Hello everyone,

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for September 13, 2016.

 

Welcome to the September Patch Tuesday update. This was a busy month: Microsoft released a total of fourteen (14) new security bulletins, including one for Adobe Flash. Seven (7) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining seven (7) are rated Important.

 

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

 

This month’s patches include the following:

| Bulletin Number | KB Number | Title | Bulletin Rating (highest) | Vulnerability Impact | McAfee Labs Security Advisory Number | Intel Security Coverage |
|---|---|---|---|---|---|---|
| MS16-104 | 3183038 | Cumulative Security Update for Internet Explorer | Critical | Memory Corruption, Information Disclosure, Elevation of Privilege, Security Bypass | MTIS16-049 | Covered Products: NSP, Application Control, BOP, Host IPS, Vulnerability Manager. Under Analysis: Web Gateway, DAT, Firewall Enterprise. |
| MS16-105 | 3183043 | Cumulative Security Update for Microsoft Edge | Critical | Memory Corruption, Information Disclosure | MTIS16-049 | Covered Products: NSP, Application Control, Vulnerability Manager. Under Analysis: Web Gateway, DAT, Firewall Enterprise. |
| MS16-106 | 3185848 | Security Update for Microsoft Graphics Component | Critical | Remote Code Execution, Elevation of Privileges, Information Disclosure | MTIS16-050 | Covered Products: Application Control, Host IPS, NSP, Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS16-107 | 3185852 | Security Update for Office | Critical | Memory Corruption, Security Bypass, Information Disclosure, Spoofing | MTIS16-050 | Covered Products: Application Control, NSP, Host IPS, Vulnerability Manager, BOP. Under Analysis: Web Gateway, DAT, Firewall Enterprise. |
| MS16-108 | 3185883 | Security Update for Microsoft Exchange Server | Critical | Open Redirect, Information Disclosure, Elevation of Privileges | MTIS16-050 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS16-109 | 3182373 | Security Update for Silverlight | Important | Memory Corruption | MTIS16-050 | Covered Products: Application Control, Vulnerability Manager, BOP, Host IPS. Under Analysis: Firewall Enterprise. |
| MS16-110 | 3178467 | Security Update for Windows | Important | Elevation of Privilege, Information Disclosure, Remote Code Execution, Denial of Service | MTIS16-051 | Covered Products: NSP, Web Gateway, BOP, Application Control, Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS16-111 | 3186973 | Security Update for Windows Kernel | Important | Elevation of Privilege | MTIS16-051 | Covered Products: NSP, Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS16-112 | 3178469 | Security Update for Windows Lock Screen | Important | Elevation of Privilege | MTIS16-051 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS16-113 | 3185876 | Security Update for Windows Secure Kernel Mode | Important | Information Disclosure | MTIS16-051 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS16-114 | 3185879 | Security Update for Windows SMBv1 Server | Important | Remote Code Execution | MTIS16-051 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise, Web Gateway. |
| MS16-115 | 3188733 | Security Update for Windows PDF Library | Important | Remote Code Execution | MTIS16-051 | Covered Products: NSP, Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS16-116 | 3188724 | Security Update in OLE Automation for VBScript Scripting Engine | Critical | Information Disclosure | MTIS16-051 | Covered Products: Application Control, BOP, Host IPS, NSP, Vulnerability Manager. Under Analysis: Firewall Enterprise, Web Gateway, DAT. |
| MS16-117 | 3188128 | Security Update for Adobe Flash Player | Critical | N/A | N/A | Covered Products: Not Tested. Under Analysis: Not Tested. |

Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS16-104 (CVE-2016-3247, 3291, 3292, 3295, 3297, 3324, 3325, 3351, 3353, and 3375)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system.

This security update is rated Critical for Internet Explorer 9 (IE 9) and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

The update addresses the vulnerabilities by correcting how Internet Explorer handles:

  • zone and integrity settings.
  • cross-origin content.
  • objects in memory.
  • .URL files.

MS16-105 (CVE-2016-3247, 3291, 3294, 3295, 3297, 3325, 3330, 3350, 3351, 3370, 3374, and 3377)

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

The update addresses the vulnerabilities by:

  • modifying how Microsoft Edge and certain functions handle objects in memory.
  • modifying how the Chakra JavaScript scripting engine handles objects in memory.
  • correcting how Microsoft Edge handles cross-origin requests.
  • ensuring that Microsoft Edge properly implements the Address Space Layout Randomization (ASLR) security feature.
  • helping to ensure that Microsoft Edge properly validates page content.

