It is the first month for Microsoft’s new patching model. Older Windows OSes will now be treated like Windows 10, with the patches all rolled into one big bundle meant to fix security and non-security issues together. However, there will also be a monthly security-only update that is supposed to resolve that month’s security issues without carrying the previous months' fixes along with it. On the third Tuesday of the month, the week after Patch Tuesday, Microsoft will release a preview of the upcoming patches so the non-security fixes can be tested to make sure the big rolled-up patch doesn’t blow anything up on some systems.
Microsoft released 10 security bulletins for October: five are rated critical, four are rated important and one is rated moderate. The majority of the security updates replace previous patches. Five are fixes for zero-day flaws.
(Apologies: I can apparently neither count nor read today and have updated with the correct number of critical flaws plus the moderate.)
Critical
All critical updates resolve at least one remote code execution vulnerability.
(0-day) MS16-118 is the cumulative security update for Internet Explorer. None of the 11 flaws had been publicly disclosed, but one, CVE-2016-3298, is being exploited. It is one of the three IE information disclosure bugs. The patch is meant to close those holes, as well as six memory corruption vulnerabilities and two elevation of privilege flaws.
(0-day) MS16-119 is the cumulative patch for Microsoft’s other browser, Edge. The update addresses 13 flaws: one RCE hole, seven memory corruption vulnerabilities, two elevation of privilege holes, two information disclosure flaws and one security feature bypass bug. Although none of the vulnerabilities had been publicly disclosed, the most dangerous one, a scripting engine RCE hole, CVE-2016-7189, is being exploited.
(0-day) MS16-120 addresses a plethora of security vulnerabilities in all supported versions of Windows, Office 2007 and 2010, Skype for Business 2016, Microsoft Lync 2010 and 2013, and all editions of both Microsoft .NET Framework and Silverlight. CVE-2016-3393, a Windows graphics component RCE hole, is being exploited even though it wasn’t publicly disclosed.
(0-day) But wait, there’s more for Office, as MS16-121 addresses an Office RTF remote code execution bug. The patch is for Office 2007, 2010, 2013, 2013 RT, 2016, Office for Mac 2011 and 2016, as well as Microsoft Office Compatibility Pack Service Pack 3 and Microsoft Word Viewer. Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2, Word Automation Services on Microsoft SharePoint Server 2013 Service Pack 1, Microsoft Office Web Apps 2010 Service Pack 2, Microsoft Office Web Apps Server 2013 Pack 1 and Office Online Server are also listed as being affected by the RCE.
An updated FAQ attempts to explain why a person with Word 2010 might not be offered the patch. “Some configurations will not be offered the update.”
Another FAQ tries to explain why you might not have any of the software that is listed as affected but still be offered the patch: “When updates address vulnerable code that exists in a component that is shared between multiple Microsoft Office products or shared between multiple versions of the same Microsoft Office product, the update is considered to be applicable to all supported products and versions that contain the vulnerable component.”
Please note, CVE-2016-7193, an Office memory corruption flaw, also called an Office RTF RCE vulnerability, is being exploited.
MS16-122 is an oddball, since it is denoted as being the fix for an RCE in Microsoft Video Control. If an attacker exploits it, he or she could take control of your PC.
MS16-127 is the expected monthly fix for RCE holes in Adobe Flash Player. Being Flash and RCE, you can pretty well bet it is being exploited—like all of these, if not before the patch was released, then not long afterwards.
Important
MS16-123 addresses multiple vulnerabilities in Windows Kernel-mode drivers; the most severe could allow elevation of privilege. None of the four Win32K EoP bugs nor the one Windows Transaction Manager EoP hole had been publicly disclosed or exploited.
At the time of writing this piece, the link for MS16-124 redirected to MSN. Thankfully, when you manually enter the expected link for MS16-124, you get the details for four elevation of privilege vulnerabilities in the Windows Registry. This fix replaces previous kernel patches deployed in various months, such as September, August, July and February, for various flavors of Windows.
After getting past another oops and redirect to MSN, MS16-125 is meant to patch another elevation of privilege bug, this time in Diagnostics Hub. This update replaces previous patches for the September cumulative update for Windows 10, but which one it replaces depends on which version of Windows you are running.
(0-day) MS16-126 is the fix for an information disclosure flaw in Microsoft Internet Messaging API, since it improperly handles objects in memory. An attacker who exploited this bug could “test for the presence of files on disk.” Most are replacement patches, but not all. Microsoft noted that although the vulnerability had not been publicly disclosed, it is being exploited.
Hopefully there won’t be any goofs in the patches like there were when adding links to take you to the security bulletins. Don't dawdle; there are zero-day holes to close ASAP.
Happy patching!