Major Changes Ahead for Patch Tuesday
Today Microsoft have released 10 bulletins in total of which 5 are rated Critical, 4 are rated Important and a single is rated Moderate. Our clients need to be aware of a change in release strategy announced by Microsoft today which has been branded ‘patchocalypse’ by many Microsoft users. Their aim is to combine all updates into a single deployment package instead of issuing individual patches to remediate individual vulnerabilities, however it is not envisaged that all parts of their anticipated “rollup” be completed until early 2017.
However, we do not expect this to be a major disadvantage. It offers a major improvement in efficiency as it means less content to scan and less singular patch binaries to deploy throughout your environment, which in turn makes securing your environment easier – something which is already being done on the Windows 10 operating systems.
One of the downsides we can see is the ability to “rollback” an individual patch should an issue occur. In this new form, if any patch causes an issue on your systems then the only choice you have is to exclude the entire rollup. Robert Brown, Director of Services for Verismic says, “This is a really challenging time for an IT Security Officer. On the one hand you have to balance the safety of your network, and on the other you have to ensure any deployments do not significantly impact your helpdesk with undesired negative issues caused by that patch deployment. You may delay a while to see if any issues become public but in our experience, nothing beats a rigorous & transparent test plan.” Further details of this process can be found here.
Microsoft Office KB Updates
Last week Microsoft released 17 KB updates covering Office versions 2013 & 2016. This is one of the smallest releases we have seen for a while, possibly due because of the amount of work Microsoft have been spending to prepare for the patch rollup process above. Full details of that release can be found here.
Urgent Adobe Flash Update Needed
Earlier this week Adobe have released a patch called APSB16-25 to resolve issues with Flash Player on both Windows, OS X and Linux which allows attackers to execute arbitrary code via unspecified vectors. This vulnerability has been rated CVSS 10, if you have not already made preparations to deploy this update please start those immediately without delay. This particular vulnerability is a nasty one as it can exploit your systems over a network and does not require any authentication – meaning any user at any time.
| Bulletin ID | Description | Impact | Restart Requirement | Publically Disclosed | Exploited | Severity | CVSS Score |
| MS16-118 | Cumulative Security Update for Internet Explorer (3192887)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
Remote Code Execution | Yes | No | Yes | Critical | 9.3 |
| MS16-119 | Cumulative Security Update for Microsoft Edge (3192890)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.
|
Remote Code Execution | Yes | No | Yes | Critical | 9.3 |
| MS16-120 | Security Update for Microsoft Graphics Component (3192884)
This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, Silverlight, and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
|
Remote Code Execution | Yes | No | Yes | Critical | 9.3 |
| MS16-121 | Security Update for Microsoft Office (3194063)
This security update resolves a vulnerability in Microsoft Office. An Office RTF remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle RTF files. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
|
Remote Code Execution | Maybe | No | Yes | Critical | 9.3 |
| MS16-122 | Security Update for Microsoft Video Control (3195360)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.
|
Remote Code Execution | Yes | No | No | Critical | 9.3 |
| MS16-123 | Security Update for Windows Kernel-Mode Drivers (3192892)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
|
Elevation of Privilege | Yes | No | No | Critical | 7.2 |
| MS16-124 | Security Update for Windows Registry (3193227)
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker can access sensitive registry information.
|
Elevation of Privilege | Yes | No | No | Important | 1.7 |
| MS16-125 | Security Update for Diagnostics Hub (3193229)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
|
Elevation of Privilege | Yes | No | No | Important | 7.2 |
| MS16-126 | Security Update for Microsoft Internet Messaging API (3196067)
This security update resolves a vulnerability in Microsoft Windows. An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploited this vulnerability could test for the presence of files on disk.
|
Information Disclosure | Yes | No | Yes | Moderate | 4.3 |
| MS16-127 | Security Update for Adobe Flash Player (3194343)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
|
Remote Code Execution | Yes | NA | NA | Critical | NA |
