EASE OF USE (PUBLISHED EXPLOITS) TO RISK TABLE

| Ease of Use | Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |
|---|---|---|---|---|---|---|---|
| Automated Exploit | | | | | | | |
| Easy | | | | | | | |
| Moderate | | | | | | | |
| Difficult | | | | | | | |
| Extremely Difficult | | | | | | | |
| No Known Exploit | MS16-100, MS16-103 | | MS16-095, MS16-096, MS16-097, MS16-099, MS16-102 | | MS16-101 | MS16-098 | |


| Bulletin | Description | KB |
|---|---|---|
| MS16-095 | Cumulative Security Update for Internet Explorer | KB3177356 |
| MS16-096 | Cumulative Security Update for Microsoft Edge | KB3177358 |
| MS16-097 | Security Update for Microsoft Graphics Components | KB3177393 |
| MS16-098 | Security Update for Windows Kernel-Mode Drivers | KB3178466 |
| MS16-099 | Security Update for Microsoft Office | KB3177451 |
| MS16-100 | Security Update for Secure Boot | KB3179577 |
| MS16-101 | Security Update for Windows Authentication Methods | KB3178465 |
| MS16-102 | Security Update for Microsoft Windows PDF Library | KB3182248 |
| MS16-103 | Security Update for ActiveSyncProvider | KB3182332 |

MS16-095
As with every Patch Tuesday, the first bulletin released this month belongs to Internet Explorer. While a few of the CVEs are unique to Internet Explorer, IE and Edge share the bulk of the CVEs. One of the more interesting notes about this bulletin is a mitigation, which reads: “For CVE-2016-3321 only: An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.” It is rare to see an Internet Explorer issue limited to such a specific scope.

MS16-096
The partner bulletin of MS16-095, this month’s second bulletin is the Microsoft Edge update. As mentioned above, a number of vulnerabilities are shared across both bulletins, but each also contains vulnerabilities of its own. Of the two CVEs not found in MS16-095, one is also included in MS16-102, leaving CVE-2016-3296 as the only unique CVE in this bulletin. This CVE describes a vulnerability in the Chakra JavaScript scripting engine.

MS16-097
The next bulletin this month is one of the mega-bulletins that we see from time to time. Instead of covering a single product or product family, this bulletin applies to a wide range of product families. In this case, Microsoft Windows, Office 2007, Office 2010, Skype for Business, and Lync are all patched by this bulletin. There’s an interesting note in the update FAQ for this bulletin:

“I am running Office 2010, which is listed as affected software. Why am I not being offered the update? The update is not applicable to Office 2010 on Windows Vista and later versions of Windows because the vulnerable code is not present.”

This means that Microsoft Office 2010 is only vulnerable when installed on an unsupported operating system.