Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. For a detailed explanaiton of each of the categories listed below, please go to https://technet.microsoft.com/en-us/security/gg309177.aspx.

This month's release is packed full of goodies, but you don't want to wait to review them over Thanksgiving dinner as there are 14 unique bulletins addressing multiple vulnerabilities.

Critical bulletins address vulnerabilities in (alphabetically):

  • Adobe Flash Player
  • Edge
  • Graphics Component
  • Internet Explorer
  • Video Control
  • Windows
    The remaining bulletins are rated Important or Moderate and address vulnerabilities in the following products (listed alphabetically):
  • Boot Manager*
  • Common Log File System Driver*
  • Edge*+
  • Graphics Component*
  • Internet Explorer*+
  • Kernel-Mode Drivers*
  • Office*
  • Virtual Hard Drive*
  • SQL Server*+
  • Windows / Windows Authentication Method / Windows Kernel* * addressed in one or more Important bulletin(s)
    + addressed in one or more Moderate bulletin(s)

Bulletins Rated Critical
Microsoft bulletins MS16-129 through MS16-132, MS16-141 (Adobe) and MS16-142 cover 14 CVE's and contain patches rated as Critical in this month's release.

MS16-129 for Microsoft Edge (on Windows 10) includes 17 total CVEs and addresses multiple remote code execution (RCE) vulnerabilities.

These vulnerabilities are exploited by simply browsing to a malicious site controlled by the actor or a compromised website that accepts or hosts user-provided content or advertisements. Much like the IE vulnerabilities in MS16-142, the malicious actor can't force the user to do anything, rather they have to entice the user to visit the site and/or the user must click a specially crafted URL. Some of the risks posed by these vulnerabilities include allowing an attacker to:

  • obtain browser window state from a different domain
  • obtain sensitive information from certain web pages
  • gain the same user rights as the current user
  • gain access to the user's My Documents folder
  • spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services

MS16-130 (CVE-2016-7212) addresses Critical vulnerabilities for multiple platforms to include Windows Clients: 10, 8.1, 7, & Vista and Windows Servers: 2016, 2012, 2012R2, 2008, & 2008R2. Other platforms not listed either past their support life cycle or are not affected. The vulnerability (CVE-2016-7212) is exploited by either convincing a user to open/load a malicious image file from an email or render it on a malicious website.

MS16-131 (CVE-2016-7248) for the Microsoft Video Control on Microsoft Windows Vista, 7, 8.1/RT 8.1, and Windows 10. The severity of this lies in that successful exploitation means the attacker could remotely execute code at the privilege level of the user currently logged in. If an attacker can convince a user to open either a specially crafted file, or a program from either a webpage or an email message, the attacker could successfully execute the exploit.

MS16-132 (CVE-2016-7205) addresses issues in Microsoft Graphics Component animation functionality in Windows 7, 8.1, & 10 and in Server 2008 R2, 2012, and 2012 R2. If exploited, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation is as simple as browsing to a malicious website with animated graphics.

MS16-141 is issued in conjunction with Adobe's release for an 0-day recently discovered in Adobe Flash Player. Adobe has released Security Bulletin APSB16-37 and includes CVE-2016-7857 through CVE-2016-7865.

MS16-142 for CVE-2016-7196, CVE-2016-7198, & CVE-2016-7241 for Internet Explorer. Depending on your platform, this vulnerability severity varies, for Windows clients with IE9 & 11, it is considered Critical. If you have Windows servers with IE9, 10, or 11 it is considered Moderate. This makes sense when you consider the dangers posed by the attack that would exploit this vulnerability. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Most servers do not have users logged in as administrators where as on a regular Windows client, many users are likely to stay logged in as an administrator. The easiest means to exploit the vulnerability would be for a user to visit a malicious website that appears benign on the surface and might not trigger any security software alerts. An attacker would have to convince users to take action, typically via an enticement in email or instant message, or by getting them to open an email attachment.