MS16-106 (CVE-2016-3348, 3349, 3354, 3355, and 3356)

The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for supported editions of Windows 10 Version 1607 and rated Important for all other supported releases of Windows.

The security update addresses the vulnerabilities by correcting how certain Windows kernel-mode drivers and the Windows Graphics Device Interface (GDI) handle objects in memory and by preventing instances of unintended user-mode privilege elevation.

MS16-107 (CVE-2016-0137, 0141, 3357 through 3366, and 3381)

The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.

The security update addresses the vulnerabilities by correcting how:

  • Microsoft Office saves documents.
  • Click-to-Run components handle memory addresses.
  • affected versions of Office and Office components handle objects in memory.
  • Microsoft Outlook determines the end of MIME messages.

MS16-108 (CVE-2016-0138, 3378, and 3379)

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow remote code execution in some Oracle Outside In libraries that are built into Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server.

 

The security update addresses the vulnerabilities by correcting how Microsoft Exchange:

  • parses certain unstructured file formats.
  • handles open redirect requests.
  • handles Microsoft Outlook meeting invitation requests.

MS16-109 (CVE-2016-3367)

The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application. It affects Silverlight 5 and the developer runtime, on Mac and on all versions of Windows.

The update addresses the vulnerability by correcting how Microsoft Silverlight allocates memory for inserting and appending strings in StringBuilder.

 

MS16-110 (CVE-2016-3346, 3352, 3368, and 3369)

The vulnerabilities could allow remote code execution if an attacker creates a specially crafted request and executes arbitrary code with elevated permissions on a target system. Itanium servers are not affected.

The security update addresses the vulnerabilities by:

  • correcting how Windows enforces permissions.
  • preventing NT LAN Manager (NTLM) Single Sign-On (SSO) authentication to non-private SMB resources when users are signed in to Windows via a Microsoft Account (https://www.microsoft.com/account) and connected to a “Guest or public networks” firewall profile.
  • correcting how Windows handles objects in memory.

MS16-111 (CVE-2016-3305, 3306, 3371, 3372, and 3373)

The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application on a target system.

The security update addresses the vulnerabilities by correcting how Windows handles session objects, and by correcting how the Windows Kernel API enforces user permissions and restricts access to user information.

 

MS16-112 (CVE-2016-3302)

The vulnerability could allow elevation of privilege if Windows improperly allows web content to load from the Windows lock screen.

This vulnerability does NOT affect Windows 7 and older machines.

The security update addresses the vulnerability by correcting the behavior of the Windows lock screen to prevent unintended web content from loading.

 

MS16-113 (CVE-2016-3344)

The vulnerability could allow information disclosure when Windows Secure Kernel Mode improperly handles objects in memory.

The security update addresses the vulnerability by correcting how Windows handles objects in memory to prevent information disclosure.

 

MS16-114 (CVE-2016-3345)

On Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, the vulnerability could allow remote code execution if an authenticated attacker sends specially crafted packets to an affected Microsoft Server Message Block 1.0 (SMBv1) Server. The vulnerability does not impact other SMB Server versions. Later operating systems are also affected, but on those the potential impact is denial of service.

The security update addresses the vulnerability by correcting how the Microsoft SMBv1 Server handles specially crafted requests.

 

MS16-115 (CVE-2016-3370 and 3374)

The vulnerabilities could allow information disclosure if a user views specially crafted PDF content online or opens a specially crafted PDF document.

The security update addresses the vulnerabilities by correcting how certain functions handle objects in memory.

 

MS16-116 (CVE-2016-3375)

The vulnerability could allow remote code execution if an attacker successfully convinces a user of an affected system to visit a malicious or compromised website. Note that you must install two updates to be protected from the vulnerability discussed in this bulletin: The update in this bulletin, MS16-116, and the update in MS16-104.

This security update, in conjunction with the Internet Explorer update in MS16-104, addresses the vulnerability by correcting how the Microsoft OLE Automation mechanism and the VBScript Scripting Engine in Internet Explorer handle objects in memory.

MS16-117 (N/A)

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

 

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

 

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:

You can also review the Microsoft Summary for September 2016 at the Microsoft site.

 

Safe Computing!

Thank you,

Kelly Housman