Patch Tuesday has once again arrived! Microsoft's monthly release of security bulletins to address vulnerabilities provides fixes for 37 newly disclosed security flaws. Today's release sees a total of 10 bulletins with five of the bulletins rated critical and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Video Control, and Adobe Flash Player. Four bulletins are rated important and address flaws in Office, Windows Diagnostic Hub, Windows Kernel-Mode Drivers, and Windows Registry. One bulletin is rated moderate and addresses a flaw in Microsoft Internet Messaging API.

Bulletins Rated Critical The following bulletins are rated critical: MS16-118, MS16-119, MS16-120, MS16-122, MS16-127

MS16-118 and MS16-119 are this month's bulletins for Internet Explorer and Edge respectively. The Internet Explorer bulletin fixes 11 vulnerabilities while the Edge bulletin fixes 13 vulnerabilities. Seven vulnerabilities were found to affect both Edge and IE. The majority of the vulnerabilities fixed are memory corruption flaws that could lead to arbitrary code execution. Several privilege escalation and information disclosure flaws were also fixed in this month's release.

MS16-120 addresses seven vulnerabilities in the Microsoft Graphics Component. Two of the vulnerabilities, CVE-2016-3393 and CVE-2016-3396, are arbitrary code execution flaws in the GDI component and font library respectively. Exploitation of these two flaws is achievable if a user navigates to a specifically crafted website or opens a specifically crafted file that is designed to exploit these flaws. Two privilege escalation flaws, CVE-2016-3270 and CVE-2016-7182, were also addressed where a flaw in how TrueType fonts are parsed or a specifically crafted application could elevate the user's privilege to that of an administrator. The remaining three vulnerabilities (CVE-2016-3209, CVE-2016-3262, CVE-2016-3263) are information disclosure flaws that could be used circumvent ASLR.

MS16-122 addresses CVE-2016-0142, an arbitrary code execution vulnerability in Microsoft Video Control. This vulnerability manifests as a failure to properly handle objects in memory and could be exploited if a user opens a specifically crafted file or launches a malicious executable. Attack scenarios where this might occur are email-based attacks or if a user downloads a file/executable and opens it on their machine.

MS16-127 updates the embedded Adobe Flash Player in Internet Explorer and Edge and to address all the vulnerabilities fixed in APSB16-32. For more detail on what is contained in the Adobe Flash Player bulletin, please refer to the bulletin posted on Adobe's website.

Bulletins Rated Important The following bulletins are rated important: MS16-121, MS16-123, MS16-124, MS16-125

MS16-121 addresses CVE-2016-7193, an arbitrary code execution vulnerability in all supported versions of Microsoft Office. CVE-2016-7193 manifests as a memory corruption flaw due to the way Office parses and handles Rich Text Format (RTF) files. Exploitation of this vulnerability requires that a user open a specifically crafted file that is designed to exploit this flaw.

MS16-123 addresses five local privilege escalation vulnerabilities that were identified in Windows Kernel-Mode Drivers. All five vulnerabilities are exploitable via an authenticated user executing a specifically crafted binary that exploits one of these flaws and elevates the user's privilege level to that of an administrator. Four of the vulnerabilities (CVE-2016-3266, CVE-2016-3376, CVE-2016-7185, CVE-2016-7211) manifest in the kernel itself while the fifth one (CVE-216-3341) manifests in the Windows Transaction Manager.

MS16-124 addresses four local privilege escalation vulnerabilities in the Windows Kernel. All four vulnerabilities (CVE-2016-0070, CVE-2016-0073, CVE-2016-0075, CVE-2016-0079) manifest as a result of the Windows Kernel API incorrectly permitting users to retrieve sensitive Registry information that could be used to then elevate a user's privileges to that of an administrator. Exploitation of these vulnerabilities could be achieved if a specifically crafted executable is launched on the target machine.

MS16-125 addresses CVE-2016-7188, a privilege escalation vulnerability in the Windows Diagnostics Hub. CVE-2016-7188 manifests as a result of the Windows Diagnostics Hubs Standard Collector Service failing to correctly sanitize user input, resulting in the unsafe loading of a library. Exploitation of this vulnerability requires that an authenticated user launch a specifically crafted executable that exploits this vulnerability.

Bulletins Rated Moderate MS16-126 is the sole security bulletin with a moderate severity rating this month and addresses CVE-2016-3298, an information disclosure vulnerability in the Microsoft Internet Messaging API. CVE-2016-3298 manifests as a flaw in how objects in memory are handled and if exploited, could allow an adversary to test if files exist on disk. Exploitation is achievable if a user navigates to a malicious website that exploits this vulnerability.

Coverage In response to the release of these bulletins, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort Rules

  • Microsoft Bulletins: 40364-40381, 40383-40405, 40408-40412, 40418-40428