This post was authored by Edmund Brumaghin and Jonah Samost

Today is Patch Tuesday for August 2016, and Microsoft has released several security bulletins and associated patches to resolve security issues across their products. This month’s patch release includes 9 bulletins addressing 28 vulnerabilities. Five of the bulletins Microsoft has released are rated Critical and address vulnerabilities in Internet Explorer, Edge, Windows Graphics Component, Microsoft Office, and the Windows PDF library. The remaining four bulletins are rated Important and address vulnerabilities in Windows Kernel-Mode Drivers, Secure Boot, Windows Authentication Methods, and ActiveSyncProvider.

Bulletins Rated Critical
Microsoft has listed bulletins MS16-095, MS16-096, MS16-097, MS16-099, MS16-102 as critical in this month’s release.

MS16-095 and MS16-096 are this month’s bulletins addressing security vulnerabilities associated with Microsoft Internet Explorer and Edge. The Internet Explorer bulletin addresses a total of nine vulnerabilities, including five memory corruption bugs and four information disclosure vulnerabilities. The Edge bulletin covers a total of eight vulnerabilities, including a remote code execution vulnerability, four memory corruption bugs and three information disclosure vulnerabilities. The Internet Explorer bulletin is rated Critical for affected Windows clients and Moderate for affected Windows Servers.

MS16-097 addresses three remote code execution vulnerabilities in the Windows Graphics Component (CVE-2016-3301, CVE-2016-3303, and CVE-2016-3304). These vulnerabilities are related to the way in which this component handles fonts and could be leveraged by attackers to gain code execution on affected systems. This vulnerability affects all supported version of Microsoft Windows. In addition, it affects several versions of Microsoft Office, Microsoft Lync, and Skype for Business.

MS16-099 addresses four vulnerabilities, including one information disclosure vulnerability and three memory corruption vulnerabilities affecting various versions of Microsoft Office. The memory corruption vulnerabilities could be leveraged to obtain remote code execution within the context of the currently running user if the user opens a specially crafted Office document. This update resolves CVE-2016-3313, CVE-2016-3316, CVE-2016-3317, and CVE-2016-3318.

MS16-102 addresses a vulnerability in the Microsoft Windows PDF Library (CVE-2016-3319) that could be used to by an attacker to gain the ability to execute code within the context of the currently running user if a specially crafted PDF document is opened on an affected system. On Windows 10 systems that are configured to use Microsoft Edge as the default browser, this vulnerability could be triggered by simply browsing to a website hosting a malicious PDF, as Edge will attempt to render the file contents automatically. This vulnerability is rated critical for all supported versions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows 10.

Bulletins Rated Important
Microsoft has listed bulletins MS16-098, MS16-100, MS16-101 and MS16-103 as Important in this month’s release.

MS16-098 resolves multiple local privilege escalation vulnerabilities, which can be triggered on Windows Vista through Windows Server 2012 R2.  These vulnerabilities stem from specific Windows kernel-mode drivers failing to properly handle objects in memory. If exploited, an attacker would be able to run arbitrary code in kernel mode. Microsoft has assigned four CVEs (CVE-2016-3308 through CVE-2016-3311) for these vulnerabilities.

MS16-100 addresses a secure boot bypass vulnerability that can be leveraged by an attacker who has either physical access to or administrative privileges on a device. This vulnerability is triggered when a boot manager is improperly loaded by Windows Secure Boot. Successful exploitation can lead to a Secure Boot integrity validation for Bitlocker bypass, disabling integrity checks and allowing test-signed drivers or executables to be loaded, among other things. All supported versions of Windows 8.1 through Windows 10 are affected; this vulnerability is classified as CVE-2016-3320.

MS16-101 addresses two elevation of privilege vulnerabilities. CVE-2016-3300 relates to how Windows Netlogon establishes a secure connection to systems whose domain controller is running either Windows Server 2012 or Windows Server 2012 R2. An attacker would require access to a domain-joined machine that points to one of these systems in order to leverage the vulnerability and elevate privileges on the domain-joined machine. CVE-2016-3237 is related to Kerberos reverting to NTLM as the default authentication protocol after improperly handling a password change request. In order to exploit this and bypass the Kerberos authentication mechanism, an attacker would need to launch a man-in-the-middle attack against the traffic between a target machine and its domain controller.  All supported versions of Windows are affected for the Kerberos elevation of privilege, while the netlogon vulnerability only affects all versions of Windows 8.1 and Server 2012.

MS16-103 addresses an information disclosure vulnerability in Universal Outlook when the service fails to establish a secure connection. From this disclosure, an attacker may obtain the username and password of the user. This vulnerability affects all versions of Windows 10 and is classified as CVE-2016-3312.

Coverage
In response to the release of these bulletins, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center, or Snort.org

Snort Rules: 39808-39829, 39831-39844