Today’s VERT Alert addresses 10 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-693 on Wednesday, October 12th.
EASE OF USE (PUBLISHED EXPLOITS) TO RISK TABLE

| Automated Exploit | | | | | | | |
| Easy | | | | | | | |
| Moderate | | | | | | | |
| Difficult | | | MS16-118, MS16-119, MS16-120, MS16-121 | | | | |
| Extremely Difficult | | | | | | | |
| No Known Exploit | MS16-126 | | MS16-122, MS16-127 | | | MS16-123, MS16-124, MS16-125 | |
| | Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |

Up first this month, we have the typical Internet Explorer update. We also have a historic bulletin, as MS16-118 will go down in history as the first bulletin to contain a reference to the Monthly Roll-up and Security Only bundles from Microsoft. The bulletin itself is relatively standard without any real surprises. The only real note is that for CVE-2016-3298, both MS16-118 and MS16-126 must be installed on Windows Vista and Server 2008 platforms.
CVE-2016-3298 has been exploited.
The monthly Edge update is a rather typical roundup of Edge-related vulnerabilities, with the usual selection of issues that also impact Internet Explorer. Interestingly, while both browsers are impacted by a publicly exploited vulnerability, they are different vulnerabilities.
CVE-2016-7189 has been exploited.
Up next, we have an exercise in complexity. The Microsoft Graphics Component update fixes vulnerabilities related to TTF, GDI+, and Win32k across a number of products including Windows, .NET, Office, Lync, and Silverlight. The end result is a massive number of available patches and updates.
CVE-2016-3393 has been exploited.
This month’s Office update resolves a single vulnerability impacting all supported versions of Office. Attackers could exploit this vulnerability with a malicious RTF file.
CVE-2016-7193 has been exploited.
MS16-122 resolves a single vulnerability in the Microsoft Video Control. This vulnerability can be exploited via the Preview Pane, which is why it has been identified as critical.
Up next, we have a security update for Windows Kernel-Mode drivers. This is a great bulletin to demonstrate the intended benefit of the new Monthly Roll-up from Microsoft. You can see that multiple patches are required for Windows Vista and Server 2008, while newer platforms offer two choices: the monthly roll-up or the security-only update.
The MS16-124 bulletin fixes a number of issues with the Windows Kernel API and Windows Registry that allow authenticated users to gain access to information that should be restricted.
A single vulnerability in the Windows Diagnostics Hub that could allow privilege elevation on Windows 10 is patched in MS16-125. A custom application could be executed on the host that will incorrectly load malicious libraries, leading to full control of the system.
The penultimate update this month resolves a vulnerability in the Microsoft Internet Messaging API. This is the second update required alongside MS16-118 to resolve CVE-2016-3298 on Windows Vista and Server 2008.
CVE-2016-3298 has been exploited.
The final update this month resolves a number of vulnerabilities in Adobe Flash. The vulnerabilities covered in MS16-127 are also covered by Adobe Security Bulletin APSB16-32.
As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.