Hello everyone,

   

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for June 2016.

   

Welcome to the June Patch Tuesday update. This is another busy month: Microsoft released a total of sixteen (16) new security bulletins! For this month, five (5) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining eleven (11) are rated Important.

   

Clarification of the Intel Security Coverage column in the table below

  Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

 

This month’s patches include the following:

 

| Bulletin Number | KB Number | Title | Bulletin Rating (highest) | Vulnerability Impact | McAfee Labs Security Advisory Number | Intel Security Coverage |
|---|---|---|---|---|---|---|
| MS16-063 | 3163649 | Cumulative Security Update for Internet Explorer | Critical | Memory Corruption; Elevation of Privilege | MTIS16-042 | Covered Products: Vulnerability Manager, NSP, Application Control, BOP, Host IPS, Web Gateway. Under Analysis: Web Gateway, DAT, Firewall Enterprise |
| MS16-068 | 3163656 | Cumulative Security Update for Microsoft Edge | Critical | Memory Corruption; Security Bypass; PDF Information Disclosure | MTIS16-042 | Covered Products: Vulnerability Manager, NSP, Application Control. Under Analysis: Firewall Enterprise, DAT, Web Gateway |
| MS16-069 | 3163640 | Security Update for JScript and VBScript | Critical | Memory Corruption | MTIS16-042 | Covered Products: Vulnerability Manager, Host IPS, NSP, BOP, Application Control. Under Analysis: Firewall Enterprise, DAT, Web Gateway |
| MS16-070 | 3163610 | Security Update for Microsoft Office | Critical | Memory Corruption; Information Disclosure; DLL Side Loading | MTIS16-042 | Covered Products: Vulnerability Manager, NSP, BOP, Host IPS, Application Control. Under Analysis: Firewall Enterprise, DAT, Web Gateway |
| MS16-071 | 3164065 | Security Update for Microsoft Windows DNS Server | Critical | Use After Free | MTIS16-042 | Covered Products: Vulnerability Manager, BOP, Host IPS, Application Control. Under Analysis: Firewall Enterprise |
| MS16-072 | 3163622 | Security Update for Group Policy | Important | Elevation of Privilege | MTIS16-043 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-073 | 3164028 | Security Update for Windows Kernel Mode Drivers | Important | Elevation of Privilege; Virtual PCI Information Disclosure | MTIS16-043 | Covered Products: Vulnerability Manager, Host IPS, NSP. Under Analysis: Firewall Enterprise |
| MS16-074 | 3164036 | Security Update for Microsoft Graphics Component | Important | Information Disclosure; Elevation of Privilege | MTIS16-043 | Covered Products: Vulnerability Manager, NSP. Under Analysis: Firewall Enterprise |
| MS16-075 | 3164038 | Security Update for Windows SMB Server | Important | Elevation of Privilege | MTIS16-043 | Covered Products: Vulnerability Manager, NSP. Under Analysis: Firewall Enterprise |
| MS16-076 | 3167691 | Security Update for Netlogon | Important | Memory Corruption; Remote Code Execution | MTIS16-043 | Covered Products: Vulnerability Manager, Host IPS, BOP, Application Control. Under Analysis: Firewall Enterprise |
| MS16-077 | 3165191 | Security Update for Web Proxy Autodiscovery (WPAD) | Important | Elevation of Privilege | MTIS16-043 | Covered Products: Vulnerability Manager, NSP. Under Analysis: Firewall Enterprise |
| MS16-078 | 3165479 | Security Update for Windows Diagnostic Hub | Important | Elevation of Privilege | MTIS16-043 | Covered Products: Vulnerability Manager, NSP. Under Analysis: Firewall Enterprise |
| MS16-079 | 3160339 | Security Update for Microsoft Exchange | Important | Information Disclosure | MTIS16-043 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-080 | 3164302 | Security Update for Windows PDF | Important | Information Disclosure; Remote Code Execution | MTIS16-043 | Covered Products: Vulnerability Manager, NSP. Under Analysis: Firewall Enterprise |
| MS16-081 | 3164063* | Security Update for Active Directory | Important | Denial of Service | MTIS16-043 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-082 | 3165270 | Security Update for Microsoft Windows StructuredQuery Component | Important | Denial of Service | MTIS16-043 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise |

 

* As of this posting, this KB article hadn’t been posted. The link should work once Microsoft posts the related KB.

