For July, Microsoft released 11 security bulletins, six of which were rated critical due to remote code execution (RCE) vulnerabilities.
MS16-084 is the cumulative patch for Internet Explorer, fixing a plethora of RCE problems that an attacker could exploit if a victim viewed a maliciously crafted webpage using IE. The security update also addresses spoofing vulnerabilities, security feature bypass and information disclosure flaws.
MS16-085 is the monthly cumulative security update for Microsoft’s Edge browser. The most severe vulnerabilities could allow RCE. The patch also resolves security feature bypass issues, information disclosure problems and many memory corruption flaws.
MS16-086 is the cumulative fix for Jscript and VBScript to stop RCE if a victim visited a malicious site. Qualys CTO Wolfgang Kandek said this should be a priority after deploying both browser, Office and Flash Player patches.
MS16-087 is something different for a change. This patch fixes security problems in Windows Print Spooler components. As Core Security systems engineer Bobby Kuzma said, “It’s been a while since we’ve seen remote code execution in the print spooler of all places. It fails to validate printer drivers.” Microsoft said the most severe bug could allow RCE if an attacker can execute a man-in-the-middle attack on a workstation or print server or set up a rogue print server on a target network.
Knowing MS16-088 is for Office immediately puts it as a top priority if you don't want an attacker to take control of your box. The worst flaws could allow RCE if a victim opens a malicious Office file.
MS16-089 resolves a bug that could allow information disclosure when Windows Secure Kernel Mode mangles objects in memory. It a “a memory-handling information disclosure vulnerability,” Kuzma said. “An attacker with local access would be able to read things from memory that they have no permissions for, allowing this, in concern with other vulnerabilities, to lead to the compromise of a system.”
MS16-090 addresses vulnerabilities in Windows kernel-mode drivers. Microsoft said the “more severe vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected systems.”
MS16-091 patches an information disclosure vulnerability in Microsoft .NET framework. Of the security bulletins rated as “important,” Kandek advised giving this one top priority.
MS16-092 resolves holes in Windows kernel, both information disclosure and security feature bypass. The information disclosure flaw has been publicly disclosed, but Microsoft said it is not being exploited.
Kuzma explained, “This impacts the application whitelisting functionality on Windows 8.1 and newer. I suspect we’ll be seeing a lot more like this as researchers and attackers both look for ways to bypass this technology.”
MS16-094 fixes a flaw in Secure Boot security features that could by bypassed if an attacker installs an affected policy on a target device. However, an attacker would need either physical access or administrative privileges to pull that off.
“Secure boot isn’t very secure, I’m afraid, when policy application and handling errors strip away its most critical protections. An attacker being able to disable integrity checks is the first step in establishing difficult to detect and difficult to remove persistence. AND it could potentially disable BitLocker encryption. Sounds like this vulnerability was a great tool for Folks That Spy On People.”