VERT Threat Alert: August 2016 Patch Tuesday Analysis

Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-684 on Wednesday, August 10th.

EASE OF USE (PUBLISHED EXPLOITS) TO RISK TABLE

Automated Exploit
Easy
Moderate
Difficult
Extremely Difficult
No Known Exploit	MS16-100 MS16-103		MS16-095 MS16-096 MS16-097 MS16-099 MS16-102		MS16-101	MS16-098
	Exposure	Local Availability	Local Access	Remote Availability	Remote Access	Local Privileged	Remote Privileged

 

MS16-095	Cumulative Security Update for Internet Explorer	KB3177356
MS16-096	Cumulative Security Update for Microsoft Edge	KB3177358
MS16-097	Security Update for Microsoft Graphics Components	KB3177393
MS16-098	Security Update for Windows Kernel-Mode Drivers	KB3178466
MS16-099	Security Update for Microsoft Office	KB3177451
MS16-100	Security Update for Secure Boot	KB3179577
MS16-101	Security Update for Windows Authentication Methods	KB3178465
MS16-102	Security Update for Microsoft Windows PDF Library	KB3182248
MS16-103	Security Update for ActiveSyncProvider	KB3182332

 

MS16-095

As with all Patch Tuesday’s, the first bulletin released this month belongs to Internet Explorer. While a few of the CVEs are unique to Internet Explorer, IE and Edge share the bulk of the CVEs. One of the more interesting notes about this bulletin is a mitigation, which reads: “For CVE-2016-3321 only: An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.” It is rare to see an Internet Explorer issue limited to such a specific scope.

MS16-096

The partner bulletin of MS16-095, this month’s second bulletin is the Microsoft Edge update. As was mentioned above, a number of vulnerabilities exist across both bulletins but they also contain unique vulnerabilities as well. Of the two CVEs not found in MS16-095, one is also included in MS16-102, leaving CVE-2016-3296 as the only unique CVE in this bulletin. This CVE describes a vulnerability in the Chakra JavaScript scripting engine.

MS16-097

The next bulletin this month is one of the mega-bulletins that we see from time to time. Instead of covering a single product or product family, this bulletin applies to a wide range of product families. In this case, Microsoft Windows, Office 2007, Office 2010, Skype for Business, and Lync are all patched by this bulletin. There’s an interesting note in the update FAQ for this product:

I am running Office 2010, which is listed as affected software. Why am I not being offered the update?  The update is not applicable to Office 2010 on Windows Vista and later versions of Windows because the vulnerable code is not present.  This means that Microsoft Office 2010 is only vulnerable when installed on an unsupported operating system.

MS16-098

Up next, we have a staple in the monthly patch bundle, an update to Windows Kernel-Mode Drivers, specifically Win32k. This bulletin resolves four privilege escalation vulnerabilities.

MS16-099

This month’s Microsoft Office bulletin resolves flaws across all supported versions of Microsoft Word, Office, and OneNote. One important note about this bulletin is that CVE-2016-3316 has been marked critical because it can be exploited via the Preview Pane. For this reason, it is important to make this update a priority.

MS16-100

The 100^th bulletin of the year resolves a vulnerability in Windows Secure Boot that could allow an attacker to bypass Integrity Validation for BitLocker and Device Encryption as well as bypass higher level protection mechanisms. This could allow attackers to disable integrity checks, and load test-signed executable and drivers.

MS16-101

Up next, we have two vulnerabilities related to Windows authentication. The first fixes insecure Netlogon communication with domain controllers while the second prevents Kerberos authentication from falling back to NTLM during failed password change attempts.

MS16-102

The penultimate update this month resolves a vulnerability in the Microsoft PDF library. This CVE was also referenced in the Microsoft Edge cumulative update.

MS16-103

The final bulletin this month is a Windows 10 fix for a vulnerability in ActiveSyncProvider that makes it possible for Universal Outlook to disclose user credentials by failing to properly establish secure communication with the target server.

Additional Details

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.