Skip to content ↓ | Skip to navigation ↓

Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-689 on Wednesday, September 14th.

Ease of Use (published exploits) to Risk Table

Automated Exploit
Easy
Moderate
Difficult
Extremely Difficult
No Known Exploit
MS16-113
MS16-115
MS16-104
MS16-105
MS16-107
MS16-111
MS16-112
MS16-114
MS16-116
MS16-117
MS16-108
MS16-106
MS16-110
Exposure
Local
Availability
Local
Access
Remote
Availability
Remote
Access
Local
Privileged
Remote
Privileged

 

MS16-104 Cumulative Security Update for Internet Explorer KB3183038
MS16-105 Cumulative Security Update for Microsoft Edge KB3183043
MS16-106 Security Update for Microsoft Graphics Component KB3185848
MS16-107 Security Update for Microsoft Office KB3185852
MS16-108 Security Update for Microsoft Exchange Server KB3185883
MS16-109 Security Update for Silverlight KB3182373
MS16-110 Security Update for Microsoft Windows KB3178467
MS16-111 Security Update for Windows Kernel KB3186973
MS16-112 Security Update for Windows Lock Screen KB3178469
MS16-113 Security Update for Windows Secure Kernel Mode KB3185876
MS16-114 Security Update for Windows SMBv1 Server KB3185879
MS16-115 Security Update for Microsoft Windows PDF Library KB3188733
MS16-116 Security Update in OLE Automation for VBScript Scripting Engine KB3188724
MS16-117 Security Update for Adobe Flash Player KB3188128

 

MS16-104

This month’s Patch Tuesday starts like most others, with an Internet Explorer update which addresses issues related to IE’s handling of zone and integrity settings, cross-origin content, objects in memory, and .URL files. Keep in mind this month that CVE-2016-3375 is not fully resolved until both IE update 3185319 and OLE Automation update 3184122 (MS16-116).  Additionally, it’s good to offer a reminder that at the start of the year, Microsoft declared a number of IE products end-of-life. If you’re still running one of these EOL browsers, do not take this bulletin to mean you aren’t vulnerable. Microsoft only lists supported software in the affected software list.

CVE-2016-3351 has been exploited.

MS16-105

As is often the case, this month’s Microsoft Edge bulletin shares quite a bit of overlap with the Internet Explorer bulletin. Additionally, vulnerabilities in the Chakra JavaScript engine and an ASLR bypass are resolved with this update.

MS16-106

This bulletin resolves a variety of vulnerabilities affecting Win32k and GDI including code execution, privilege escalation, and information disclosure. One of the more interesting takeaways from this bulletin is that the critical code execution vulnerability only affects the latest release of Windows 10 (build 1607).

MS16-107

This month’s Microsoft Office update addresses a massive list of affected software covering both Microsoft Office suites and standalone products, various Office Viewers, SharePoint, Office Web Apps, and Office Online Server. One of the more interesting vulnerabilities in this bulletin is CVE-2016-3366, which addresses a vulnerability in Microsoft Outlook. Specifically, Microsoft Outlook does not adhere to RFC2046, MIME Part Two: Media Types, which may lead to mail bypassing antivirus and antispam solutions.

MS16-108

In addition to the three Microsoft Exchange specific vulnerabilities addressed by this bulletin, 18 CVEs from the Oracle July 2016 CPU related to the Oracle Outside In libraries are addressed.

MS16-109

Up next, we have a single vulnerability in Microsoft Silverlight, which was resolved by changing how Silverlight allocates memory when inserting and appending strings in StringBuilder.

MS16-110

MS16-110 resolves a number of Windows specific vulnerabilities, the most interesting of which is CVE-2016-3352. This information disclosure vulnerability could allow Windows account credentials to be leaked as NTLM password hashes by forcing a user to visit a malicious website or SMB server. The patch changes the situations in which NTLM SSO authentication can be sent to non-private services.

CVE-2016-3352 has been publicly disclosed.

MS16-111

This bulletin resolves a number of privilege escalation vulnerabilities in the Windows kernel.

MS16-112

This bulletin resolves a single privilege escalation in the Windows Lock Screen. In order to exploit this vulnerability, an attacker must have physical access to the computer and must connect to malicious hotspot.

MS16-113

MS16-113 resolves a single Windows Secure Kernel Mode information disclosure vulnerability that only affects Windows 10.

MS16-114

One of the more interesting vulnerabilities this month, MS16-114 describes a single vulnerability that could lead to code execution against servers running SMBv1. An attacker must be able to authenticate to the host and open files in order to successful explain the system. In addition to the patch, Microsoft has released steps on turning off SMBv1 for systems that cannot be immediately patched.

MS16-115

This bulletin resolves two information disclosure vulnerabilities in the Microsoft PDF Library, which has been showing up quite regularly since its release. If the two CVEs mentioned here look familiar, it’s because they were also referenced in the Microsoft Edge bulletin (MS16-105).

MS16-116

The penultimate update this month addresses a single vulnerability that exists in the interaction between the OLE Automation mechanism and the VB Script Scripting engine in IE. This is the same vulnerability found in MS16-104 and both updates must be installed to fully remediate the vulnerability.

MS16-117

The final bulletin this month is the Adobe Flash Player bulletin, which echoes the vulnerabilities found in APSB16-29. Remember that you may need to install both the Microsoft and Adobe updates, depending on the software installed on your system.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.