Microsoft released 14 security bulletins for September, seven of which are rated critical due to remote code execution flaws. Microsoft in all its wisdom didn’t regard all RCEs as critical. There’s also an “important rated” patch for a publicly disclosed flaw which Microsoft claims isn’t a zero-day being exploited. But at least a 10-year-old hole is finally being plugged.
Next month marks a significant change as Microsoft says it intends roll out "servicing changes" that include bundled patches. Unless things change, not all Windows users will be able to pick and choose specific security updates starting in October.
MS16-104 is the monthly cumulative security fix for Internet Explorer. It patches 10 flaws made up of five RCE holes, three information disclosure flaws, one elevation of privilege vulnerability and a security feature bypass bug. All the RCEs are tied to memory corruption vulnerabilities. While none of the vulnerabilities has been publicly disclosed, Microsoft noted that one of the information disclosure bugs, CVE-2016-3351, is being exploited.
MS16-105 is the expected monthly fix for Microsoft Edge. The cumulative security update resolves seven RCE flaws tied to memory corruption vulnerabilities and five information disclosure holes.
MS16-106 is a security update for Microsoft Graphics Component; it is considered critical for Windows 10 version 1607 and important for other supported versions of Windows. Microsoft said it fixed an RCE in Windows Graphics Device Interface (GDI), a GDI elevation of privilege bug, a GDI information disclosure flaw and two Win32k elevation of privilege vulnerabilities.
Bobby Kuzma, a systems engineer at Core Security, noted, “MS16-106 is a re-release of the previous MS16-098 and MS15-097 for Server 2008. Oopsie. Looks like the same vulnerability just needed a bit more tender loving care to get it working on pretty much every currently supported flavor of Windows.”
MS16-107 is for Office. It resolves 10 Microsoft Office memory corruption vulnerabilities, a spoofing vulnerability, an information disclosure hole and an APP-V Address Space Layout Randomization (ASLR) bypass bug.
One of the fixes is for a 10-year-old vulnerability. It took Microsoft nine flipping months to push out the patch after it was notified of the flaw by enSilo security researcher Udi Yavo. According to an emailed statement, some of the details were discussed at Black Hat, “including that it also affected security vendors like AVG, Kaspersky, McAfee and Symantec.”
“Today Microsoft issued a patch to prevent attackers from exploiting the vulnerability we reported last month in its Microsoft Office, with the vulnerability stemming from their 10-year-old hooking engine, Detours. Unfortunately for Microsoft customers using Detours, you’re still vulnerable until you’ve patched. That means in the enterprise – with Detours integrated into thousands of products, including Microsoft Office – patching could take up to three weeks, if not longer. On top of that, patching this particular vulnerability is even more complicated because fixing it requires a recompilation of each product individually.
To support enterprise security teams in determining which products and applications are affected by the Detours vulnerability we found, we’ve launched a diagnostic tool. The tool is available on GitHub at https://github.com/BreakingMalwareResearch/Captain-Hook.”
MS16-108 patches RCE vulnerabilities in Microsoft Exchange Server, as well as an open redirect flaw, an elevation of privilege hole and an information disclosure vulnerability.
Kuzma said, “I’m cringing as I read the description of this vulnerability… Remote Code Execution or Information disclosure via specially crafted attachments, including Meeting Invitation requests… across Exchange 2007, 2010, 2013… And 2016? To be fair, it is an issue with an Oracle provided library, but still.”
MS16-116 provides the fix for a memory corruption vulnerability that exists in Microsoft’s OLE Automation mechanism and its VBScript Scripting Engine.
MS16-109 provides the fix for Silverlight. Although only rated as important, it resolves an RCE vulnerability.
MS16-110 also resolves RCE vulnerabilities in Windows, but different versions are affected differently, meaning some also are affected by an information disclosure hole, a denial of service flaw, or a Windows Permissions Enforcement elevation of privilege bug. The information disclosure flaw has been publicly disclosed, although Microsoft claims it is not yet being exploited.
A zero-day vulnerability rated important seems to make no sense. Microsoft said the information disclosure hole “exists when Windows fails to properly validate NT LAN Manager (NTLM) Single Sign-On (SSO) requests during Microsoft Account (MSA) login sessions. An attacker who successfully exploited the vulnerability could attempt to brute force a user’s NTLM password hash.”
MS16-111 is the patch for Windows Kernel. It resolves five elevation of privilege vulnerabilities, two of which are Windows Session Object EoP flaws and three are Windows Kernel EoP holes.
Well now, you don’t see this every month. MS16-112 is a security update for Windows Lock Screen. Microsoft noted that the “vulnerability could allow elevation of privilege if Windows improperly allows web content to load from the Windows lock screen.”
MS16-113 provides the fix for an information disclosure vulnerability in Windows Secure Kernel Mode.
MS16-114 is “another rehash,” according to Kuzma. “It started life as MS15-083 impacting Vista and Server 2008, but now adds Remote Code Execution to its repertoire on Windows 7 and Server 2008 R2, and Denial of service on Windows 8 and newer. Microsoft’s improving. Given the choice, I’d rather have a DoS than a RCE any day of the week.”
MS16-115 will plug up information disclosure vulnerabilities in Microsoft Windows PDF Library.
As for the Patch Tuesday changes that are scheduled to roll out in October, Microsoft has already changed how much info is provided. Now they will feed users one big bundle of patches. Let’s hope there isn’t one in the batch that royally messes things up. Perhaps Microsoft is starting to think users are like mushrooms: best kept in the dark and fed feces? At any rate, happy patching!