Image
EASE OF USE (PUBLISHED EXPLOITS) TO RISK TABLE
|
Automated Exploit |
|||||||
|
Easy |
|||||||
|
Moderate |
|||||||
|
Difficult |
|||||||
|
Extremely Difficult |
|||||||
|
No Known Exploit |
MS16-100MS16-103 |
|
MS16-095MS16-096MS16-097MS16-099MS16-102 |
|
MS16-101 |
MS16-098 |
|
|
Exposure |
Local
Availability |
Local
Access |
Remote
Availability |
Remote
Access |
Local
Privileged |
Remote
Privileged |
| MS16-095 | Cumulative Security Update for Internet Explorer | KB3177356 |
| MS16-096 | Cumulative Security Update for Microsoft Edge | KB3177358 |
| MS16-097 | Security Update for Microsoft Graphics Components | KB3177393 |
| MS16-098 | Security Update for Windows Kernel-Mode Drivers | KB3178466 |
| MS16-099 | Security Update for Microsoft Office | KB3177451 |
| MS16-100 | Security Update for Secure Boot | KB3179577 |
| MS16-101 | Security Update for Windows Authentication Methods | KB3178465 |
| MS16-102 | Security Update for Microsoft Windows PDF Library | KB3182248 |
| MS16-103 | Security Update for ActiveSyncProvider | KB3182332 |
MS16-095
As with all Patch Tuesday’s, the first bulletin released this month belongs to Internet Explorer. While a few of the CVEs are unique to Internet Explorer, IE and Edge share the bulk of the CVEs. One of the more interesting notes about this bulletin is a mitigation, which reads: “For CVE-2016-3321 only: An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.” It is rare to see an Internet Explorer issue limited to such a specific scope.MS16-096
The partner bulletin of MS16-095, this month’s second bulletin is the Microsoft Edge update. As was mentioned above, a number of vulnerabilities exist across both bulletins but they also contain unique vulnerabilities as well. Of the two CVEs not found in MS16-095, one is also included in MS16-102, leaving CVE-2016-3296 as the only unique CVE in this bulletin. This CVE describes a vulnerability in the Chakra JavaScript scripting engine.MS16-097
The next bulletin this month is one of the mega-bulletins that we see from time to time. Instead of covering a single product or product family, this bulletin applies to a wide range of product families. In this case, Microsoft Windows, Office 2007, Office 2010, Skype for Business, and Lync are all patched by this bulletin. There’s an interesting note in the update FAQ for this product:I am running Office 2010, which is listed as affected software. Why am I not being offered the update? The update is not applicable to Office 2010 on Windows Vista and later versions of Windows because the vulnerable code is not present. This means that Microsoft Office 2010 is only vulnerable when installed on an unsupported operating system.
MS16-098
Up next, we have a staple in the monthly patch bundle, an update to Windows Kernel-Mode Drivers, specifically Win32k. This bulletin resolves four privilege escalation vulnerabilities.MS16-099
This month’s Microsoft Office bulletin resolves flaws across all supported versions of Microsoft Word, Office, and OneNote. One important note about this bulletin is that CVE-2016-3316 has been marked critical because it can be exploited via the Preview Pane. For this reason, it is important to make this update a priority.MS16-100
The 100th bulletin of the year resolves a vulnerability in Windows Secure Boot that could allow an attacker to bypass Integrity Validation for BitLocker and Device Encryption as well as bypass higher level protection mechanisms. This could allow attackers to disable integrity checks, and load test-signed executable and drivers.MS16-101
Up next, we have two vulnerabilities related to Windows authentication. The first fixes insecure Netlogon communication with domain controllers while the second prevents Kerberos authentication from falling back to NTLM during failed password change attempts.MS16-102
The penultimate update this month resolves a vulnerability in the Microsoft PDF library. This CVE was also referenced in the Microsoft Edge cumulative update.MS16-103
The final bulletin this month is a Windows 10 fix for a vulnerability in ActiveSyncProvider that makes it possible for Universal Outlook to disclose user credentials by failing to properly establish secure communication with the target server.Additional Details
As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
