Microsoft recently released the patches for August 2016. The details are available at http://technet.microsoft.com/en-us/security/bulletin/ms16-aug
Takeaways –
No zero-day vulnerabilities (vulnerabilities that are actively being exploited) are currently known for any of the products being patched in August 2016.
The five bulletins MS16-095 through MS16-097, MS16-099 and MS16-103 are classified as CRITICAL because the vulnerabilities they address could allow remote code execution if successfully exploited.
Remote code execution exploits are commonly delivered via drive-by (web page) exploits or email attachments to compromise workstation operating systems. In the case of Windows or Office vulnerabilities, remote code execution is possible via specially crafted files or media content. The majority of the remote code execution vulnerabilities are exploitable via memory corruption. The other vulnerability classes addressed this month are Elevation of Privilege, Security Feature Bypass, Denial of Service and Information Disclosure.
The August bulletins are identified as MS16-095 through MS16-103.
CRITICAL patches for August
The CRITICAL vulnerabilities apply to Windows, Internet Explorer (all versions) and Edge (Windows 10 browser), Office, and Office Services and Web apps, Microsoft Communication Platforms and Software and could allow remote code execution if successfully exploited.
MS16-095 – Internet Explorer – Remote Code Execution/Information Disclosure – CRITICAL – Patch after testing
Bulletin MS16-095 includes nine patches, five of which are for CRITICAL memory corruption/remote code execution vulnerabilities. The remaining vulnerabilities for August are Information Disclosure conditions in Windows Explorer. On server operating systems the vulnerabilities are classified as MODERATE (for remote code execution) and LOW (for Information Disclosure). As of this time, none of the code vulnerabilities have been disclosed publicly nor has exploit code been identified.
MS16-096 – Edge Browser for Windows 10 – Remote Code Execution/Information Disclosure and Security Feature Bypass – CRITICAL – Patch after testing
Bulletin MS16-096 includes patches for a total of eight vulnerabilities in the Edge Browser for Windows 10, four of which are CRITICAL browser or scripting engine memory corruption/remote code execution vulnerabilities. The remaining vulnerabilities are Information Disclosure conditions in Windows 10 Edge. As of this time, none of the code vulnerabilities have been disclosed publicly nor has exploit code been identified.
MS16-097 – Windows, Office and Microsoft Communications Platforms and Software (including Skype for Business and Lync) – Microsoft Graphics Component – Remote Code Execution – CRITICAL
Bulletin MS16-097 includes patches for three remote code execution vulnerabilities for the Graphics Component (GDI) of all current versions of the following Microsoft products: Windows, Office, Office Communications Platforms and Software (includes Skype for Business 2016, Lync 2010 and 2013 and Microsoft Live Meeting Console). The patches are classified as CRITICAL even for Server Core Only installations. However, it should be noted that for Windows 8.1, RT 8.1, Windows 10 and Windows Server 2012 (base and R2), only one of the CRITICAL vulnerabilities applies (specifically – CVE-2016-3301).
As of this time, the vulnerabilities have not been exposed publicly nor has exploit code been identified.
MS16-098 – Windows – Kernel Mode Drivers – Elevation of Privilege – IMPORTANT
Bulletin MS16-098 resolves four IMPORTANT privilege escalation vulnerabilities in the Windows Kernel Mode Drivers of all current Windows Workstation and Windows Server versions (including server core only installations). The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that exploits the vulnerabilities to take control of the system.
Multiple elevation of privilege vulnerabilities exist when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit these vulnerabilities, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.
As of this time, the vulnerabilities have not been exposed publicly nor has exploit code been identified.
MS16-099 – Windows Office and Office Services/Web Apps – Remote Code Execution – One CRITICAL – four IMPORTANT
Bulletin MS16-099 resolves four memory corruption/remote code execution vulnerabilities (only one of which is classified as CRITICAL), and one IMPORTANT information disclosure vulnerability in all currently supported Microsoft Office and Office Services and Web Apps products.
The one CRITICAL vulnerability only applies to Word on Office 2013 (32 and 64 bit), Word 2013 RT and Word on Office 2016 (32 and 64 bit).
As of this time, the vulnerabilities have not been exposed publicly nor has exploit code been identified.
MS16-100 – Windows Secure Boot – Windows 8.1, Windows 10 and Server 2012 (including Server core only installs) – Security Feature Bypass – IMPORTANT
Bulletin MS16-100 resolves one Security Feature Bypass vulnerability in the following Windows operating systems (including server core only installations): Windows 8.1, Windows RT 8.1, Windows 10 and Windows Server 2012 (base and R2). The security feature bypass vulnerability exists when Windows Secure Kernel Mode improperly handles a boot manager that is affected by the vulnerability. An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device. Furthermore, the attacker could bypass Secure Boot Integrity Validation for the BitLocker and Device Encryption security features.
To exploit the vulnerability, an attacker who has gained administrative privileges or who has physical access to a target device could install an affected boot manager. The security update addresses the vulnerability by blacklisting affected boot managers.
As of this time, the vulnerabilities have not been exposed publicly nor has exploit code been identified.
MS16-101 – Windows Authentication methods – Elevation of Privilege/Information Disclosure Vulnerability – IMPORTANT
Bulletin MS16-101 resolves two elevation of privilege vulnerabilities in all currently supported Windows Workstations and Server versions (including server core only installations).
The first condition exists when Windows Netlogon improperly establishes a secure communications channel to a domain controller. An attacker who successfully exploited the vulnerability could run a specially crafted application on a domain-joined system. To exploit the vulnerability, an attacker would require access to a domain-joined machine that points to a domain controller running either Windows Server 2012 or Windows Server 2012 R2. The update addresses the vulnerability by modifying how Netlogon handles the establishment of secure channels.
The second condition exists when Kerberos improperly handles a password change request and falls back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol.
An attacker who successfully exploited this vulnerability could use it to bypass Kerberos authentication. To exploit this vulnerability, an attacker would have to be able to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine. The update addresses this vulnerability by preventing Kerberos from falling back to NTLM as the default authentication protocol during a domain account password change.
As of this time, the vulnerabilities have not been exposed publicly nor has exploit code been identified.
MS16-102 – Windows PDF library – Remote Code Execution – CRITICAL
Bulletin MS16-102 resolves one Remote Code Execution vulnerability in the PDF library of the following Windows Workstation and Server products: Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012 and 2012 R2, and server core installs of 2012 R2. The vulnerability allows remote code execution when the Microsoft Windows PDF Library improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
As of this time, the vulnerabilities have not been exposed publicly nor has exploit code been identified.
MS16-103 – Windows 10 – ActiveSyncProvider – Information Disclosure – IMPORTANT
Bulletin MS16-103 resolves a single Information Disclosure vulnerability in Windows 10. An information disclosure vulnerability exists when Universal Outlook fails to establish a secure connection. An attacker could use this vulnerability to obtain the username and password of a user. The update addresses the vulnerability by preventing Universal Outlook from disclosing usernames and passwords.
As of this time, the vulnerabilities have not been exposed publicly nor has exploit code been identified.
AgriLife ISO Recommendation
Patches released on August 9 should be installed on IT resources running either Windows Server or Windows workstation operating systems as soon as possible after appropriate testing.
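A practical way to confirm the recommendation above has been carried out is to check each host for the KB articles shipped with these bulletins. The PowerShell below is an added example, not part of the AgriLife ISO bulletin or any Microsoft tooling; the KB numbers in it are placeholders (the bulletin pages list the real KB IDs per OS version) and the function name Test-RequiredHotFix is an assumption.

```powershell
# Added example: verify that a Windows host has a required set of updates installed.
# The KB IDs below are PLACEHOLDERS. Replace them with the KB article numbers listed
# for your OS version in the MS16-095 .. MS16-103 bulletins.
$RequiredKBs = @(
    'KB0000001',  # placeholder: MS16-095/MS16-096 cumulative browser update
    'KB0000002',  # placeholder: MS16-097 graphics component update
    'KB0000003'   # placeholder: MS16-098 kernel-mode driver update
)

function Test-RequiredHotFix {
    param(
        [Parameter(Mandatory)] [string[]] $KBList,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # Get-HotFix returns the updates recorded by Windows Update / WUSA on the target.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID

    foreach ($kb in $KBList) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            HotFixID     = $kb
            Installed    = ($installed -contains $kb)
        }
    }
}

# Run against the local machine and fail (non-zero exit) if anything is missing,
# so the script can be dropped into a scheduled compliance job.
$results = Test-RequiredHotFix -KBList $RequiredKBs
$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} required update(s) missing on {1}" -f $missing.Count, $env:COMPUTERNAME)
    exit 1
}
```

One caveat for this month's set: Get-HotFix only lists operating-system updates. The Office and Office Web Apps fixes in MS16-099 are installed as Office updates and will not appear in its output, so those need to be verified through Windows Update history or your Office deployment tooling instead.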