August 2016 Patch Tuesday: Microsoft releases 9 security updates, 5 rated critical

For August 2016, Patch Tuesday isn’t too painful. Microsoft released nine security bulletins, five of which were rated critical due to remote code execution (RCE) vulnerabilities.

Why so few this month? Michael Gray, vice president of technology at Thrive Networks, suggested, “It stands to reason that Microsoft may have kept things simple so as not to over-shadow the release of their Windows 10 Anniversary update.”

Critical

MS16-095 is the cumulative monthly fix for Internet Explorer. It resolves five memory corruption vulnerabilities and four information disclosure flaws.

MS16-096 is the monthly cumulative patch for Microsoft Edge. It addresses eight bugs, four of which are memory corruption flaws, one Microsoft PDF RCE vulnerability and three information disclosure holes.

MS16-097 is a security update to address RCE vulnerabilities in Microsoft graphics component. It is rated critical for all supported versions of Windows, Office 2007 and 2010, Skype for Business 2016, as well as Lync 2010 and 2013.

MS16-099 is the fix for Office, specifically three Office memory corruption vulnerabilities, one graphics component memory corruption vulnerability and one Microsoft OneNote information disclosure bug. Bobby Kuzma, CISSP, systems engineer at Core Security, added:

This Office update includes a fix for an ASLR bypass. While technologies like Address Space Layout Randomization make it more difficult for attackers to exploit overflow conditions, they are not a panacea. Defense in depth is the order of the day.

But hey, look on the bright side. There weren’t any font handling vulnerabilities this month.

MS16-102 resolves one RCE flaw in Microsoft Windows PDF library. According to Core Security principal software engineer Jon Rudolph:

The big one to keep an eye out for this month is CVE-2016-3319 aka “Microsoft PDF Remote Code Execution Vulnerability,” which is especially bad if your default browser is Edge configured to automatically show PDF content from websites. By exploiting this vulnerability, an attacker could assume the same permissions as the logged in user. Fortunately, no exploits have been seen in the wild for this yet. It hasn’t been publicly disclosed, although with the prevalence of PDF format, it’s a safe bet that this going to live in the attacker’s toolkits for years to come.

Important

MS16-098 patches four elevation of privilege vulnerabilities in Windows kernel-mode drivers.

MS16-100 resolves a security feature bypass bug in Windows Secure Boot. If exploited, Microsoft said an attacker “could disable code integrity checks, allowing test-signed executables and drivers to be loaded into a target device. Furthermore, the attacker could bypass Secure Boot Integrity Validation for BitLocker and Device Encryption security features.” The patch blacklists affected boot managers.

MS16-101 fixes two elevation of privilege vulnerabilities by updating how Windows authentication methods handle the establishment of secure channels; one is a Kerberos EoP flaw, and the other is a Netlogon EoP bug. Kuzma said it impacts “all Windows versions, officially back to Vista. Bet you a dollar that XP is vulnerable, too.”

MS16-103 addresses an information disclosure flaw in ActiveSyncProvider for Windows 10 and Windows 10 Version 1511.

“The vulnerability could allow information disclosure when Universal Outlook fails to establish a secure connection,” Microsoft noted. “The update addresses the vulnerability by preventing Universal Outlook from disclosing usernames and passwords.”

That’s it for August. Happy patching!