Directory Federation Services.

MS15-059 patches a vulnerability in Microsoft Office 2010 and 2013; Office 365 subscribers receive this and other updates automatically. (Two of the vulnerabilities were reported via Google Project Zero.)

MS15-064 addresses an issue in Microsoft Exchange Server that can result in elevation of privilege

There's also one mystery in this month's list. Microsoft reserved nine numbers for its June 2015 bulletins, but MS15-058 is nowhere to be found, and its associated Knowledge Base page contains placeholder text. That strongly suggests an update was pulled at the very last minute.

As usual, the Patch Tuesday delivery also includes a number of Recommended updates, which will be installed automatically if that option is enabled in Windows Update. Besides the monthly compatibility update, most are fixes for relatively obscure bugs.

Maybe this month's light load is a sign that this will be a quiet summer for anyone involved in IT security. One can dream, right?

Hacking vulnerabilities with the Internet of Things: Risks and security loopholes