
Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-684 on Wednesday, August 10th.

EASE OF USE (PUBLISHED EXPLOITS) TO RISK TABLE

Ease of use (rows): Automated Exploit, Easy, Moderate, Difficult, Extremely Difficult, No Known Exploit
Risk (columns): Exposure, Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

Bulletins as grouped in the table:
MS16-100, MS16-103
MS16-095, MS16-096, MS16-097, MS16-099, MS16-102
MS16-101, MS16-098

 

MS16-095 Cumulative Security Update for Internet Explorer KB3177356
MS16-096 Cumulative Security Update for Microsoft Edge KB3177358
MS16-097 Security Update for Microsoft Graphics Components KB3177393
MS16-098 Security Update for Windows Kernel-Mode Drivers KB3178466
MS16-099 Security Update for Microsoft Office KB3177451
MS16-100 Security Update for Secure Boot KB3179577
MS16-101 Security Update for Windows Authentication Methods KB3178465
MS16-102 Security Update for Microsoft Windows PDF Library KB3182248
MS16-103 Security Update for ActiveSyncProvider KB3182332

 

MS16-095

As with all Patch Tuesdays, the first bulletin released this month belongs to Internet Explorer. While a few of the CVEs are unique to Internet Explorer, IE and Edge share the bulk of the CVEs. One of the more interesting notes about this bulletin is a mitigation, which reads: “For CVE-2016-3321 only: An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.” It is rare to see an Internet Explorer issue limited to such a specific scope.

MS16-096

The partner bulletin of MS16-095, this month’s second bulletin is the Microsoft Edge update. As mentioned above, a number of vulnerabilities appear in both bulletins, but each also contains unique vulnerabilities. Of the two CVEs not found in MS16-095, one is also included in MS16-102, leaving CVE-2016-3296 as the only unique CVE in this bulletin. This CVE describes a vulnerability in the Chakra JavaScript scripting engine.

MS16-097

The next bulletin this month is one of the mega-bulletins that we see from time to time. Instead of covering a single product or product family, this bulletin applies to a wide range of product families. In this case, Microsoft Windows, Office 2007, Office 2010, Skype for Business, and Lync are all patched by this bulletin. There’s an interesting note in the update FAQ for this product:

I am running Office 2010, which is listed as affected software. Why am I not being offered the update? 

The update is not applicable to Office 2010 on Windows Vista and later versions of Windows because the vulnerable code is not present. 

This means that Microsoft Office 2010 is only vulnerable when installed on an unsupported operating system.

MS16-098

Up next, we have a staple in the monthly patch bundle, an update to Windows Kernel-Mode Drivers, specifically Win32k. This bulletin resolves four privilege escalation vulnerabilities.

MS16-099

This month’s Microsoft Office bulletin resolves flaws across all supported versions of Microsoft Word, Office, and OneNote. One important note about this bulletin is that CVE-2016-3316 has been marked critical because it can be exploited via the Preview Pane. For this reason, it is important to make this update a priority.

MS16-100

The 100th bulletin of the year resolves a vulnerability in Windows Secure Boot that could allow an attacker to bypass Integrity Validation for BitLocker and Device Encryption as well as bypass higher level protection mechanisms. This could allow attackers to disable integrity checks and load test-signed executables and drivers.

MS16-101

Up next, we have two vulnerabilities related to Windows authentication. The first fixes insecure Netlogon communication with domain controllers while the second prevents Kerberos authentication from falling back to NTLM during failed password change attempts.

MS16-102

The penultimate update this month resolves a vulnerability in the Microsoft PDF library. This CVE was also referenced in the Microsoft Edge cumulative update.

MS16-103

The final bulletin this month is a Windows 10 fix for a vulnerability in ActiveSyncProvider that makes it possible for Universal Outlook to disclose user credentials by failing to properly establish secure communication with the target server.

Additional Details

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.