SANS ISC: Microsoft Patch Tuesday, August 2016

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Today, Microsoft released a total of 9 security bulletins. 5 of the bulletins are rated "critical", the rest are rated "important".

You can find our usual summary here:  https://isc.sans.edu/mspatchdays.html?viewday=2016-08-09 (or via the API in various parsable formats)

Some of the highlights:

MS16-095/096: The usual Internet Explorer and Edge patches. Microsoft addresses nine vulnerabilities for Internet Explorer, and 8 for Edge. Note that there is a lot of overlap. Kind of makes you wonder how much Edge differs from Internet Explorer.

MS16-097: This patches three vulnerabilities in Microsoft Windows' Graphics Component. The vulnerabilities can be reached via Skype for Business or Lync.

MS16-098: 4 more privilege escalation flaws in Window's kernel mode drivers. 

MS16-099: This update patches five vulnerabilities in Microsoft Office. Note that Office for the Mac is affected as well. So is the Word Viewer.

MS16-100: The patch fixes a vulnerability that would allow bypassing of Secure Boot. Note that this update MAY affect dual boot of systems that use operating systems other than Windows.

MS16-101: Two similar vulnerabilities, affecting Kerberos nad Netlogon, are addressed in this update. Exploitation could lead to privilege escalation

MS16-102: In recent versions of Windows, Microsoft started to use its own PDF library. Sadly, it is vulnerable just like any other PDF library, and this update addresses one new vulnerability. Note that Microsoft does provide hints in the bulletin about how to disable rendering of PDFs in Edge. I am not sure if this is a good idea, but something you may want to consider.

MS16-103: This vulnerability only affects the "Universal" edition of Outlook, and could lead to data leakage.

My Patch Priority:

(I see it as really three groups: 1-5: remote code execution vulnerabilities, 6-7: Privilege Escalation, 8-9: others... Within each group it is difficult to prioritize)

1. MS16-095 Internet Explorer: Probably the widest history of exploits and largest attack surface
2. MS16-096 Edge: Just like above, but users typically still prefer Internet Explorer.
3. MS16-099 Office: Hard to tell users not to open Office documents.
4. MS16-102 PDF Library: Just like Office documents, it is hard to eliminate PDFs​
5. MS16-097 Graphics Component: Not as easy to exploit as the prior components, so I rate it a bit lower.
6. ​MS16-101 Authentication Methods:  "Only" a privilege escalation, and not remotely reachable if you lock down your perimeter.
7. MS16-098 Kernel Mode Drivers: I rate this one lower as it is only a privilege escalation, and there are probably 100s more that have not been patched yet.
8. MS16-103 Universal Outlook: This one is difficult to exploit and only affects a smaller number of users.
9. MS16-100 Secure Boot: While this could lead to a full/persistent compromise, the attacker first needs to get to the system, which is why I think you should patch this one last.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn