. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-675 on Wednesday, June 15th.
This is the second month that we see MS16-063 listed in the VERT Alert. Last month, this bulletin referenced the Microsoft Exchange update but was pulled a few moments after it’s release and replaced with the text ‘Content Placeholder’. Although Exchange has been released this month, you’ll find it further down the list as this bulletin now describes a security update for Internet Explorer. One interesting note regarding this bulletin is CVE-2016-3213, which is referenced in both MS16-063 and MS16-077. Both updates must be applied to fully resolve this vulnerability, so Tripwire IP360 will perform that detection in a single vulnerability related to MS16-077.
The second bulletin this month resolves vulnerabilities in Microsoft Edge. One interesting note here is the CVE duplication against other vulnerabilities. MS16-068 includes vulnerabilities also referenced in MS16-080. While MS16-080 resolves this vulnerability in OS components, this bulletin resolves the vulnerability within Microsoft Edge.
CVE-2016-3222 has been publicly disclosed.
Up next, we have the JScript and VBScript update that we’ve all come to expect. This bulletin has some overlap with the Internet Explorer bulletin. Specifically, MS16-069 applies to systems still running IE 7 and earlier that have the vulnerable versions of JScript and VBScript installed. The only supported systems running IE 7 are running Windows Embedded Point of Service (WEPOS) based on this document
. If you are running IE7 on any other version of Windows, you should consider upgraded ASAP.
This months office update is pretty standard, a lot of the typical software from both the Microsoft Office Suite and Office Web Apps. One interesting addition this month is Office Online Server, the new software that replaces Office Web Apps on modern Microsoft Server platforms.
Looking at the bulletins this month, if reusable exploit code is written for CVE-2016-3227, it could very well be the most critical vulnerability this month. Windows Server 2012 and Server 2012 R2 (as well as the Windows Server Technical Preview 5) with the DNS Server enabled are vulnerable to this exploit, which could result in access to the Local System account.
This bulletin is interesting because it’s a Group Policy man-in-the-middle attack. The issue arises when group policy settings are passed from the domain controller to another system, allowing the group policy update to be manipulated. This vulnerability is mitigated by applying Kerberos authentication to a number of group policy related calls.
Another monthly staple, MS16-073 resolves issues in the Kernel-Mode Driver that could lead to an elevation of privilege.
MS16-074 resolves issues with Microsoft graphics, particularly Windows Graphics Component (GDI32) but this bulletin also contains updates for Win32k.sys (also patched in the above MS16-073) and ATMFD.dll, the Adobe Type Manager Font Driver, which we frequently see updated.
The first of two bulletins to use security update 3161561, this bulletin references a publicly disclosed vulnerability in Windows SMB Server that allows an authenticated attacker to forward authentication requests from one server to another, allowing for an elevation of privilege.
CVE-2016-3225 has been publicly disclosed.
This is the second bulletin resolved by security update 3161561 and could allow an authenticated attacker to execute code on a domain controller.
This is not the first time we’ve seen WPAD referenced with regard to a flaw that could allow an attacker to man-in-the-middle network traffic. This bulletin calls out two vulnerabilities, one that involves responding to NetBIOS requests for WPAD and one that involves WPAD querying out to the internet for proxy configurations. This second vulnerability appears to be related to a recently released US-CERT alert (TA16-144A
). The issue involves the recently expanded list of gTLDs that often mimic the namespace used for individual and enterprise internal networks. Interestingly, Microsoft does not recommend disabling automatic proxy configuration (as has been recommended in the past) but instead recommends using an IP black hole and setting wpad to the address 255.255.255.255 via the hosts file.
CVE-2016-3236 has been publicly disclosed.
MS16-078 affects the Windows Diagnostic Hub in Windows 10 and Server Technical Preview 5. Due to improper input sanitization, an authenticated attacker could exploit this flaw to elevate their privileges.
MS16-079 is the bulletin that was released last month as MS16-063 and then quickly pulled. It references a single vulnerability in Microsoft Exchange and three vulnerabilities in the Oracle Outside In libraries that were patched by Oracle back in January. Even though this was briefly online last month, Microsoft still lists this as version 1.0 of the bulletin with an initial publish date of June 14th
. It would be interesting to know exactly why this was pulled.
As mentioned in MS16-068, this update addresses some of the same vulnerabilities as the Microsoft Edge cumulative update in various Windows OS components.
The penultimate update this month resolves a denial of service affecting Active Directory, where an authenticated attacker could DoS Active Directory by creating multiple machine accounts.
The final update this month resolves a denial of service vulnerability affecting the Windows Search Component. An attacker would require access to the system and could reduce server performance.
CVE-2016-3230 has been publicly disclosed.
Adobe has released APSA16-03
, to announce the pending release of an update for Adobe Flash. The update will include a fix for the publicly exploited CVE-2016-4171 and could be released as early as Thursday, June 16th
As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.