 

Let’s take a closer look at each of the Microsoft Security Bulletins:


MS16-063 (CVE-2016-0199, 0200, 3205, 3205, 3206, 3207, 3210, 3211, 3212 and 3213)

  This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system.

  The update addresses the vulnerabilities by:

    • Modifying how Internet Explorer handles objects in memory
    • Modifying how the JScript and VBScript scripting engines handle objects in memory
    • Fixing how the Internet Explorer XSS Filter validates JavaScript
    • Correcting how Windows handles proxy discovery


MS16-068 (CVE-2016-3198, 3199, 3201, 3202, 3203, 3214, 3215, and 3222) 

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

The update addresses the vulnerabilities by:

    • Correcting how the Edge Content Security Policy (CSP) validates documents
    • Modifying how the Chakra JavaScript scripting engine handles objects in memory
    • Modifying how Windows parses .pdf files

 

MS16-069 (CVE-2016-3205, 3206, and 3207)

This security update resolves vulnerabilities in the JScript and VBScript scripting engines in Microsoft Windows. The vulnerabilities could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.

The update addresses the vulnerabilities by modifying how the JScript and VBScript scripting engines handle objects in memory.

 

MS16-070 (CVE-2016-0025, 3233, 3234, and 3235)

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.

The security update addresses the vulnerabilities by correcting how:

    • Office handles objects in memory
    • Certain functions handle objects in memory
    • Windows validates input before loading libraries


MS16-071 (CVE-2016-3227)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server.

The security update addresses the vulnerability by modifying how DNS servers handle requests.

 

MS16-072 (CVE-2016-3223)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.

The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP.

 

MS16-073 (CVE-2016-3218, 3221, and 3232)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory, and by correcting VPCI memory handling.


MS16-074 (CVE-2016-3216, 3219, and 3220)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if a user opens a specially crafted document or visits a specially crafted website.

The security update addresses the vulnerabilities by correcting how:

    • The Windows Graphics Component (GDI32.dll) handles objects in memory
    • The Windows kernel-mode driver (Win32k.sys) handles objects in memory and helps to prevent unintended elevation of privilege from user-mode
    • The Adobe Type Manager Font Driver (ATMFD.dll) handles objects in memory


MS16-075 (CVE-2016-3225) 

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application.

The security update addresses the vulnerability by correcting how Windows Server Message Block (SMB) Server handles credential forwarding requests.

 

MS16-076 (CVE-2016-3228)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to a domain controller (DC) on a target network runs a specially crafted application to establish a secure channel to the DC as a replica domain controller.

The update addresses the vulnerability by modifying how Netlogon handles the establishment of secure channels.

 

MS16-077 (CVE-2016-3213 and 3236)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process on a target system.

The update addresses the vulnerabilities by correcting how Windows handles proxy discovery and WPAD automatic proxy detection.

 

MS16-078 (CVE-2016-3231)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. This security update is rated Important for all supported editions of Microsoft Windows 10.

The security update addresses the vulnerability by correcting how the Windows Diagnostics Hub Standard Collector Service sanitizes input, to help preclude unintended elevated system privileges.

 

MS16-079 (CVE-2016-0028)

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted image URL in an Outlook Web Access (OWA) message that is loaded, without warning or filtering, from the attacker-controlled URL.

The security update addresses the vulnerabilities by correcting the way that Microsoft Exchange parses HTML messages.

 

MS16-080 (CVE-2016-3201, 3203, and 3215)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted .pdf file.

The update addresses the vulnerabilities by modifying how Windows parses .pdf files.

 

MS16-081 (CVE-2016-3226)

This security update resolves a vulnerability in Active Directory. The vulnerability could allow denial of service if an authenticated attacker creates multiple machine accounts. To exploit the vulnerability an attacker must have an account that has privileges to join machines to the domain.

The security update addresses the vulnerability by correcting how machine accounts are created.

 

MS16-082 (CVE-2016-3230)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker logs on to a target system and runs a specially crafted application.

The update addresses the vulnerability by correcting how the Windows Search component handles objects in memory.

 

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:

 

You can also review the Microsoft Summary for June 2016 at the Microsoft site.

 

Safe Computing!

Thank you,

Kelly Housman

  Note: I also send this posting out via email. If you would like to be added to the distribution list, please send an email to Kelly.Housman@intel.com.