For those of you who may track these vulnerabilities by KB number, the numbers for the referenced items in this section are:

  • KB is N/A MS16-141 Security Update for Adobe Flash Player
  • KB 3198467 MS16-128 Cumulative Security Update for Internet Explorer
  • KB 3199057 MS16-129 Cumulative Security Update for Microsoft Edge
  • KB 3199120 MS16-132 Security Update for Microsoft Graphics Component
  • KB 3199151 MS16-131 Security Update for Microsoft Video Control
  • KB 3199172 MS16-130 Security Update for Microsoft Windows

Bulletins Rated Important
Here is where the bulk of the patches fall this month. Microsoft bulletins MS16-129 through 130 & 132 appear above under Critical bulletins, and they also contain additional patch information categorized Important. The following bulletins contain *only* Important updates and include MS16-133 through 135 and MS16-137 through 140. We have one remaining bulletin in this group, that will also have information on Moderate patches, MS16-136.

MS16-129 contains information for six CVEs ranked as Important affecting Edge. The vulnerability information is similar to that summarized in the Critical section above.

MS16-130 (CVE-2016-7221 and 7222) addresses Elevation of Privilege vulnerabilities for multiple platforms to include Windows Clients: 10, 8.1, 7, & Vista and Windows Servers: 2016, 2012, 2012R2, 2008, & 2008R2. Other platforms not listed are either past their support life cycle or are not affected. CVE-2016-7222 documentation indicates it only affects Windows 10 & Server 2016. To exploit it, a locally authenticated attacker could use Windows Task Scheduler to schedule a new task with a malicious UNC path. CVE-2016-7221, according to the bulletins, affects all platforms as previously listed. To exploit CVE-2016-7221, a locally authenticated attacker would need to run a specially crafted application.

MS16-132 as discussed above, contains information addressing a Critical vulnerability in Microsoft Graphics animation functionality. It also contains information for an Important vulnerability surrounding Microsoft Graphics and Open Type Font information detailed in CVE-2016-7210. There are multiple ways to exploit it such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The bulletin details specific workarounds for CVE-2016-7210 on both 32 & 64-bit systems, all requiring a restart of the system.

MS16-133 covers 12 CVEs addressing memory corruption, information disclosure, and denial of service (DoS) vulnerabilities, all rated Important. Products affected range from Office 2007 through the latest 2016 on Windows platforms, Office for Mac 2011 & 2016, and various Office Compatibility Packs. To exploit any of these vulnerabilities, the attacker would seek to have the user open a specially crafted file with an affected version of Microsoft Office software. The file could be sent as an email attachment, an instant message file, or be on a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file. If an attacker exploits any of these vulnerabilities, the risk includes one or more of the following as the attacker could:

  • view out of bounds memory
  • run arbitrary code in the context of the current user
  • install programs; view, change, or delete data; or create new accounts with full user rights
  • cause Office to stop responding, a DoS attack however it would not allow an attacker to execute code or to elevate their user rights
    MS16-134 address 10 CVEs covering Elevation of Privilege vulnerabilities in the Common Log File System (CFLS) Driver. The common method to exploit any of these would be to execute a specially crafted application to take complete control over the affected system. An attacker who successfully exploits this vulnerability could run processes in an elevated context. Affects Windows client platforms Vista, 7, 8.1, RT 8.1, 10 and server editions 2008, 2008 R2, 2012, and 2012 R2.

MS16-135 affects all supported releases of Windows and all vulnerabilities contained are ranked Important. It addresses Kernel-Mode driver vulnerabilities outlined in, CVE-2016-7214, CVE-2016-7215, CVE-2016-7218, CVE-2016-7246 & 7255 that include Elevation of Privilege and Information Disclosure. The most severe of the vulnerabilities ( CVE-2016-7215) could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. After escalating the accounts privileges, the attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

MS16-136 update resolves vulnerabilities in Microsoft SQL Server and is rated Important for Microsoft SQL Server 2012, 2014 & 2016. There are six CVE's affecting this product: inclusively CVE-2016-7249 through 7254. Additionally, the security update also includes some important non-security fixes. First, the most severe vulnerabilities are multiple SQL RDBMS Engine elevation of privilege vulnerabilities (49, 50, & 54). When exploited, through pointer casting, these vulnerabilities could allow an adversary to view, change, or delete data; or create new accounts, provided the credentials of the account allow access to one of the affected SQL versions. Second there is one XSS API vulnerability (7251). In this vulnerability SQL Server MDS does not properly validate a request parameter on a SQL Server site, therefore a malicious actor could inject a client-side script that would spoof content, disclose information, or take any action that the user could take on the site on and appear to be actions of a targeted user. Third we have a vulnerability in Microsoft SQL Analysis Services (7252). When SQL Analysis Services improperly checks filestream path an attacker could gain additional database and file information if their credentials allow access to an affected SQL server database. Finally we have CVE-2016-7253, this vulnerability exists in Microsoft SQL Server Engine when SQL Server Agent incorrectly check ACLs on atxcore.dll. If exploited, the attacker could could gain elevated privileges allowing him/her to view, change, or delete data; or create new accounts.

