Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-698 on Wednesday, November 9th.

Ease of Use (published exploits) to Risk Table

Risk categories (columns): Exposure, Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

Automated Exploit: MS16-132, MS16-135

Easy: none

Moderate: none

Difficult: none

Extremely Difficult: MS16-129, MS16-142

No Known Exploit: MS16-131, MS16-133, MS16-138, MS16-140, MS16-141; MS16-130, MS16-134, MS16-136, MS16-137, MS16-139

MS16-129: Cumulative Security Update for Microsoft Edge (KB3199057)

MS16-130: Security Update for Microsoft Windows (KB3199172)

MS16-131: Security Update for Microsoft Video Control (KB3199151)

MS16-132: Security Update for Microsoft Graphics Component (KB3199120)

MS16-133: Security Update for Microsoft Office (KB3199168)

MS16-134: Security Update for Common Log File System Driver (KB3193706)

MS16-135: Security Update for Windows Kernel-Mode Drivers (KB3199135)

MS16-136: Security Update for SQL Server (KB3199641)

MS16-137: Security Update for Windows Authentication Methods (KB3199173)

MS16-138: Security Update for Microsoft Virtual Hard Disk Driver (KB3199647)

MS16-139: Security Update for Windows Kernel (KB3185879)

MS16-140: Security Update for Boot Manager (KB3193479)

MS16-141: Security Update for Adobe Flash Player (KB3202790)

MS16-142: Cumulative Security Update for Internet Explorer (KB3198467)

MS16-129

Unlike every other month, this month’s bulletin list starts with the cumulative update for Microsoft Edge. The traditional first bulletin, Internet Explorer, comes last this month, possibly due to the Flash Out-of-Band released in late October causing a shift in bulletin IDs. This bulletin contains a number of CVEs shared with Internet Explorer’s MS16-142, a number of scripting engine updates, and a pair of Edge-only vulnerabilities, one of which is related to the parsing of HTTP responses.

CVE-2016-7209 was publicly disclosed.

CVE-2016-7199 was publicly disclosed.

MS16-130

The second bulletin this month fixes three unassociated vulnerabilities in Microsoft Windows. This includes a potential drive-by attack vector in image parsing and a pair of privilege escalation vulnerabilities in the Windows Input Method Editor and Task Scheduler. The Task Scheduler change requires that hardened UNC paths be used for scheduled tasks, which means that existing scheduled tasks should be reviewed after applying the patch for any potential errors.
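One way to shortlist tasks for that post-patch review, as an added example that is not part of the original alert or of any vendor tooling: scan task definitions exported as XML (for example with `schtasks /query /xml`) and report every UNC path found in an Exec action. The task names, servers and shares in the sample are constructed, and the `_task` helper is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# XML namespace of Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Matches \\server\share wherever it appears in a path or command line.
UNC_RE = re.compile(r'\\\\([^\\/\s"]+)\\([^\\/\s"]+)')

def unc_references(task_xml):
    """Return (field, server, share) for every UNC path in a task's Exec actions."""
    root = ET.fromstring(task_xml)  # accepts str, or bytes read from an export
    hits = []
    for action in root.findall("t:Actions/t:Exec", NS):
        for field in ("Command", "Arguments", "WorkingDirectory"):
            text = action.findtext(f"t:{field}", default="", namespaces=NS)
            for server, share in UNC_RE.findall(text):
                hits.append((field, server, share))
    return hits

def audit(tasks):
    """Map task name -> UNC references, omitting tasks that use local paths only."""
    found = {name: unc_references(xml) for name, xml in tasks.items()}
    return {name: refs for name, refs in found.items() if refs}

def _task(command, arguments="", workdir=""):
    """Build a minimal task definition (constructed sample, not a real export)."""
    return (
        '<Task version="1.2" xmlns="%s"><Actions Context="Author"><Exec>'
        "<Command>%s</Command><Arguments>%s</Arguments>"
        "<WorkingDirectory>%s</WorkingDirectory></Exec></Actions></Task>"
        % (NS["t"], command, arguments, workdir)
    )

# Constructed sample tasks; names, servers and shares are made up.
SAMPLE_TASKS = {
    r"\Backup\NightlySync": _task(r"\\fileserver01\scripts\sync.cmd",
                                  workdir=r"\\fileserver01\scripts"),
    r"\Maintenance\Defrag": _task(r"C:\Windows\System32\defrag.exe", "-c"),
    r"\Reports\Export": _task("cmd.exe",
                              r"/c copy C:\data\out.zip \\nas02\drop$\out.zip"),
}

if __name__ == "__main__":
    for name, refs in audit(SAMPLE_TASKS).items():
        for field, server, share in refs:
            print(f"{name}: {field} -> \\\\{server}\\{share}")
```

Each server and share in the report can then be compared against the hardened UNC path configuration before the task's next scheduled run.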

MS16-131

Up next, we have a single vulnerability in the Microsoft Video Control, which could allow code execution via a malicious file. One of the more important notes here is that the Outlook Preview Pane is also affected, increasing the risk for this vulnerability.

MS16-132

MS16-132 contains fixes for 4 vulnerabilities affecting Microsoft Graphics Components. In addition to information disclosure and code execution in the context of the user, this bulletin resolves two vulnerabilities that could lead to full control of the affected system.

CVE-2016-7256 has been exploited.

MS16-133

This month’s Office bulletin resolves vulnerabilities affecting Microsoft Word, Excel, and PowerPoint, as well as vulnerabilities in Excel and Word services on SharePoint and Office Web Apps Server. The bulk of the vulnerabilities here will lead to code execution in the context of the current user; however, there are also information disclosure and denial of service vulnerabilities in the list.

MS16-134

With MS16-134, we have a number of privilege escalation vulnerabilities affecting the Windows Common Log File System (CLFS) drivers. CLFS provides user-mode logging services via the Windows SDK and kernel-mode logging services via a driver. These vulnerabilities affect the kernel-mode logging services, meaning that successful exploitation could allow attackers to run code in a higher context.

MS16-135

The Windows Kernel-Mode Drivers update has been a frequently seen bulletin for the past few years, and we see it again this month. This bulletin resolves 5 vulnerabilities: two information disclosure issues and three privilege escalations. According to Microsoft, CVE-2016-7255, which was exploited in the wild, was mitigated for users running the Windows 10 Anniversary Update.

CVE-2016-7255 has been publicly disclosed and exploited.

MS16-136

One of the more complex releases this month is the SQL Server update. The bulletin contains a table directing you to the correct update based on your running SQL Server version. Ensure that you double-check that you have the correct update, as there are four updates that apply to SQL Server 2012, four for SQL Server 2014, and two for SQL Server 2016. These vulnerabilities impact the SQL Server database engine, MDS API, SQL Analysis Services, and the SQL Server agent. This bulletin also represents the first time we’ve seen a bulletin numbered 136 and solidifies 2016 as the year with the most published Microsoft Security Bulletins.

MS16-137

Up next, we have the Windows Authentication Methods bulletin, which resolves vulnerabilities in the Windows NTLM password change cache, LSASS, and the Windows Virtual Secure Mode. Interestingly, the Windows 10 release only affects the release version of Windows 10 and not the 1511 or 1607 updates.

MS16-138

Multiple Windows Virtual Hard Disk Driver vulnerabilities are resolved by MS16-138, which could allow an attacker to manipulate files that they should not be able to access.

MS16-139

MS16-139 resolves a single Windows Kernel vulnerability that affects Windows Vista, 7, Server 2008, and Server 2008 R2.

MS16-140

This is one of the more interesting bulletins this month, with a firmware update to protect against a Windows Secure Boot bypass. It is interesting to note that this vulnerability is resolved by revoking boot policies in the firmware but those policies may vary depending on the platform. There are two levels of protection, ‘baseline’ and ‘enhanced’. Systems that only obtain baseline protection should consult their OEM to see if additional firmware updates are available.

MS16-141

The penultimate update this month is the Adobe Flash update. While normally the last update, the shifting of IE to the last bulletin has moved this one to second to last. This bulletin addresses the vulnerabilities resolved by APSB16-37.

MS16-142

The final bulletin this month resolves a number of Internet Explorer vulnerabilities including many of the same CVEs we saw referenced in our first bulletin, MS16-129. In addition to those fixes, a fix for the XSS Filter regular expression handler has been included.

Additional Details

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.