Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-684 on Wednesday, August 10th.
EASE OF USE (PUBLISHED EXPLOITS) TO RISK TABLE
Ease of Use | Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |
Automated Exploit | | | | | | | |
Easy | | | | | | | |
Moderate | | | | | | | |
Difficult | | | | | | | |
Extremely Difficult | | | | | | | |
No Known Exploit | MS16-100, MS16-103 | | MS16-095, MS16-096, MS16-097, MS16-099, MS16-102 | | MS16-101 | MS16-098 | |
MS16-095 | Cumulative Security Update for Internet Explorer | KB3177356 |
MS16-096 | Cumulative Security Update for Microsoft Edge | KB3177358 |
MS16-097 | Security Update for Microsoft Graphics Components | KB3177393 |
MS16-098 | Security Update for Windows Kernel-Mode Drivers | KB3178466 |
MS16-099 | Security Update for Microsoft Office | KB3177451 |
MS16-100 | Security Update for Secure Boot | KB3179577 |
MS16-101 | Security Update for Windows Authentication Methods | KB3178465 |
MS16-102 | Security Update for Microsoft Windows PDF Library | KB3182248 |
MS16-103 | Security Update for ActiveSyncProvider | KB3182332 |
MS16-095
As with all Patch Tuesdays, the first bulletin released this month belongs to Internet Explorer. While a few of the CVEs are unique to Internet Explorer, IE and Edge share the bulk of the CVEs. One of the more interesting notes about this bulletin is a mitigation, which reads: “For CVE-2016-3321 only: An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.” It is rare to see an Internet Explorer issue limited to such a specific scope.
MS16-096
The partner bulletin of MS16-095, this month’s second bulletin is the Microsoft Edge update. As mentioned above, a number of vulnerabilities are shared across both bulletins, but each also contains unique vulnerabilities. Of the two CVEs not found in MS16-095, one is also included in MS16-102, leaving CVE-2016-3296 as the only unique CVE in this bulletin. This CVE describes a vulnerability in the Chakra JavaScript scripting engine.
MS16-097
The next bulletin this month is one of the mega-bulletins that we see from time to time. Instead of covering a single product or product family, this bulletin applies to a wide range of product families. In this case, Microsoft Windows, Office 2007, Office 2010, Skype for Business, and Lync are all patched by this bulletin. There’s an interesting note in the update FAQ for this product:
“I am running Office 2010, which is listed as affected software. Why am I not being offered the update? The update is not applicable to Office 2010 on Windows Vista and later versions of Windows because the vulnerable code is not present.”
This means that Microsoft Office 2010 is only vulnerable when installed on an unsupported operating system.
MS16-098
Up next, we have a staple in the monthly patch bundle, an update to Windows Kernel-Mode Drivers, specifically Win32k. This bulletin resolves four privilege escalation vulnerabilities.
MS16-099
This month’s Microsoft Office bulletin resolves flaws across all supported versions of Microsoft Word, Office, and OneNote. One important note about this bulletin is that CVE-2016-3316 has been marked critical because it can be exploited via the Preview Pane. For this reason, it is important to make this update a priority.
MS16-100
The 100th bulletin of the year resolves a vulnerability in Windows Secure Boot that could allow an attacker to bypass Integrity Validation for BitLocker and Device Encryption as well as bypass higher-level protection mechanisms. This could allow attackers to disable integrity checks and load test-signed executables and drivers.
MS16-101
Up next, we have two vulnerabilities related to Windows authentication. The first fixes insecure Netlogon communication with domain controllers while the second prevents Kerberos authentication from falling back to NTLM during failed password change attempts.
MS16-102
The penultimate update this month resolves a vulnerability in the Microsoft PDF library. This CVE was also referenced in the Microsoft Edge cumulative update.
MS16-103
The final bulletin this month is a Windows 10 fix for a vulnerability in ActiveSyncProvider that makes it possible for Universal Outlook to disclose user credentials by failing to properly establish secure communication with the target server.
Additional Details
As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.