Hello everyone,

Again, apologies for the delay on this. Here is the completed Patch Tuesday newsletter for July.

 

Welcome to the July Patch Tuesday update. This was an average month: Microsoft released a total of eleven (11) new security bulletins, including one for Adobe Flash. Five (5) of these are rated Critical, the type of vulnerability that system administrators are usually most concerned about and attempt to patch as quickly as possible. The remaining six (6) are rated Important.

 

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

 

  This month’s patches include the following:

| Bulletin Number | KB Number | Title | Bulletin Rating (highest) | Vulnerability Impact | McAfee Labs Security Advisory Number | Intel Security Coverage |
|---|---|---|---|---|---|---|
| MS16-084 | 3169991 | Cumulative Security Update for Internet Explorer | Critical | Memory Corruption; Security Bypass; Information Disclosure; Browser Spoofing | MTIS16-044 | Covered Products: NSP, Application Control, BOP, Host IPS, Vulnerability Manager. Under Analysis: Web Gateway, DAT, Firewall Enterprise |
| MS16-085 | 3169999 | Cumulative Security Update for Microsoft Edge | Critical | Memory Corruption; Security Bypass; Information Disclosure; Browser Spoofing | MTIS16-045 | Covered Products: NSP, Application Control, Vulnerability Manager. Under Analysis: Web Gateway, DAT, Firewall Enterprise |
| MS16-086 | 3169996 | Security Update for JScript and VBScript | Critical | Memory Corruption | MTIS16-046 | Covered Products: Application Control, BOP, Host IPS, Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-087 | 3170005 | Security Update for the Microsoft Print Spooler | Critical | Remote Code Execution; Print Spooler Elevation of Privilege | MTIS16-046 | Covered Products: NSP, Application Control, Vulnerability Manager. Under Analysis: Web Gateway, DAT, Firewall Enterprise |
| MS16-088 | 3170008 | Security Updates for Office | Important | Memory Corruption; Remote Code Execution | MTIS16-046 | Covered Products: NSP, Application Control, BOP, Host IPS, Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-089 | 3170050 | Security Update for Windows Secure Kernel Mode | Important | Secure Kernel Information Disclosure | MTIS16-046 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-090 | 3171481 | Security Update for Windows Kernel-Mode Drivers | Important | Elevation of Privilege; GDI Information Disclosure | MTIS16-046 | Covered Products: NSP, Host IPS, Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-091 | 3170048 | Security Update for .Net Framework | Important | .NET Information Disclosure | MTIS16-046 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-092 | 3171910 | Security Update for Windows Kernel | Important | File System Security Feature Bypass; Kernel Information Disclosure | MTIS16-046 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-094 | 3177404 | Security Update for Secure Boot | Important | Secure Boot Security Bypass Feature | MTIS16-046 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-093 | 3174060 | Security Update for Adobe Flash | Critical | Security Update for Adobe Flash Player | N/A | N/A |

Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS16-084 (CVE-2016-3204, 3240, 3241, 3242, 3243, 3245, 3248, 3259, 3261, 3273, 3274, 3276, and 3277)

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The update addresses the vulnerabilities by:

  • Modifying how Internet Explorer handles objects in memory
  • Modifying how the JScript and VBScript scripting engines handle objects in memory
  • Correcting how the Microsoft Browser XSS Filter validates JavaScript
  • Changing how certain functions in Internet Explorer handle objects in memory
  • Correcting how Internet Explorer parses HTML


MS16-085 (CVE-2016-3244, 3246, 3248, 3259, 3260, 3265, 3269, 3271, 3273, 3274, 3276, and 3277)

The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

The update addresses the vulnerabilities by:

  • Ensuring that Microsoft Edge properly implements Address Space Layout Randomization (ASLR)
  • Modifying how Microsoft Edge handles objects in memory
  • Modifying how the Chakra JavaScript scripting engine handles objects in memory
  • Changing the way certain functions handle objects in memory
  • Fixing how the Microsoft Browser XSS Filter validates JavaScript
  • Correcting how the Microsoft browser parses HTTP responses
  • Correcting how Microsoft Edge parses HTML


MS16-086 (CVE-2016-3204)
The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system.

The update addresses the vulnerability by modifying how the JScript and VBScript scripting engines handle objects in memory.

 

MS16-087 (CVE-2016-3238 and 3239)

The more severe of the vulnerabilities could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network.

The update addresses the vulnerabilities by:

  • Correcting how the Windows Print Spooler service writes to the file system
  • Issuing a warning to users who attempt to install untrusted printer drivers


MS16-088 (CVE-2016-3278 through 3284)

The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how:

  • Office handles objects in memory
  • Certain functions handle objects in memory
  • Windows validates input before loading libraries


MS16-089 (CVE-2016-3256)

The vulnerability could allow information disclosure when Windows Secure Kernel Mode improperly handles objects in memory. This security update is rated Important for all supported releases of Windows 10.

The security update addresses the vulnerabilities by correcting how:

  • The Windows kernel-mode driver handles objects in memory.
  • The Windows GDI component handles objects in memory.

 

MS16-090 (CVE-2016-3249, 3250, 3251, 3252, 3254, and 3286)

The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory, and by correcting VPCI memory handling.

MS16-091 (CVE-2016-3255)

The vulnerability could cause information disclosure if an attacker uploads a specially crafted XML file to a web-based application.

The update addresses the vulnerability by modifying the way that the XML External Entity (XXE) parser parses XML input.
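
As a defense-in-depth measure alongside the patch, a web application that accepts XML uploads can refuse any document carrying a DTD before its content is processed. The following is an added example, not code from Microsoft or from this bulletin; the class and method names (UploadXmlCheck, TryParseUpload) and both sample documents are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

static class UploadXmlCheck
{
    // Reader settings for XML that arrives from an untrusted upload.
    static XmlReaderSettings HardenedSettings()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> raises XmlException
            XmlResolver = null                      // never fetch external resources
        };
    }

    // Returns true and the root element name when the upload parses cleanly;
    // returns false and the parser's message when it is rejected.
    public static bool TryParseUpload(string xml, out string rootName, out string error)
    {
        rootName = null;
        error = null;
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
            {
                reader.MoveToContent();
                string name = reader.Name;
                while (reader.Read()) { }   // walk the whole document so late errors surface
                rootName = name;
                return true;
            }
        }
        catch (XmlException ex)
        {
            error = ex.Message;
            return false;
        }
    }

    static void Main()
    {
        // Constructed samples: one plain document, one declaring an external entity.
        string benign = "<order><id>42</id></order>";
        string withDtd = "<!DOCTYPE order [<!ENTITY ext SYSTEM \"http://example.invalid/placeholder\">]>"
                       + "<order><id>&ext;</id></order>";
        foreach (var doc in new[] { benign, withDtd })
        {
            string root, err;
            bool ok = TryParseUpload(doc, out root, out err);
            Console.WriteLine(ok ? "accepted, root=" + root : "rejected: " + err);
        }
    }
}
```

Rejected uploads are worth logging with the source account and address, since legitimate clients of most upload endpoints never send a DOCTYPE.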

 

MS16-092 (CVE-2016-3258 and 3272)

The most severe of the vulnerabilities could allow security feature bypass if the Windows kernel fails to determine how a low integrity application can use certain object manager features.

The security update addresses the vulnerabilities by adding a validation check to the Windows kernel that determines how a low integrity application can use certain object manager features, and by correcting how the Windows kernel handles certain page fault system calls.

 

MS16-094 (CVE-2016-3287)

The vulnerability could allow Secure Boot security features to be bypassed if an attacker installs an affected policy on a target device. An attacker must have either administrative privileges or physical access to install a policy and bypass Secure Boot.

The security update addresses the vulnerability by blacklisting affected policies.

 

MS16-093 (N/A)

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

 

 

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

 

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

For additional useful security information, please make note of the following links:

 

You can also review the Microsoft Summary for June 2016 at the Microsoft site.

 

Safe Computing!

Thank you,

Kelly Housman