Today’s VERT Alert addresses 10 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-693 on Wednesday, October 12th.
EASE OF USE (PUBLISHED EXPLOITS) TO RISK TABLE
Automated Exploit | | | | | | | |
Easy | | | | | | | |
Moderate | | | | | | | |
Difficult | | | MS16-118, MS16-119, MS16-120, MS16-121 | | | | |
Extremely Difficult | | | | | | | |
No Known Exploit | MS16-126 | | MS16-122, MS16-127 | | MS16-123, MS16-124, MS16-125 | | |
Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |
MS16-118 | Cumulative Security Update for Internet Explorer | KB3192887 |
MS16-119 | Cumulative Security Update for Microsoft Edge | KB3192890 |
MS16-120 | Security Update for Microsoft Graphics Component | KB3192884 |
MS16-121 | Security Update for Microsoft Office | KB3194063 |
MS16-122 | Security Update for Microsoft Video Control | KB3195260 |
MS16-123 | Security Update for Windows Kernel-Mode Drivers | KB3192892 |
MS16-124 | Security Update for Windows Registry | KB3193227 |
MS16-125 | Security Update for Windows Diagnostics Hub | KB3193229 |
MS16-126 | Security Update for Microsoft Internet Messaging API | KB3196067 |
MS16-127 | Security Update for Adobe Flash Player | KB3194343 |
MS16-118
Up first this month, we have the typical Internet Explorer update. We also have a historic bulletin, as MS16-118 will go down in history as the first bulletin to contain a reference to the Monthly Roll-up and Security Only bundles from Microsoft. The bulletin itself is relatively standard without any real surprises. The only real note is that for CVE-2016-3298, both MS16-118 and MS16-126 must be installed on Windows Vista and Server 2008 platforms. CVE-2016-3298 has been exploited.
MS16-119
The monthly Edge update is a rather typical roundup of Edge-related vulnerabilities with the usual selection of issues that also impact Internet Explorer. Interestingly, while both browsers are impacted by a publicly exploited vulnerability, they are different vulnerabilities. CVE-2016-7189 has been exploited.
MS16-120
Up next, we have an exercise in complexity. The Microsoft Graphics Component update fixes vulnerabilities related to TTF, GDI+, and Win32k across a number of products including Windows, .NET, Office, Lync, and Silverlight. The end result is a massive number of available patches and updates. CVE-2016-3393 has been exploited.
MS16-121
This month’s Office update resolves a single vulnerability impacting all supported versions of Office. Attackers could exploit this vulnerability with a malicious RTF file. CVE-2016-7193 has been exploited.
MS16-122
MS16-122 resolves a single vulnerability in the Microsoft Video Control. This vulnerability can be exploited via the Preview Pane, which is why it has been identified as critical.
MS16-123
Up next, we have a security update for Windows Kernel-Mode drivers. This is a great bulletin to demonstrate the intended benefit of the new Monthly Roll-up from Microsoft. You can see that multiple patches are required for Windows Vista and Server 2008, while newer platforms offer two choices: the Monthly Roll-up or the Security Only update.
MS16-124
The MS16-124 bulletin fixes a number of issues with the Windows Kernel API and Windows Registry that allow authenticated users to gain access to information that should be restricted.
MS16-125
A single vulnerability in the Windows Diagnostics Hub that could allow privilege elevation on Windows 10 is patched in MS16-125. A custom application could be executed on the host that will incorrectly load malicious libraries, leading to full control of the system.
MS16-126
The penultimate update this month resolves a vulnerability in the Microsoft Internet Messaging API. This is the second update required alongside MS16-118 to resolve CVE-2016-3298 on Windows Vista and Server 2008. CVE-2016-3298 has been exploited.
MS16-127
The final update this month resolves a number of vulnerabilities in Adobe Flash. The vulnerabilities covered in MS16-127 are also covered by Adobe Security Bulletin APSB16-32. As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.