
Along with 14 patches, Microsoft introduced a new Security Update Guide web site as the new location for information on security vulnerabilities.

This month’s Patch Tuesday was also election day in the U.S., and I imagine for once IT pros are actually happy to see a big load of security updates released – it’s something to take our minds off the culmination of this contentious campaign season.

Along with the fourteen patches released today, the Microsoft Security Response Center (MSRC) team published a blog post that introduces the new Security Update Guide web site, which the company sees as the “new single destination for security vulnerability information.”

It’s in preview now, and the Microsoft Security Bulletin site is still operational, so if you’re one of many who don’t like change, you can still access the information in the traditional way – at least for a few months. After January 2017, the information about the security fixes will no longer be published to the Bulletins site; you’ll have to transition to the Update Guide.

The good news is that the new portal does give you far more flexibility. You can filter by release date, KB number, CVE identifier, or product. This is great for those who don’t want to waste time scrolling through information about software and services that they don’t have deployed or don’t use.

This month’s updates include six that are rated critical and eight classified as important. There are updates for both Microsoft web browsers, Adobe Flash, and various components of Windows, as well as one for SQL Server and one for Microsoft Office.

Let’s take a look at each of these updates in a little more detail.

MS16-129 (KB 3199057) This is the usual cumulative update for the Edge browser and applies to Edge on all iterations of Windows 10. It is rated critical for all.

The update addresses seventeen vulnerabilities, including multiple memory corruption issues, information disclosure, and a spoofing vulnerability. Twelve of these could be exploited to accomplish remote code execution.

The update fixes the problems by changing how Microsoft browsers handle objects in memory, changing how the XSS filter in Microsoft browsers handles RegEx, modifying how the Chakra JavaScript scripting engine handles objects in memory, and correcting how Microsoft Edge parses HTTP responses.

MS16-130 (KB 3199172) This is an update for all currently supported versions of the Windows client and server operating systems, including the server core installation. It is rated critical for all.

This update addresses three vulnerabilities: two elevation of privilege issues and one remote code execution vulnerability. The update fixes the problems by correcting how the Windows Input Method Editor (IME) loads DLLs and requiring hardened UNC paths be used in scheduled tasks.

MS16-131 (KB 3199151) This is an update for the Microsoft Video Control component in Windows Vista, 7, 8.1, RT 8.1 and 10. It is rated critical for all. It also affects Windows Server 2016 Preview 5.

The update addresses a single vulnerability in the way the Video Control component handles objects in memory, which can be exploited to accomplish remote code execution. The update fixes the problem by correcting how Microsoft Video Control handles objects in memory.

MS16-132 (KB 3199120) This is an update for the Graphic component in all currently supported versions of Windows client and server operating systems, including the server core installation. It is rated critical for all.

The update addresses four vulnerabilities: an OpenType font information disclosure issue (for which a workaround is provided in the security bulletin), two memory corruption vulnerabilities – one in Windows Animation Manager and one in Media Foundation – and an OpenType font remote code execution vulnerability, which also has a workaround. You can find instructions for the workarounds at https://technet.microsoft.com/en-us/library/security/ms16-132.aspx

The update fixes the problems by correcting how the ATMFD component, the Windows Animation Manager, and the Windows Media Foundation handle objects in memory.

MS16-141 (KB3202790) This is an update for Adobe Flash Player running on Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016. It does not include the server core installation, which doesn’t have a web browser installed by default. It is rated critical for all affected systems.

The update addresses nine vulnerabilities in the Flash Player software, which include type confusion vulnerabilities and use-after-free vulnerabilities, both of which can be exploited to accomplish code execution. The update fixes the problems by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

MS16-142 (KB3198467) This is the usual cumulative update for the Internet Explorer web browser. It is rated Critical for IE 9 and IE 11 on affected Windows clients, and rated Moderate for IE 9, IE 10 and IE 11 on affected Windows server operating systems.

The update addresses seven vulnerabilities, which include four memory corruption issues and three information disclosure vulnerabilities. The most severe of these could be exploited to accomplish remote code execution. The update fixes the problems by correcting how Internet Explorer modifies objects in memory and the way it uses the XSS filter to handle RegEx.

MS16-133 (KB 3199168) This is an update for Microsoft Office that applies to Office 2007, 2010, 2013, 2013 RT, and 2016, as well as Office for Mac 2011 and 2016, the Office Compatibility Pack, and the Excel and PowerPoint Viewers. Also affected are Excel Services and Word Automation Services on SharePoint 2010, Word Automation Services on SharePoint 2013, and Office Web Apps 2010 and 2013. It is rated important for all.

The update addresses twelve vulnerabilities, ten of which are memory corruption issues. The other two are information disclosure and denial of service vulnerabilities. The update fixes the problems by correcting how Microsoft Office initializes variables and how affected versions of Office and Office components handle objects in memory.

MS16-134 (KB3193706) This is an update for the Common Log File System Driver in all currently supported releases of Windows client and server operating systems, including the Server Core installation. It is rated important for all.

This update addresses ten vulnerabilities, all of which are elevation of privilege issues. The update fixes the problem by correcting how CLFS handles objects in memory.

MS16-135 (KB3199135) This is an update for the Windows Kernel-mode Drivers in all currently supported releases of Windows client and server operating systems, including the Server Core installation. It is rated important for all.

This update addresses five vulnerabilities, which include two information disclosure issues and three elevation of privilege vulnerabilities. The update fixes the problem by correcting how the Windows kernel-mode driver handles objects in memory.

MS16-136 (KB3199641) This is an update for all currently supported editions of Microsoft SQL Server 2012, 2014 and 2016. It is rated important for all.

The update addresses six vulnerabilities, which include three SQL RDBMS Engine Elevation of Privilege vulnerabilities, one MDS API XSS vulnerability, and one SQL Analysis Services information disclosure vulnerability, along with one SQL Server Agent elevation of privilege vulnerability. The most severe of these vulnerabilities could allow an attacker to gain elevated privileges that could be used to view, change, or delete data, or to create new accounts. The update fixes the most severe vulnerabilities by correcting how SQL Server handles pointer casting.

MS16-137 (KB3199173) This is an update for Windows Authentication Methods in all currently supported releases of Windows client and server operating systems, including the server core installation. It is rated important for all.

The update addresses three vulnerabilities, which include a Virtual Secure Mode Information Disclosure vulnerability, a Local Security Authority Subsystem Service Denial of Service vulnerability and a Windows NTLM Elevation of Privilege vulnerability.

The update fixes the problems by updating Windows NTLM to harden the password change cache, changing the way that LSASS handles specially crafted requests and correcting how Windows Virtual Secure Mode handles objects in memory.

MS16-138 (KB3199647) This is an update for the Microsoft Virtual Hard Disk Driver in Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016, including the server core installation. It is rated important for all.

The update addresses four vulnerabilities, all of which are elevation of privilege issues that an attacker could exploit to manipulate files in locations not intended to be available to the user. The update fixes the problem by correcting how the kernel API restricts access to these files.

MS16-139 (KB3199720) This is an update for the Windows kernel in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, including the server core installation. It is rated important for all.

The update addresses a single vulnerability in the way the kernel API enforces permissions, which an attacker could exploit to gain access to information that is not intended for the user, but the attacker would have to be able to locally authenticate. The update fixes the problem by helping to ensure the kernel API correctly enforces access controls.

MS16-140 (KB3193479) This is an update for the Boot Manager in Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016, including the server core installation. It is rated important for all.

The update addresses a single vulnerability that exists when Windows Secure Boot improperly loads an affected boot policy. An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device. The update fixes the problem by revoking affected boot policies in the firmware.

You can find the full summary of all these updates, with links to each security bulletin, at https://technet.microsoft.com/en-us/library/security/ms16-nov.aspx

If you don’t want to miss out on future information about important Microsoft vulnerabilities and patches, subscribe to our blog and receive regular news updates in your inbox.



GFI Blog

This Tuesday’s update addresses 49 vulnerabilities within 10 security bulletins, of which five are rated as critical, and four of them are zero-day flaws.

Following the start of the announced changes to the way patches are delivered on Patch Tuesday, which we covered in yesterday’s blog post, Microsoft has released the security bulletins for October 2016. Among the affected products are Edge, Internet Explorer, Office, Windows, Skype for Business, and of course Adobe Flash Player, and most of the critical updates are for Remote Code Execution issues.

MS16-118 (KB 3192887) This is a cumulative security update for Internet Explorer fixing issues which could allow remote code execution if a user views a specially crafted webpage using IE9, 10 or 11, granting the attacker the same user rights as the current user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The update addresses the vulnerabilities by correcting how Internet Explorer handles objects in memory and namespace boundaries.

MS16-119 (KB 3192890) This is a cumulative security update similar to the previous one, this time for the Edge browser, resolving remote code execution issues on Windows 10-based computers using Edge as the primary browser.

The patch modifies how Microsoft Edge and certain functions, like the Chakra JavaScript scripting engine, handle objects in memory, and restricts what information is returned to Microsoft Edge. It also changes the way Microsoft Browsers store credentials in memory and handle namespace boundaries, and corrects how Microsoft Edge Content Security Policy validates documents.

MS16-120 (KB 3192884) Yet another critical fix for remote code execution, this time for the Microsoft Graphics Component; it resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync.

This update is rated critical for all supported Windows versions, Office 2007 and 2010, Lync/Skype for Business 2010, 2013 and 2016, .NET Framework and Silverlight, and it addresses the vulnerabilities by correcting how the Windows font library handles embedded fonts.

Since it affects Windows operating systems from Vista SP2 and Server 2008 SP2 through Windows 10, including Windows RT 8.1, and covers seven vulnerabilities verified by CVE, this patch should not be taken lightly. Also, this is the only zero-day vulnerability in this batch for which exploits were already registered.

MS16-122 (KB 3195360) This update resolves a vulnerability that could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. Of course, if the user is logged on with administrative user rights, an attacker could take control of the affected system.

This security update is rated Critical for Windows Vista, 7, 8.1, RT 8.1, and Windows 10, and it fixes the vulnerability by correcting how Microsoft Video Control handles objects in memory.

MS16-127 (KB 3194343) And, as usual, this Patch Tuesday brought another update for Adobe Flash Player. It updates the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge, on all supported editions of Windows 8.1, RT 8.1, 10, and on Windows Server 2012 and 2012 R2.

The patch covers a set of 13 CVE vulnerabilities, described in Adobe Security Bulletin APSB16-32, and there are several known workarounds and mitigation actions for these issues. Apart from blocking Adobe Flash Player completely, of course.

MS16-121 (KB 3194063) This update resolves an Office RTF remote code execution vulnerability that exists when the Office software fails to properly handle RTF files. It affects Office 2007, 2010, 2013 (including the RT version), 2016, Office for Mac 2011 and 2016, and some other Office apps and services, such as SharePoint Server 2010 and 2013.

An attacker who would successfully exploit this memory corruption vulnerability could run arbitrary code as the current user, and the update fixes the issue by changing the way Microsoft Office apps handle RTF content.

MS16-123 (KB 3192892) This security update resolves several vulnerabilities in various editions of Microsoft Windows, from Vista to 10 and Server 2008 and 2012, where the more severe ones could allow an attacker to elevate privileges.

Microsoft has not identified any mitigating factors or workarounds for these five CVE vulnerabilities, and this security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.

MS16-124 (KB 3193227) Like the previous one, this update fixes a vulnerability that allows attackers to perform unauthorized privilege elevation and gain access to registry information, and corrects it by changing how the kernel API restricts access to this information.

It applies to variants of Microsoft operating systems from Windows Vista SP2 to Windows 10, and addresses four known CVE vulnerabilities, all marked as important.

MS16-125 (KB 3193229) This security update is rated Important for all supported editions of Windows 10, and resolves a vulnerability which could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

The security update addresses this vulnerability by correcting how the Windows Diagnostics Hub Standard Collector Service sanitizes input, to help preclude unintended elevated system privileges.

MS16-126 (KB 3196067) The last update in today’s batch is marked as Moderate, and addresses an information disclosure vulnerability that exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploits this vulnerability could test for the presence of files on disk, but for an attack to be successful the attacker must persuade a user to visit a malicious website.

The security update affects Windows Vista, 7, Server 2008 and 2008 R2, and is rated moderate on client and low on server operating systems. Also, note that you must install two updates to be protected from this vulnerability: this one, and the update in MS16-118.

You will find more details about all the updates listed above in the Security Bulletin Summary for October 2016.



GFI Blog

A daily summary of network and system security news from the SANS Internet Storm Center
Author:Johannes B. Ullrich, Ph.D.
Created: Tuesday, September 20th 2016
Length: 5:39 minutes


To subscribe, use one of the following URLs:
RSS feed: https://isc.sans.edu/dailypodcast.xml (any podcast player should support this in some way)


Show Notes

Taking Over Facebook Pages
http://arunsureshkumar.me/index.php/2016/09/16/facebook-page-takeover-zero-day-vulnerability/

Exchange Auto-Discovery Vulnerability
http://www.theregister.co.uk/2016/09/19/ms_exchange_alleged_bug/

Spyware Apps Targeting Travelers Removed From Google App Store
https://blog.lookout.com/blog/2016/09/16/embassy-spyware-google-play/

Firefox Will Patch HSTS Vulnerability
https://threatpost.com/mozilla-patching-firefox-certificate-pinning-vulnerability/120694/

OpenSSL Patch Pre-Announcement
https://mta.openssl.org/pipermail/openssl-announce/2016-September/000076.html



Information Security Podcasts

Here’s an overview of some of last week’s most interesting news and articles:

Five ways to respond to the ransomware threat
While organizations wrestle with the ever-pressing issue of whether to pay or not to pay if they’re victimized, Logicalis US suggests CXOs focus first on how to protect, thwart and recover from a potential attack.

MySQL 0-day could lead to total system compromise
Researcher Dawid Golunski has discovered multiple severe vulnerabilities affecting the popular open source database MySQL and its forks (e.g. MariaDB, Percona). One of these – CVE-2016-6662 – can be exploited by attackers to inject malicious settings into MySQL configuration files or create new ones, allowing them to execute arbitrary code with root privileges when the MySQL service is restarted.

Organizations must modify the network access policy to address IoT devices
By 2020, 21 billion Internet of Things (IoT) devices will be in use worldwide. Of these, close to 6 percent will be in use for industrial IoT applications.

US 911 emergency system can be crippled by a mobile botnet
What would it take for attackers to significantly disrupt the 911 emergency system across the US? According to researchers from Ben-Gurion University of the Negev’s Cyber-Security Research Center, as little as 200,000 compromised mobile phones located throughout the country.

Microsoft ends Tuesday patches
In the future, patches will be bundled together and users will no longer be able to pick and choose which updates to install.

Artificial intelligence in cybersecurity: Snake oil or salvation?
Machine learning is the science of enabling computers to learn and take action without being explicitly programmed. What has this to do with information security? Currently, not that much. But this is set to change.

DDoS and web application attacks keep escalating
Akamai Technologies released its Second Quarter, 2016 State of the Internet / Security Report, which highlights the cloud security landscape, specifically trends with DDoS and web application attacks, as well as malicious traffic from bots.

DDoS downtime calculator based on real-world information
Are you wondering how you can assess the risks associated with a DDoS attack? Incapsula’s free DDoS Downtime Calculator offers case-specific information adjusted to the realities of your organization.

ICS-CERT warns of remotely exploitable power meter flaws
Two remotely exploitable vulnerabilities, one of which can lead to remote code execution, have been found in Schneider Electric’s ION Power Meter products and FENIKS PRO Elnet Energy Meters.

Improve SecOps by making collaboration easier
Ensuring smooth collaboration and sharing between SOC analysts, incident responders, and endpoint and network administrators has its challenges.

Bogus Pokémon GO guide app roots Android devices
The popularity of Pokémon GO is apparently on the wane, but there are still more than enough players to make it a good lure for cyber crooks. In fact, fake apps like the “Guide For Pokémon Go New” recently spotted on Google Play can end up being downloaded by as many as half a million users.

What proposed Rule 41 changes mean for your privacy
Last week, US Senator Ron Wyden took the floor of the Senate to explain why his (and his colleagues’) Stopping Mass Hacking Act should be voted in.

Android apps based on Adobe AIR SDK send out unencrypted data
Developers using the Adobe AIR SDK should update to the latest version of the software development kit and rebuild the apps as soon as possible if they don’t want their users’ traffic being exposed to attackers.

Hack a Nexus from afar, get $200,000
Google has issued a challenge to bug hunters around the world: find a vulnerability or bug chain that achieves remote code execution on multiple Android devices knowing only the devices’ phone number and email address, and you’ll be handsomely rewarded.

Cyberattacks cost SMBs an average of $86,500
On average, a single cybersecurity incident now costs large businesses a total of $861,000. Meanwhile, SMBs pay an average of $86,500.

6.6 million ClixSense users exposed in wake of site, company hack
If you’ve ever registered with ClixSense – and millions have – you can consider all your personal information shared with the service compromised.

IoT Village uncovers 47 security vulnerabilities across 23 devices
New dangers in both home security and municipal power facilities were revealed as the results of the 2nd Annual IoT Village, held at DEF CON 24 in Las Vegas. More than 47 new vulnerabilities were discovered across 23 different devices from 21 brand name manufacturers.

Ransomware usage explodes, as app, browser and plug-in vulnerabilities increase
Bromium conducted research on cyber attacks and threats affecting enterprise security over the last six months. The good news is while the number of vulnerabilities is steadily increasing, not all exploitable vulnerabilities are actually exploited. The bad news is, criminals are working harder to get protected data.

Stingray use lacks transparency and meaningful oversight
Cell-site simulators – aka Stingrays, aka IMSI catchers – are widely used by US law enforcement, usually without the warrant that this type of surveillance should require.

PCI Council wants more robust security controls for payment devices
The PCI Council has updated its payment device standard to enable stronger protections for cardholder data, which includes the PIN and the cardholder data (on magnetic stripe or the chip of an EMV card) stored on the card or on a mobile device.

Consumers harassed by 30 million spam calls every day
Consumers are giving up twice as much sensitive data over the previous year.


Help Net Security

Security researcher Kafeine says one of this week's Microsoft patches addresses a vulnerability the company has known of since last year, and that it may only have pulled the patching trigger after a spate of banking trojan attacks.

The attacks utilised the low-level flaw (CVE-2016-3351) for cloaking purposes among an arsenal of exploits.

The earliest attacks using the since-defeated exploit date back to January 2014, and it was still in use as recently as July, when it was stopped by Kafeine and others.

The most recent of the malvertising campaigns, AdGholas, sent up to a million users every day to the local banking trojans.

The bug was first reported last year and only received a CVE from Microsoft in July when Proofpoint and Trend Micro collaborated on research into the AdGholas and GooNky groups.

Attackers deployed the dangerous Neutrino exploit kit before dropping Terdot.A when they detected UK victims, Gozi ISFB for Canadians, DELoader for Australians, and Gootkit for users browsing from Spain.

The commended Proofpoint malware prober says the low-level bugs fixed this week allowed the now dead Angler exploit kit gang, along with current actors AdGholas and GooNky, to reduce the likelihood their "massive, long running" malvertising campaigns would be detected.

Kafeine says it is an example of why patching small bugs is important.

"The bottom line? As much as possible, software vendors need to maintain comprehensive patching regimens, organisations and users must rethink patching prioritisations, and researchers need to look for new avenues to detect malicious activity," Kafeine says.

The flaw allowed attackers to obtain browser fingerprinting information which could help reveal if virtualised systems were used by potential targets.

Malvertising scams are known for profiling victim machines before deploying payloads in a bid to avoid white hats and extend the amount of time attack campaigns can operate undetected.

Kafeine says researchers found attacks using the flaw back in 2014 after "additional archeological work".

"Threat actors are increasingly exploiting non-critical bugs and low-level vulnerabilities that may remain unpatched for months or years at a time," Kafeine says.

"In this case, the AdGholas group used such a bug specifically to avoid detection by researcher and vendor automated systems and thus stay below the radar even while they conducted a massive, long-running malvertising operation."

The bank trojans were being dropped until Kafeine and fellow researchers reported the attacks to advertising networks whose infrastructure was being abused.



The Register - Security

The September 2016 Patch Tuesday release from Microsoft includes 14 bulletins in total, seven of which are rated critical, and six of those critical bulletins address browser security in various forms.

For September's Patch Tuesday release, experts said MS16-104 and MS16-105 are standard bulletins for Microsoft's Internet Explorer and Edge browsers, respectively, and should be prioritized because they include patches for remote code execution (RCE) vulnerabilities. But these bulletins do not stand alone because the web browser is a popular attack vector.

Amol Sarwate, director of Vulnerability Labs at Qualys, Inc., noted that MS16-106, for the Microsoft Graphics Component, MS16-109, for Silverlight, and MS16-116, for the VBScript Scripting Engine, each remediate critical RCE flaws that can be exploited by coercing a victim to visit a malicious website. Additionally, MS16-117 contains critical fixes for Adobe Flash libraries contained in Internet Explorer 10 and 11 and Microsoft Edge.

Lane Thames, security research and software development engineer at Tripwire, said enterprises should note MS16-116. "The catch here is that the vulnerability, identified by CVE-2016-3375, is not fully resolved until the Internet Explorer security updates in MS16-104 are applied." 

MS16-107 includes critical patches for Microsoft Office and SharePoint to resolve a total of 13 vulnerabilities.

Chris Goettl, product manager with Shavlik, said IT should note this bulletin includes "all versions of Office, Office Viewers, SharePoint versions including SharePoint 2007."

"You may see this show up on machines more than once depending on what products and viewers are on each system," Goettl said. "This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management."

The final critical bulletin for September's Patch Tuesday is MS16-108, which handles vulnerabilities in Microsoft Exchange Server; the most severe flaw could allow remote code execution in the Oracle Outside In libraries that are built into Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server.

However, Goettl said the risk of this vulnerability would be mitigated if an enterprise moved to the cloud.

"At this point, the number of enterprises running Microsoft Exchange on-premises is dwindling as many have moved to Office365.  If you are on Office365,  it's assumed that Microsoft has already rolled this patch out and you can ignore this patch," Goettl said. "If you are still running Exchange on premises, this update should be installed soon. However, after installation, it's worth moving your mail to the cloud."

Thames saw a trend regarding attack vectors and MS16-115, an update to Microsoft's PDF Library.

"PDF has long been a favorite for cyber attackers and criminals. A new trend to notice is Microsoft Windows' PDF library appearing more and more often as a common Patch Tuesday bulletin," Thames said. "Today, Microsoft is releasing MS16-115 as a security update for its PDF Library, which resolves two information disclosure vulnerabilities. This new trend can be seen by the following sequence of bulletins: MS16-012, MS16-068, MS16-080, MS16-102, MS16-105, and MS16-115. This is a collection of security bulletins introduced this year for various vulnerabilities related to PDF in Windows. Administrators should ensure that critical systems, such as servers or other machines that contain sensitive data, do not have these components installed if it is not needed."

Rounding out the rest of the September Patch Tuesday are important bulletins MS16-110 and MS16-114, which fix RCE flaws in Windows and SMBv1 Server; MS16-111 and MS16-112, which resolve elevation of privilege vulnerabilities in the Windows Kernel and Windows Lock Screen; and MS16-113, which handles an information disclosure issue in the Windows Secure Kernel.

Overall, Craig Young, cybersecurity researcher for Tripwire, said he noticed a positive trend in Microsoft's security bulletins.

"This month Microsoft has indicated that there are only nine vulnerabilities rated as 'exploitation likely' which can result in code execution with all but two of these CVEs existing within browser code. As a point of comparison, there has been a general gradual decline in the number of easily exploited Microsoft bugs over time and even just looking at the past three months, the bulletins averaged having twice as many easily exploited vulnerabilities," Young said. "This trend is even more interesting if we look back at the September 2015 bulletin when there were roughly three times as many vulnerabilities with the 'exploitation likely' rating."



SearchSecurity: Security Wire Daily News

It’s September and business for sysadmins is back to normal, so we got a brand new batch of seven critical and seven important updates.

Am I the only one who’s amazed that September has rolled back around already? For me, it means I get to celebrate (or lament) getting another year older. For others, it means the end of summer, the beginning of the school year, cooler weather (a welcome relief here in Texas), falling leaves, and the start of preparations for the impending holiday season.

For IT pros, it means business as usual. Rain or shine, hot or cold, work day or weekend, in sickness and in health, our users keep on using and our servers have to keep on serving. To keep them up and running and safe from attack and infiltration, updates are inevitable and never-ending.

This month, Microsoft ushers in the season with fourteen patches for Windows, Edge, IE, Office, Exchange and Adobe Flash Player. Seven are critical; the other half are rated important. The usual suspects make their appearances: memory corruption/remote code execution vulnerabilities, elevation of privilege issues, security feature bypasses, and information disclosure issues.

Let’s take a look at each of these updates in a little more detail, and you can find the full summary with links to each security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-sep.aspx

MS16-104 (KB 3183038) This is the usual monthly cumulative update for Internet Explorer that applies to IE 9, 10 and 11 (all supported versions) on all supported versions of Windows. It is rated critical for client operating systems and moderate for servers, and of course doesn’t apply to server core installations that don’t run a web browser.

The update addresses ten separate vulnerabilities, which include memory corruption, elevation of privilege and information disclosure issues as well as a security feature bypass. The most serious of these can be exploited to accomplish remote code execution. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way Internet Explorer and certain functions handle objects in memory, zone and integrity settings, cross-origin settings and URL files.

MS16-105 (KB 3183043) This is the usual monthly cumulative update for the Edge web browser that applies to Windows 10, and it is rated critical.

The update addresses twelve separate vulnerabilities, which include memory corruption and information disclosure issues. The most serious of these can be exploited to accomplish remote code execution. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way both Edge itself and the Chakra JavaScript scripting engine handle objects in memory, correcting how Edge handles cross-origin requests, and ensuring that Edge properly implements ASLR and properly validates page content.

MS16-106 (KB 3185848) This is an update for the Microsoft Graphics Component in Windows. It affects all supported versions of Windows client and server, including the server core installation. It is rated critical for Windows 10 version 1607, and important for all other versions of Windows.

The update addresses five vulnerabilities: three elevation of privilege issues, one information disclosure issue, and, the most serious, a remote code execution vulnerability, all stemming from the way the Windows Graphics Device Interface (GDI) works. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way some of the Windows kernel-mode drivers and the GDI handle objects in memory, and by preventing unintended user-mode elevation of privilege.

MS16-107 (KB 3185852) This is an update for Microsoft Office. It applies to the Office suite and the individual Excel, Outlook and PowerPoint applications in Office 2007, 2010, 2013, 2013 RT, and 2016, and Visio 2016, as well as Office for Mac 2011 and 2016, the Office Compatibility Pack, and the Excel, PowerPoint and Word Viewers. It is rated critical.

The update addresses a total of thirteen vulnerabilities, which include an APP-V ASLR bypass, an information disclosure issue, a spoofing vulnerability and ten memory corruption vulnerabilities. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way Office saves documents, how it handles objects in memory, the way Outlook determines the end of MIME messages, and how Click-to-Run components handle memory addresses.

MS16-108 (KB 3185883) This is an update for Microsoft Exchange Server. It applies to Exchange 2007, 2010, 2013 and 2016, and is rated critical for all.

The update addresses three vulnerabilities in Exchange, which include an information disclosure issue, an open redirect vulnerability and an elevation of privilege issue. The update also addresses eighteen vulnerabilities in the Oracle libraries that include remote code execution, information disclosure and denial of service issues. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way Exchange OWA validates web requests and by helping ensure that OWA properly sanitizes user input and email content.

MS16-116 (KB 3188724) This is an update for OLE Automation and the VBScripting engine in Windows. It applies to all supported versions of Windows client and server operating systems, including the server core installations. It is rated critical on client computers and moderate on servers.

The update addresses a single memory corruption vulnerability that could allow an attacker to execute arbitrary code in the context of the current user. There are no published mitigations or workarounds for this vulnerability.

The update fixes the problem by changing the way the OLE automation mechanism in Windows and the VBScripting engine in IE handle objects in memory.

MS16-117 (KB 3188128) This is an update for the Adobe Flash Player on Windows. It applies to Windows 8.1/RT 8.1, Windows 10, and Server 2012/2012 R2. It is rated critical for all.

This update addresses twenty-six separate vulnerabilities in Flash Player that can be exploited through Internet Explorer, by embedding an ActiveX control in an Office document or application, or by uploading malicious content to a web site that hosts user-provided content or advertising.

The good news is that there are both mitigations and workarounds, for those who are unable to install the update. These are published in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-117.aspx

MS16-109 (KB 3182373) This is an update for Silverlight and applies to version 5 (including Silverlight 5 Developer Runtime) installed on Windows or Mac computers. This includes all supported versions of Windows. It is rated important for all operating systems.

The update addresses a single memory corruption vulnerability in Silverlight, which could be exploited to accomplish remote code execution. There are no published mitigations or workarounds for this vulnerability.

The update fixes the problem by correcting how Microsoft Silverlight allocates memory for inserting and appending strings in StringBuilder.

MS16-110 (KB 3178467) This is an update for all currently supported versions of the Windows client and server operating system, including the server core installations. It is rated important for all.

The update addresses four separate vulnerabilities, which include an elevation of privilege issue, an information disclosure issue, a denial of service and a remote code execution vulnerability. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by correcting how Windows enforces permissions, preventing NT LAN Manager (NTLM) Single Sign-On (SSO) authentication to non-private SMB resources when users are signed in to Windows via a Microsoft Account (https://www.microsoft.com/account) and connected to a “Guest or public networks” firewall profile, and correcting how Windows handles objects in memory.

MS16-111 (KB 3186973) This is an update for the Windows kernel. It applies to all supported versions of the Windows client and server operating system, including the server core installations. It is rated important for all.

The update addresses five elevation of privilege issues that are due to the way Windows handles session objects, in that a locally authenticated user could hijack the session of another user. To exploit the vulnerabilities, the attacker would have to be able to log on locally with valid credentials. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing how Windows handles session objects, and by correcting how the Windows Kernel API enforces user permissions and restricts access to user information.

MS16-112 (KB 3178469) This is an update for the Windows Lock Screen in Windows 8.1, RT 8.1, Windows 10, and Server 2012 R2 (including the server core installations). It is rated important for all.

The update addresses a single vulnerability that occurs when Windows improperly allows web content to be loaded from the lock screen. This could be exploited to achieve elevation of privilege, but the attacker would have to have physical access to the computer. There are no published mitigations or workarounds for this vulnerability.

The update fixes the problem by changing the behavior of the Windows lock screen to prevent unintended web content from loading.

MS16-113 (KB 3185876) This is an update for Windows Secure Kernel Mode in Windows 10 and Windows 10 v1511, both the 32- and 64-bit editions. It is rated important.

The update addresses a single information disclosure vulnerability that happens when Secure Kernel Mode improperly handles objects in memory. The attacker would have to be authenticated locally in order to exploit this vulnerability. There are no published mitigations or workarounds for this vulnerability.

The update fixes the problem by changing the way Windows handles objects in memory.

MS16-114 (KB 3185879) This is an update to the SMBv1 server component in Windows client and server operating systems. It applies to all versions, including the server core installation, but affects different versions in different ways. It is rated important for all.

The update addresses a single vulnerability in SMBv1. Later versions of the SMB server are not affected. In Windows Vista, 7, and Server 2008 and 2008 R2, the vulnerability could allow remote code execution. In later versions of Windows, the impact would be limited to a denial of service. There are both mitigating factors and workarounds published in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-114.aspx

The update addresses the problem by changing the way the SMBv1 server handles specially crafted requests.

MS16-115 (KB 3188733) This is an update to the Windows PDF library. It applies to Windows 8.1/RT 8.1, Windows 10, and Windows Server 2012 and 2012 R2. It is rated important.

The update addresses a pair of information disclosure vulnerabilities in the PDF library that are due to the way the component handles objects in memory. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problem by changing the way certain functions handle objects in memory.


GFI Blog

Threatpost | The first stop for security news

A daily summary of network and system security news from the SANS Internet Storm Center
Author:Johannes B. Ullrich, Ph.D.
Created: Monday, August 15th 2016
Length: 6:20 minutes


To subscribe, use one of the following URLs:
RSS feed: https://isc.sans.edu/dailypodcast.xml (any podcast player should support this in some way)

Keywords: Security Network Technology Windows Linux Apple iOS Android Firewall

Show Notes

Starting October 2016, Microsoft Will Use Monthly Rollup Updates for Win 7/8.1
https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

Updated Group Policies To Block Macros in Office 2013
https://isc.sans.edu/forums/diary/MS+Office+2013+New+Macro+Controls+Sorta/21371/

Bypassing Application Whitelisting using WinDbg
http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html

Bypassing UAC without writing to disk
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/



Information Security Podcasts

It’s been a long, hot summer, and on the security update front, after a couple of months of heavy patch Tuesdays (sixteen each for June and July), we get a little bit of relief this time: Microsoft released only nine patches for August Patch Tuesday. If you’re lucky and all goes well with the installation, perhaps that will mean a little more time for IT pros to relax by the pool this week.

We hit a milestone of sorts this month, with the 100th security update for this year. This time we got the usual cumulative updates for the Internet Explorer and Edge browsers, two updates for Office, and the rest are for Windows. Five of the nine are rated as critical, and all five are remote code execution vulnerability issues, so they should receive the needed care and attention in order to prevent any attacks on your infrastructure.

Let’s take a look at these updates in a little more detail, and you can find the full summary with links to each security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-aug

Critical Updates

MS16-095 (KB 3177356) This is the usual monthly cumulative update for Internet Explorer that applies to IE 9, 10 and 11 (all supported versions) on all supported versions of Windows. It is rated critical for client operating systems and moderate for servers, and of course doesn’t apply to server core installations that don’t run a web browser.

The update addresses nine separate vulnerabilities, which include memory corruption and information disclosure issues. The most serious of these can be exploited to accomplish remote code execution. There are no published mitigations or workarounds for these vulnerabilities. The update fixes the problems by changing the way Internet Explorer and certain functions handle objects in memory.

MS16-096 (KB 3177358) This is the usual monthly cumulative update for the Edge web browser that applies to Windows 10. It is rated critical.

The update addresses eight separate vulnerabilities, which include memory corruption and information disclosure issues, and the most serious of these can be exploited to accomplish remote code execution. There is a workaround for one of the vulnerabilities, which requires you to edit the registry, and the instructions are published in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-096.aspx

The update fixes the problems by changing the way both Edge itself and the Chakra JavaScript scripting engine handle objects in memory.

MS16-097 (KB 3177393) This is an update for the Microsoft Graphics component in Windows, Office, Skype for Business, and Lync. It applies to all supported versions of Windows, both client and server, including the server core installation and Windows Server 2016 Technical Preview 5. It also affects Office 2007 and 2010, and S4B 2016, and Lync 2010 and 2013. It is rated critical for all.

The update addresses three remote code execution vulnerabilities that occur when the Windows font library improperly handles specially crafted embedded fonts. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way the Windows font library handles embedded fonts. Note that there are prerequisites affecting some of the impacted software; see the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-097.aspx

MS16-099 (KB 3177451) This is an update for Microsoft Office that affects Office 2007, 2010, 2013 and 2013 RT, and 2016, as well as Office for Mac 2011 and 2016 and the Word Viewer. It is rated critical on Office for Windows and Important on Office for Mac and Word Viewer.

The update addresses five vulnerabilities, one of which is a OneNote information disclosure issue and the rest are memory corruption vulnerabilities, some of which can be exploited to accomplish remote code execution. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way affected versions of Office and Office components handle objects in memory.

MS16-102 (KB 3182248) This is an update for the Windows PDF library that applies to Windows 8.1 and 10 client operating systems, Windows RT 8.1, and Windows Server 2012 and 2012 R2. It is rated critical for all.

The update addresses a single vulnerability that occurs when the PDF library improperly handles objects in memory. This could be exploited to accomplish remote code execution. Only Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website. The browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have to convince users to view attacker-controlled PDF content.

There is a workaround for Windows 10 that involves editing the registry. Instructions are published in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-102.aspx

The update fixes the problem by changing the way the affected systems handle objects in memory.

Important Updates

MS16-098 (KB 3178466) This is an update for the Windows kernel-mode drivers that applies to all supported versions of Windows, both client and server, and including the server core installation and Windows Server 2016 Technical Preview 5. It is rated Important for all.

The update addresses four Win32k elevation of privilege vulnerabilities that occur when the Windows kernel-mode driver fails to properly handle objects in memory. The attacker would have to be able to log onto the system. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way the Windows kernel-mode driver handles objects in memory.

MS16-100 (KB 3179577) This is an update for the Secure Boot feature in Windows 8.1 and 10 client operating systems, Windows RT 8.1, and Server 2012 and 2012 R2. It is rated important for all.

The update addresses a single vulnerability that allows a bypass of the security feature when Secure Boot improperly loads a boot manager that is affected by the vulnerability. Exploitation requires the attacker to have administrative privileges and/or physical access to the device. There is a workaround that involves configuring BitLocker to use a Trusted Platform Module (TPM) + PIN; the instructions are published in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-100.aspx

The update fixes the problem by blacklisting affected boot managers.

MS16-101 (KB 3178465) This is an update for Windows authentication methods that affects all supported versions of Microsoft Windows, both client and server, and including the server core installation and Windows Server 2016 Technical Preview 5. It is rated important for all.

The update addresses a pair of elevation of privilege vulnerabilities, one of which pertains to the Netlogon service and the other to Kerberos. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way Windows authentication methods handle the establishment of secure channels.

MS16-103 (KB 3182332) This is an update for the ActiveSyncProvider component of Windows. It affects only Windows 10 and the Windows Server 2016 Technical Preview 5. It is rated important.

The update addresses a single information disclosure vulnerability that occurs when Universal Outlook fails to establish a secure connection. It could be exploited to obtain a user’s logon credentials. There are no published mitigations or workarounds for this vulnerability. Universal Outlook is the universal app version of Microsoft Outlook for PCs, tablets and phones.

The update fixes the problem by preventing Universal Outlook from disclosing usernames and passwords.
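The September and August bulletin lists above are easiest to act on as a checklist. The following PowerShell, added here as an example and not part of either GFI post, takes the per-bulletin KB numbers from the two posts and reports which of them are registered on the local machine. It assumes only the built-in Get-HotFix cmdlet; it covers the Windows updates only, because Office (MS16-099, MS16-107), Exchange (MS16-108) and Silverlight (MS16-109) updates are not recorded in the hotfix inventory that Get-HotFix reads.

```powershell
# Added example (not from the GFI posts): report which per-bulletin KBs from the
# August and September 2016 Patch Tuesdays are registered on this machine.
#
# Caveats a practitioner should keep in mind:
#  - Get-HotFix reads Win32_QuickFixEngineering, so only Windows updates show up;
#    Office, Exchange and Silverlight patches must be checked through their own
#    update mechanisms and are deliberately left out of the table.
#  - On Windows 10 the monthly cumulative update is delivered under a single KB
#    of its own, so a fully patched Windows 10 host may still show several of the
#    per-bulletin KBs below as absent. Compare against the KB listed for your
#    build in the bulletin before raising a ticket.

$bulletins = @(
    # August 2016 (MS16-aug), Windows-delivered updates only
    [pscustomobject]@{ Month = '2016-08'; Bulletin = 'MS16-095'; KB = 'KB3177356'; Component = 'Internet Explorer cumulative' }
    [pscustomobject]@{ Month = '2016-08'; Bulletin = 'MS16-096'; KB = 'KB3177358'; Component = 'Edge cumulative' }
    [pscustomobject]@{ Month = '2016-08'; Bulletin = 'MS16-097'; KB = 'KB3177393'; Component = 'Graphics component (font library)' }
    [pscustomobject]@{ Month = '2016-08'; Bulletin = 'MS16-098'; KB = 'KB3178466'; Component = 'Kernel-mode drivers (Win32k)' }
    [pscustomobject]@{ Month = '2016-08'; Bulletin = 'MS16-100'; KB = 'KB3179577'; Component = 'Secure Boot' }
    [pscustomobject]@{ Month = '2016-08'; Bulletin = 'MS16-101'; KB = 'KB3178465'; Component = 'Authentication (Netlogon/Kerberos)' }
    [pscustomobject]@{ Month = '2016-08'; Bulletin = 'MS16-102'; KB = 'KB3182248'; Component = 'Windows PDF library' }
    [pscustomobject]@{ Month = '2016-08'; Bulletin = 'MS16-103'; KB = 'KB3182332'; Component = 'ActiveSyncProvider' }
    # September 2016 (MS16-sep), Windows-delivered updates only
    [pscustomobject]@{ Month = '2016-09'; Bulletin = 'MS16-104'; KB = 'KB3183038'; Component = 'Internet Explorer cumulative' }
    [pscustomobject]@{ Month = '2016-09'; Bulletin = 'MS16-105'; KB = 'KB3183043'; Component = 'Edge cumulative' }
    [pscustomobject]@{ Month = '2016-09'; Bulletin = 'MS16-106'; KB = 'KB3185848'; Component = 'Graphics component (GDI)' }
    [pscustomobject]@{ Month = '2016-09'; Bulletin = 'MS16-110'; KB = 'KB3178467'; Component = 'Windows (NTLM SSO / permissions)' }
    [pscustomobject]@{ Month = '2016-09'; Bulletin = 'MS16-111'; KB = 'KB3186973'; Component = 'Windows kernel (session objects)' }
    [pscustomobject]@{ Month = '2016-09'; Bulletin = 'MS16-112'; KB = 'KB3178469'; Component = 'Lock screen' }
    [pscustomobject]@{ Month = '2016-09'; Bulletin = 'MS16-113'; KB = 'KB3185876'; Component = 'Secure Kernel Mode' }
    [pscustomobject]@{ Month = '2016-09'; Bulletin = 'MS16-114'; KB = 'KB3185879'; Component = 'SMBv1 server' }
    [pscustomobject]@{ Month = '2016-09'; Bulletin = 'MS16-115'; KB = 'KB3188733'; Component = 'Windows PDF library' }
    [pscustomobject]@{ Month = '2016-09'; Bulletin = 'MS16-116'; KB = 'KB3188724'; Component = 'OLE Automation / VBScript' }
    [pscustomobject]@{ Month = '2016-09'; Bulletin = 'MS16-117'; KB = 'KB3188128'; Component = 'Adobe Flash Player' }
)

# Snapshot the installed hotfix IDs once rather than querying per bulletin.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

# Add an Installed column by looking each KB up in the snapshot.
$report = @($bulletins | Select-Object Month, Bulletin, KB, Component,
    @{ Name = 'Installed'; Expression = { $installed -contains $_.KB } })

$report | Sort-Object Month, Bulletin | Format-Table -AutoSize

# Surface the gaps as a warning so the script can feed an inventory or
# ticketing process instead of relying on someone reading the table.
$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    $missingKbs = ($missing | ForEach-Object { $_.KB }) -join ', '
    Write-Warning ("{0} of {1} bulletin KBs are not registered on {2}: {3}" -f
        $missing.Count, $report.Count, $env:COMPUTERNAME, $missingKbs)
}
```

Run it in an elevated PowerShell session on the host you want to audit; for a fleet, wrap the body in Invoke-Command against your server list and collect the $report objects rather than the formatted table, since Format-Table output is not meant to be parsed.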


GFI Blog