Microsoft Patch Tuesday, October 2016

October has arrived with seasonal changes and a new Microsoft Patch Tuesday. This Patch Tuesday brings with it 10 bulletins with a total of 36 unique CVE's, definitely a step back from September's massive list, but also not a light month by any measure. Six of the bulletins are rated Critical and is mostly a list of our usual suspects, namely Internet Explorer, Edge, Graphics Component, Adobe Flash and the Microsoft Office suite. The sixth Critical bulletin is in Windows Object Linking and Embedding (OLE). The vulnerability allows an attacker to execute arbitrary code in the context of the victim's account by tricking the victim into opening a specific email or visiting a website.

Three of the bulletins are rated as Important and all of them are privilege escalation vulnerabilities of some kind. Finally there is the single rare appearance of a Moderate bulletin. This bulletin affects two DLLs (inetres.dll and inetcomm.dll) and exploiting a bug in them would allow an attacker to test for the presence of files on a file system. Attackers often test for file presence during an attack. For instance the technique is often used to test for the presence of anti-virus software or security research tools like sandboxes. If such tools or protections are discovered the exploit will simply not execute in order to prevent detection.

Below is a breakdown of each bulletin. Happy Patching and see you next month!

MS16-118
CVE-2016-3383, CVE-2016-3385, CVE-2016-3267, CVE-2016-3298, CVE-2016-3331, CVE-2016-3382, CVE-2016-3387, CVE-2016-3388, CVE-2016-3384, CVE-2016-3390, CVE-2016-3391
Critical
Cumulative Security Update for Internet Explorer

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

MS16-119
CVE-2016-3267, CVE-2016-3331, CVE-2016-3382, CVE-2016-3386, CVE-2016-7189, CVE-2016-7190, CVE-2016-7194, CVE-2016-3387, CVE-2016-3388, CVE-2016-3389, CVE-2016-3390, CVE-2016-3391, CVE-2016-3392
Critical
Cumulative Security Update for Microsoft Edge

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

MS16-120
CVE-2016-3209, CVE-2016-3262, CVE-2016-3263, CVE-2016-3270, CVE-2016-3393, CVE-2016-7182, CVE-2016-3396
Critical
Security Update for Microsoft Graphics Component

This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for:

  • All supported releases of Microsoft Windows
  • Affected editions of Microsoft Office 2007 and Microsoft Office 2010
  • Affected editions of Skype for Business 2016, Microsoft Lync 2013, and Microsoft Lync 2010

This security update is rated Important for:

  • Affected editions of Microsoft .NET Framework
  • Affected editions of Silverlight

MS16-121
CVE-2016-7193
Critical
Security Update for Microsoft Office

This security update resolves vulnerabilities in Microsoft Office. An Office RTF remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle RTF files. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The update addresses the vulnerability by changing the way Microsoft Office software handles RTF content.

See full Microsoft bulletin for affected versions of Microsoft Office.

MS16-122
CVE-2016-0142
Critical
Security Update for Windows Object Linking and Embedding (OLE)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Windows OLE fails properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.

The security update affects all supported releases of Microsoft Windows and is rated Critical on client operating systems and Moderate on servers.

MS16-123
CVE-2016-3266, CVE-2016-3341, CVE-2016-3376, CVE-2016-7185, CVE-2016-7211
Important
Security Update for Kernel-Mode Drivers

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

This security update is rated Important for all supported releases of Windows

MS16-124
CVE-2016-0070, CVE-2016-0073, CVE-2016-0075, CVE-2016-0079
Important
Security Update for Windows Registry

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker can access sensitive registry information.

This security update is rated Important for all supported releases of Microsoft Windows

MS16-125
CVE-2016-7188
Important
Security Update for Diagnostic Hub

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

This security update is rated Important for all supported editions of Windows 10.

MS16-126
CVE-2016-3298
Moderate
Internet Explorer Information Disclosure Vulnerability

This security update resolves a vulnerability in Microsoft Windows. An information disclosure vulnerability exists when the inetres.dll and inetcomm.dll drivers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could test for the presence of files on disk.

This security update is rated Moderate for all supported releases of Windows. For more information, see the Affected Software section.

The security update affects Microsoft Windows Vista, Windows Server 2008, Windows 7 and Windows Sever 2008 R2 and is rated important on client and server operating systems.

MS16-127
APSB16-32
Critical
Security Update for Adobe Flash Player

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

EDIT 10/11: In MS16-123, CVE-2016-7191 has been changed to CVE-2016-7211.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.