This post was authored by William Largent

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is has 11 bulletins addressing 49 vulnerabilities. 6 of these bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, JScript/VBScript, Print Spooler, Office and Adobe Flash Player.  The remaining bulletins are rated important and address vulnerabilities in Windows Kernel, Office, Kernel-Mode Drivers, .NET Framework, and Secure Boot.

Bulletins Rated Critical Microsoft bulletins MS16-084 through MS16-088, and MS16-093 are rated as critical in this month's release.

MS16-084 and MS16-085 are this month's Internet Explorer and Edge security bulletins respectively.  The IE security bulletin addresses vulnerabilities in Internet Explorer versions 9, 10, & 11. The IE bulletin covers 15 vulnerabilities in total and resolves 9 memory corruption bugs, 1 security feature bypass bug, 3 information disclosure, and 2 spoofing bugs. The Edge bulletin addresses 13 vulnerabilities in total and resolves 7 memory corruption bugs, 1 security feature bypass, 3 information disclosure and 2 spoofing bugs. The IE bugs are rated critical on affected Windows clients but only Moderate on affected Windows Servers.


MS16-086 addresses CVE-2016-3204, a memory corruption bug caused by the way JScript and VBScript engines render  objects in memory in Internet Explorer. Successful exploitation of this bug could allow remote code execution in the context of the logged on user. An attacker can trick a user into visiting a specially crafted webpage to trigger this vulnerability.

MS16-087 is this month’s Microsoft Print Spooler bulletin, addressing CVE-2016-3238 and  CVE-2016-3239. CVE-2016-3238 involves the Print Spooler not properly validating print drivers in conjunction with installing a printer. Successful exploitation of this bug could lead to remote code execution. CVE-2016-3239 is a local privilege escalation bug that involves the way in which the Print Spooler writes to the underlying file system. To exploit this vulnerability, an attacker needs to log onto the affected system and run a specially crafted script or program.

MS16-088 is this month’s Microsoft Office bulletin and it addresses seven memory corruption vulnerabilities outlined in CVE-2016-3278 through CVE-2016-3284. The most severe could grant attackers code execution within the context of the current user following the opening of a specially crafted file. This file may be delivered in a variety of different ways such as via email or hosted on a web server. This vulnerability applies to several versions of Microsoft Office.

MS16-093 is an Adobe Flash Player security update for the Flash Player libraries found in Microsoft Internet Explorer 10 and 11 and Microsoft Edge. This security update addresses 24 vulnerabilities, which are further detailed in Adobe Security Bulletin APSB16-25.

Bulletins Rated Important Microsoft bulletins MS16-089, MS16-090, MS16-091, MS16-092, and MS16-094 are rated as important in this month's release.

MS16-089 addresses an information disclosure vulnerability in Windows Secure Kernel Mode (CVE-2016-3256). An attacker could gain access to sensitive information on a system by successfully exploiting this vulnerability. This vulnerability combined with the use of additional vulnerabilities could be used to further compromise a system. This security update applies to all supported versions of Windows 10.

MS16-090 addresses several vulnerabilities in Microsoft Windows Kernel-Mode Drivers. These local privilege escalation vulnerabilities could allow an attacker to elevate privileges and could be used to grant an attacker the ability to execute code in kernel mode. This security update is applicable to all supported versions of Windows.

MS16-091 addresses CVE-2016-3255 which in an information disclosure vulnerability in the .NET Framework related to the way in which .NET Framework parses XML input containing reference to external entities. Using specially crafted XML data, an attacker could obtain the ability to perform arbitrary file reads. This security update applies to several versions of .NET Framework.

MS16-092 resolves vulnerabilities in the Windows Kernel. A vulnerability in the Windows kernel exists that could allow an attacker to potentially manipulate files located outside of a low integrity security level application and requires an attacker to leverage additional vulnerabilities to successfully exploit (CVE-2016-3258). The Windows Kernel also suffers from an information disclosure vulnerability that could enable an attacker to disclose information between processes. This vulnerability requires local system access or the execution of a specially crafted application (CVE-2016-3272). This security update is applicable to all supported versions of Windows.

MS16-094 is a security update for Secure Boot and addresses CVE-2016-3287.  The vulnerability in Secure Boot could allow Secure Boot security features to be bypassed by an attacker with administrative or physical access to affected systems. Bypassing these security features could allow an attacker to disable code integrity checks, allowing test-signed executables and drivers to be loaded on a target system and/or bypass Secure Boot Integrity Validation for BitLocker. This vulnerability affects all supported versions of Windows.

Coverage In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort Rules Microsoft Bulletins: 39478-39487, 39491-39496, 39499-39525, 39530-39531
Adobe Bulletin: 39532-39559, 39563-39566, 39569-39572