Today’s VERT Alert addresses 11 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-680 on Wednesday, July 13th.
Ease of Use (published exploits) to Risk Table
Ease of use (rows): Automated Exploit | Easy | Moderate | Difficult | Extremely Difficult | No Known Exploit
Exposure (columns): Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged
No Known Exploit (all other rows are empty) | MS16-089 MS16-091 MS16-092 MS16-094 | MS16-084 MS16-085 MS16-086 MS16-088 MS16-093 | MS16-087 MS16-090 |
MS16-084 | Cumulative Security Update for Internet Explorer | KB3169991 |
MS16-085 | Cumulative Security Update for Microsoft Edge | KB3169999 |
MS16-086 | Cumulative Security Update for JScript and VBScript | KB3169996 |
MS16-087 | Security Update for Windows Print Spooler Components | KB3170005 |
MS16-088 | Security Update for Microsoft Office | KB3170008 |
MS16-089 | Security Update for Windows Secure Kernel Mode | KB3170050 |
MS16-090 | Security Update for Windows Kernel-Mode Drivers | KB3171481 |
MS16-091 | Security Update for .NET Framework | KB3170048 |
MS16-092 | Security Update for Windows Kernel | KB3171910 |
MS16-093 | Security Update for Adobe Flash Player | KB3174060 |
MS16-094 | Secure Boot Security Feature Bypass Vulnerability | KB3175677 |
MS16-084
This month starts off like most others, with an update that resolves 15 vulnerabilities in Internet Explorer. In a rare occurrence, none of these vulnerabilities have been disclosed publicly this month. Once again, a number of the vulnerabilities overlap with the Microsoft Edge vulnerabilities resolved by MS16-085.
MS16-085
Following the Internet Explorer update, we have the Microsoft Edge update, which contains quite a bit of overlap with the MS16-084 bulletin and only a few unique vulnerabilities. Like Internet Explorer, none of these vulnerabilities were publicly disclosed.
MS16-086
Next, we have an update to JScript and VBScript, another monthly regular lately. You’ll notice overlap with the Internet Explorer update. This update only applies to users without Internet Explorer or with IE7 installed; all other users are covered after installing the Internet Explorer update (MS16-084).
MS16-087
One of the more unusual bulletins this month is MS16-087, which resolves a pair of vulnerabilities affecting the Windows Print Spooler, a component that hasn’t seen an update in several years. One of these vulnerabilities allows a malicious print server or MitM to install malicious print drivers. The update addresses the vulnerability by issuing a warning to users attempting to install untrusted drivers. This is important to note, as the bulletin does not state that it prevents the installation of these drivers. This means that user education should accompany this update.
MS16-088
A number of vulnerabilities in both the Microsoft Office Suite and Microsoft Office WebApps are addressed in this bulletin. One of the more important points to pay attention to is the mention that several of the vulnerabilities can be exploited via the Preview Pane. Thankfully, none of the vulnerabilities in this bulletin have been publicly disclosed or exploited.
MS16-089
This next bulletin describes a single information disclosure vulnerability that only affects Windows 10, allowing someone logged into the system to access sensitive information.
MS16-090
Another monthly regular, the Windows Kernel-Mode Drivers bulletin resolves a number of vulnerabilities impacting Win32k.
MS16-091
While we frequently see .NET in the monthly bulletin summary, we rarely see it contain only a single information disclosure vulnerability. The vulnerability could allow an attacker to read files, if they can find an application that will parse their malicious XML file.
MS16-092
A pair of vulnerabilities affecting the Windows Kernel are resolved by MS16-092. CVE-2016-3272 has been publicly disclosed.
MS16-093
The penultimate update this month, MS16-093, is actually APSB16-25 in disguise and references a number of Adobe Flash Player vulnerabilities.
MS16-094
We end the month with an update to Secure Boot that resolves a vulnerability affecting Windows 8.1 and newer. Given that this vulnerability was disclosed publicly and the bulletin was included after Flash Player, which is traditionally the final bulletin of the month, Microsoft may have moved quickly to release this patch. If that is true, thoroughly test this patch before deploying it in your environment. CVE-2016-3287 has been publicly disclosed.
Additional Details
Adobe has released APSB16-25 for Flash Player and APSB16-26 for Acrobat and Reader. As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.