MS16-137 contains three CVEs for Windows Authentication Methods: 1) Information Disclosure (CVE-2016-7220) vulnerability; 2) a DoS (CVE-2016-7237); and 3) an Elevation of Privilege (CVE-2016-7238). The most severe of these, CVE-2016-7238, requires the attacker to authenticate to a domain-joined system with a non-administrator user account. Then the attacker could elevate their permissions from unprivileged to administrator which thereby allows him/her to install programs; view, change or delete data; or create new accounts. A secondary method to exploit this would be to locally execute a specially crafted application designed to manipulate NTLM password change requests. CVE-2016-7220 is exploited when a locally-authenticated attacker runs a specially crafted application on a system resulting in information disclosure vulnerability, i.e. allowing them access to sensitive information. Independently, this vulnerability would not be sufficient for an attacker to compromise a system. However, when combined with additional vulnerabilities further exploit and compromise of the host is possible. The final Important vulnerability addressed in MS16-137 is CVE-2016-7237, a Local Security Authority Subsystem Service (LSASS) DoS vulnerability. A authenticated remote attacker who successfully exploited this vulnerability could cause a denial of service on a host by sending a specially crafted request.

MS16-138 addresses four CVEs: CVE-2016-7223 through 7226, detailing vulnerabilities in the Microsoft Virtual Hard Drive and the manner in which VHDMP kernel driver handles access to specific files. Exploitation of these vulnerabilities requires access to the local system and adequate permissions to execute a specially crafted application on the system.

MS16-139 is a relatively small bulletin compared to the other in this release. It has one CVE affecting two client operating systems Windows Vista & 7 Server and one server platform 2008 R2: CVE-2016-7216. The exploit occurs when the Windows Kernel API allows a user access to sensitive information. After gaining this access, a locally authenticated attacker could exploit this vulnerability by running a specially crafted application.

MS16-140 is ranked Important for all supported editions of Windows 8.1, RT 8.1, & 10 for clients and Windows Server 2012 & 2012 R2. It allows a Windows security bypass when Windows Secure Boot improperly loads a boot manager. Risks include:

  • disabled code integrity checks
  • allowing test-signed executables and drivers to be loaded
  • bypass Secure Boot Integrity Validation for BitLocker
  • bypass Device Encryption security feature MS16-142 contains information for two CVEs ranked as Important for IE. The vulnerability information itself is essentially the same as mentioned in the Critical section above, however the Moderate ranking is applicable for servers rather than the Critical ranking which is for clients.

For those of you who may track these vulnerabilities by KB number, the numbers for the referenced Important vulnerabilities in this section are:

  • KB 3193479 MS16-140 Security Update For Boot Manager
  • KB 3193706 MS16-134 Security Update for Common Log File System Driver
  • KB 3198467 MS16-128 Cumulative Security Update for Internet Explorer
  • KB 3199057 MS16-129 Cumulative Security Update for Microsoft Edge
  • KB 3199120 MS16-132 Security Update for Microsoft Graphics Component
  • KB 3199135 MS16-135 Security Update for Kernel-Mode Drivers
  • KB 3199168 MS16-133 Security Update for Microsoft Office
  • KB 3199172 MS16-130 Security Update for Microsoft Windows
  • KB 3199173 MS16-137 Security Update for Windows Authentication Methods
  • KB 3199641 MS16-136 Security Update for SQL Server
  • KB 3199647 MS16-138 Security Update to Microsoft Virtual Hard Drive
  • KB 3199720 MS16-139 Security Update for Windows Kernel

Bulletins Rated Moderate
Microsoft bulletins MS16-128 & 129 appear above in the list of Critical bulletins, and MS 16-136 appears in the Important bulletin section. These bulletins also contain information regarding Moderate patches and it is highly suggested that you read all of the information in all three of these bulletins.

Coverage
In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort SIDs:

40645-40694

40701-40706

40711-40726

40729 & 40730