Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-689 on Wednesday, September 14th.
Ease of Use (published exploits) to Risk Table
Ease of Use | Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |
Automated Exploit | | | | | | | |
Easy | | | | | | | |
Moderate | | | | | | | |
Difficult | | | | | | | |
Extremely Difficult | | | | | | | |
No Known Exploit | MS16-113, MS16-115 | MS16-104, MS16-105, MS16-107, MS16-111, MS16-112, MS16-114, MS16-116, MS16-117 | MS16-108 | MS16-106, MS16-110 | | | |
MS16-104 | Cumulative Security Update for Internet Explorer | KB3183038 |
MS16-105 | Cumulative Security Update for Microsoft Edge | KB3183043 |
MS16-106 | Security Update for Microsoft Graphics Component | KB3185848 |
MS16-107 | Security Update for Microsoft Office | KB3185852 |
MS16-108 | Security Update for Microsoft Exchange Server | KB3185883 |
MS16-109 | Security Update for Silverlight | KB3182373 |
MS16-110 | Security Update for Microsoft Windows | KB3178467 |
MS16-111 | Security Update for Windows Kernel | KB3186973 |
MS16-112 | Security Update for Windows Lock Screen | KB3178469 |
MS16-113 | Security Update for Windows Secure Kernel Mode | KB3185876 |
MS16-114 | Security Update for Windows SMBv1 Server | KB3185879 |
MS16-115 | Security Update for Microsoft Windows PDF Library | KB3188733 |
MS16-116 | Security Update in OLE Automation for VBScript Scripting Engine | KB3188724 |
MS16-117 | Security Update for Adobe Flash Player | KB3188128 |
MS16-104
This month’s Patch Tuesday starts like most others, with an Internet Explorer update which addresses issues related to IE’s handling of zone and integrity settings, cross-origin content, objects in memory, and .URL files. Keep in mind this month that CVE-2016-3375 is not fully resolved until both IE update 3185319 and OLE Automation update 3184122 (MS16-116) are installed. Additionally, it’s good to offer a reminder that at the start of the year, Microsoft declared a number of IE products end-of-life. If you’re still running one of these EOL browsers, do not take this bulletin to mean you aren’t vulnerable. Microsoft only lists supported software in the affected software list. CVE-2016-3351 has been exploited.
MS16-105
As is often the case, this month’s Microsoft Edge bulletin shares quite a bit of overlap with the Internet Explorer bulletin. Additionally, vulnerabilities in the Chakra JavaScript engine and an ASLR bypass are resolved with this update.
MS16-106
This bulletin resolves a variety of vulnerabilities affecting Win32k and GDI including code execution, privilege escalation, and information disclosure. One of the more interesting takeaways from this bulletin is that the critical code execution vulnerability only affects the latest release of Windows 10 (build 1607).
MS16-107
This month’s Microsoft Office update addresses a massive list of affected software covering both Microsoft Office suites and standalone products, various Office Viewers, SharePoint, Office Web Apps, and Office Online Server. One of the more interesting vulnerabilities in this bulletin is CVE-2016-3366, which addresses a vulnerability in Microsoft Outlook. Specifically, Microsoft Outlook does not adhere to RFC2046, MIME Part Two: Media Types, which may lead to mail bypassing antivirus and antispam solutions.
MS16-108
In addition to the three Microsoft Exchange specific vulnerabilities addressed by this bulletin, 18 CVEs from the Oracle July 2016 CPU related to the Oracle Outside In libraries are addressed.
MS16-109
Up next, we have a single vulnerability in Microsoft Silverlight, which was resolved by changing how Silverlight allocates memory when inserting and appending strings in StringBuilder.
MS16-110
MS16-110 resolves a number of Windows specific vulnerabilities, the most interesting of which is CVE-2016-3352. This information disclosure vulnerability could allow Windows account credentials to be leaked as NTLM password hashes by forcing a user to visit a malicious website or SMB server. The patch changes the situations in which NTLM SSO authentication can be sent to non-private services. CVE-2016-3352 has been publicly disclosed.
MS16-111
This bulletin resolves a number of privilege escalation vulnerabilities in the Windows kernel.
MS16-112
This bulletin resolves a single privilege escalation in the Windows Lock Screen. In order to exploit this vulnerability, an attacker must have physical access to the computer and must connect to a malicious hotspot.
MS16-113
MS16-113 resolves a single Windows Secure Kernel Mode information disclosure vulnerability that only affects Windows 10.
MS16-114
One of the more interesting vulnerabilities this month, MS16-114 describes a single vulnerability that could lead to code execution against servers running SMBv1. An attacker must be able to authenticate to the host and open files in order to successfully exploit the system. In addition to the patch, Microsoft has released steps on turning off SMBv1 for systems that cannot be immediately patched.
MS16-115
This bulletin resolves two information disclosure vulnerabilities in the Microsoft PDF Library, which has been showing up quite regularly since its release. If the two CVEs mentioned here look familiar, it’s because they were also referenced in the Microsoft Edge bulletin (MS16-105).
MS16-116
The penultimate update this month addresses a single vulnerability that exists in the interaction between the OLE Automation mechanism and the VBScript scripting engine in IE. This is the same vulnerability found in MS16-104 and both updates must be installed to fully remediate the vulnerability.
MS16-117
The final bulletin this month is the Adobe Flash Player bulletin, which echoes the vulnerabilities found in APSB16-29. Remember that you may need to install both the Microsoft and Adobe updates, depending on the software installed on your system.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.