VERT Threat Alert: June 2016 Patch Tuesday Analysis | Tripwire

VERT Threat Alert: June 2016 Patch Tuesday Analysis

Posted on June 15, 2016
VERT Threat Alert: April 2017 Patch Tuesday Analysis
Today’s VERT Alert addresses 16 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-675 on Wednesday, June 15th.

Ease of Use (published exploits) to Risk Table

Automated Exploit
Easy
Moderate
Difficult
Extremely Difficult
 MS16-082
 MS16-075
No Known Exploit
MS16-077
 MS16-081
MS16-063 MS16-068 MS16-069 MS16-070 MS16-076 MS16-080
MS16-072 MS16-079
MS16-073 MS16-074 MS16-078
 MS16-071
Exposure
Local Availability
Local Access
Remote Availability
Remote Access
Local Privileged
Remote Privileged
MS16-063 Cumulative Security Update for Internet Explorer KB3163649
MS16-068 Cumulative Security Update for Microsoft Edge KB3163656
MS16-069 Cumulative Security Update for JScript and VBScript KB3163640
MS16-070 Security Update for Microsoft Office KB3163610
MS16-071 Security Update for Microsoft Windows DNS Server KB3164065
MS16-072 Security Update for Group Policy KB3163622
MS16-073 Security Update for Windows Kernel-Mode Drivers KB3164028
MS16-074 Security Update for Microsoft Graphics Components KB3164036
MS16-075 Security Update for Windows SMB Server KB3164038
MS16-076 Security Update for Netlogon KB3167691
MS16-077 Security Update for WPAD KB3165191
MS16-078 Security Update for Windows Diagnostic Hub KB3165479
MS16-079 Security Update for Microsoft Exchange Server KB3160339
MS16-080 Security Update for Microsoft Windows PDF KB3164302
MS16-081 Security Update for Active Directory KB3160352
MS16-082 Security Update for Microsoft Windows Search Component KB3165270

MS16-063

This is the second month that we see MS16-063 listed in the VERT Alert. Last month, this bulletin referenced the Microsoft Exchange update but was pulled a few moments after it’s release and replaced with the text ‘Content Placeholder’. Although Exchange has been released this month, you’ll find it further down the list as this bulletin now describes a security update for Internet Explorer. One interesting note regarding this bulletin is CVE-2016-3213, which is referenced in both MS16-063 and MS16-077. Both updates must be applied to fully resolve this vulnerability, so Tripwire IP360 will perform that detection in a single vulnerability related to MS16-077.

MS16-068

The second bulletin this month resolves vulnerabilities in Microsoft Edge. One interesting note here is the CVE duplication against other vulnerabilities. MS16-068 includes vulnerabilities also referenced in MS16-080. While MS16-080 resolves this vulnerability in OS components, this bulletin resolves the vulnerability within Microsoft Edge. CVE-2016-3222 has been publicly disclosed.

MS16-069

Up next, we have the JScript and VBScript update that we’ve all come to expect. This bulletin has some overlap with the Internet Explorer bulletin. Specifically, MS16-069 applies to systems still running IE 7 and earlier that have the vulnerable versions of JScript and VBScript installed. The only supported systems running IE 7 are running Windows Embedded Point of Service (WEPOS) based on this document. If you are running IE7 on any other version of Windows, you should consider upgraded ASAP.

MS16-070

This months office update is pretty standard, a lot of the typical software from both the Microsoft Office Suite and Office Web Apps. One interesting addition this month is Office Online Server, the new software that replaces Office Web Apps on modern Microsoft Server platforms.

MS16-071

Looking at the bulletins this month, if reusable exploit code is written for CVE-2016-3227, it could very well be the most critical vulnerability this month. Windows Server 2012 and Server 2012 R2 (as well as the Windows Server Technical Preview 5) with the DNS Server enabled are vulnerable to this exploit, which could result in access to the Local System account.

MS16-072

This bulletin is interesting because it’s a Group Policy man-in-the-middle attack. The issue arises when group policy settings are passed from the domain controller to another system, allowing the group policy update to be manipulated. This vulnerability is mitigated by applying Kerberos authentication to  a number of group policy related calls.

MS16-073

Another monthly staple, MS16-073 resolves issues in the Kernel-Mode Driver that could lead to an elevation of privilege.

MS16-074

MS16-074 resolves issues with Microsoft graphics, particularly Windows Graphics Component (GDI32) but this bulletin also contains updates for Win32k.sys (also patched in the above MS16-073) and ATMFD.dll, the Adobe Type Manager Font Driver, which we frequently see updated.

MS16-075

The first of two bulletins to use security update 3161561, this bulletin references a publicly disclosed vulnerability in Windows SMB Server that allows an authenticated attacker to forward authentication requests from one server to another, allowing for an elevation of privilege. CVE-2016-3225 has been publicly disclosed.

MS16-076

This is the second bulletin resolved by security update 3161561 and could allow an authenticated attacker to execute code on a domain controller.

MS16-077

This is not the first time we’ve seen WPAD referenced with regard to a flaw that could allow an attacker to man-in-the-middle network traffic. This bulletin calls out two vulnerabilities, one that involves responding to NetBIOS requests for WPAD and one that involves WPAD querying out to the internet for proxy configurations. This second vulnerability appears to be related to a recently released US-CERT alert (TA16-144A). The issue involves the recently expanded list of gTLDs that often mimic the namespace used for individual and enterprise internal networks. Interestingly, Microsoft does not recommend disabling automatic proxy configuration (as has been recommended in the past) but instead recommends using an IP black hole and setting wpad to the address 255.255.255.255 via the hosts file. CVE-2016-3236 has been publicly disclosed.

MS16-078

MS16-078 affects the Windows Diagnostic Hub in Windows 10 and Server Technical Preview 5. Due to improper input sanitization, an authenticated attacker could exploit this flaw to elevate their privileges.

MS16-079

MS16-079 is the bulletin that was released last month as MS16-063 and then quickly pulled. It references a single vulnerability in Microsoft Exchange and three vulnerabilities in the Oracle Outside In libraries that were patched by Oracle back in January. Even though this was briefly online last month, Microsoft still lists this as version 1.0 of the bulletin with an initial publish date of June 14th. It would be interesting to know exactly why this was pulled.

MS16-080

As mentioned in MS16-068, this update addresses some of the same vulnerabilities as the Microsoft Edge cumulative update in various Windows OS components.

MS16-081

The penultimate update this month resolves a denial of service affecting Active Directory, where an authenticated attacker could DoS Active Directory by creating multiple machine accounts.

MS16-082

The final update this month resolves a denial of service vulnerability affecting the Windows Search Component. An attacker would require access to the system and could reduce server performance. CVE-2016-3230 has been publicly disclosed.

Additional Details

Adobe has released APSA16-03, to announce the pending release of an update for Adobe Flash. The update will include a fix for the publicly exploited CVE-2016-4171 and could be released as early as Thursday, June 16th. As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!