This post was authored by Jaeson Schultz.
Well it's Microsoft Patch Tuesday, again, and that must mean we are girding our systems against another round of security vulnerabilities. This month Microsoft has released fourteen (14) bulletins covering fifty (50) security vulnerabilities. There are seven bulletins in the set whose severity is considered "Critical". These "Critical" bulletins affect Internet Explorer, Microsoft Edge, Microsoft Graphics Component, Microsoft Exchange Server, Microsoft Office, OLE Automation for VBScript Scripting Engine, and the Adobe Flash Player. The remaining seven bulletins impact products such as Silverlight, Windows, Windows Kernel, Windows Lock Screen, Windows Secure Kernel Mode, Windows SMBv1 Server, and the Microsoft Windows PDF Library.
Bulletins Rated Critical
Microsoft bulletins MS16-104, MS-105, MS16-106, MS16-107, MS16-108, MS16-116, and MS16-117 are rated as Critical in this month's release.
MS16-104 and MS-105 are this month's Internet Explorer and Microsoft Edge bulletins, respectively. These bulletins address a total of twenty-two (22) vulnerabilities comprised primarily of memory corruption and information disclosure vulnerabilities. Six (6) vulnerabilities are shared, affecting both IE and Edge. The most critical vulnerability affecting both products is a memory corruption vulnerability, CVE-2016-3295, concerns how objects are handled in memory. By directing the user to a specially crafted web page, an attacker could achieve remote code execution.
MS16-106 addresses a handful of vulnerabilities in Microsoft Graphics Component. The most severe vulnerability, CVE-2016-3356, affects how the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker could achieve remote code execution by directing the victim to a specially crafted web page, or by inducing the victim to open a specially crafted document file.
MS16-107 fixes thirteen vulnerabilities in Microsoft Office. The majority of vulnerabilities are memory corruption vulnerabilities, plus a security feature bypass, and a spoofing vulnerability. The most critical vulnerability in this set is CVE-2016-3357. If an attacker can convince their victim to open a specially crafted MS Office file, then remote code execution is possible.
MS16-108 resolves three vulnerabilities in Microsoft Exchange. Regular readers of the Talos blog might remember back in July when we discussed several vulnerabilities that Talos identified in Oracle's Outside In Technology. Oracle's Outside-In is a software library that is used to help parse a multitude of file types. By creating a custom file, an attacker could achieve remote code execution.
MS16-116 addresses a scripting vulnerability in Window OLE Automation for VBScript Scripting Engine. To exploit this vulnerability and execute code on the victim's machine the attacker would have to convince their victim to visit a compromised or malicious website. Please take note that according to Microsoft two updates must be installed in order to be protected from the vulnerability: both this update and the update contained in bulletin MS16-104.
MS16-117 updates the Adobe Flash libraries contained within Internet Explorer and Microsoft Edge. This bulletin fixes all twenty-nine (29) of the vulnerabilities identified by Adobe Security Bulletin APSB16-29. Honestly, there has been such a steady stream of vulnerabilities identified in Adobe Flash, that users would be wise to take steps that will hinder Flash from running in their web browser unsupervised.
Bulletins Rated Important
MS16-109 addresses a single vulnerability in how Microsoft Silverlight allocates memory for inserting and appending strings in StringBuilder. By inducing a victim to view a custom silverlight application, remote code execution can be achieved.
MS16-110 resolves four vulnerabilities in Microsoft Windows. By exploiting the vulnerabilities addressed by this bulletin an attacker could potentially elevate privileges, brute force a user's NTLM password hash, conduct a denial of service attack, or even execute arbitrary code with elevated privileges.
MS16-111 fixes a handful of privilege elevation vulnerabilities in Windows Kernel. The vulnerabilities are all privilege escalation vulnerabilities, and can be triggered by an attacker executing a custom-designed application on a system.
MS16-112 addresses a single vulnerability in Windows Lock Screen. There are certain situations when a user's Windows lock screen may load web content. An attacker, having physical access to the victims locked computer, could either connect the computer to a malicious WiFi hotspot, or insert a mobile broadband adaptor into the victim machine. After exploiting this vulnerability an attacker could run code on the victim machine.
MS16-113 resolves a single information disclosure vulnerability concerning how Windows Secure Kernel Mode handles objects in memory. An attacker who is locally authenticated can exploit this vulnerability by running an application on the target system. Note that this information disclosure vulnerability alone would not be sufficient to compromise a system. An attacker would have to exploit this vulnerability along with other vulnerabilities in order to do so.
MS16-114 resolves a single remote code execution vulnerability in Windows Server Message Block 1.0 (SMBv1) Server. To exploit this vulnerability, an attacker would first need to authenticate to the SMBv1 server and also have the ability to open files on the victim's SMBv1 server.
MS16-115 fixes a pair of information disclosure vulnerabilities in Microsoft Windows PDF Library. The vulnerabilities concern how Windows PDF Library handles objects in memory. By successful exploitation of these vulnerabilities, an attacker could gain additional information which can be used to further compromise a target system.
Talos has released the following Snort Rules in response to these bulletins disclosures by Microsoft and Adobe. Please note that these rules are subject to change pending new vulnerability information. For the most up to date information, refer to your FireSIGHT Defense Center or Snort.org.
- Microsoft Bulletin SIDs: 40129, 40146, 40035-40036, 40073-40080, 40082-40124, 40127-40128, 40132-40145, 40147-40148
- Adobe Bulletin SIDs: 40151-40181