Authored by Vladimir Ceric
This Tuesday's update addresses 49 vulnerabilities within 10 security bulletins, of which five are rated as critical, and four of them are zero-day flaws.
After the start of the announced changes on the way patches are delivered on Patch Tuesday, which we covered in our yesterday's blog post, Microsoft has released the security bulletins for October 2016. Among affected products are Edge, Internet Explorer, Office, Windows, Skype for Business, and of course Adobe Flash Player, and most of the critical updates are for Remote Code Execution issues.
Critical Updates
MS16-118 (KB 3192887) This is a cumulative security update for Internet Explorer fixing issues which could allow remote code execution if a user views a specially crafted webpage using IE9, 10 or 11, gaining the attacker the same user rights as the current user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The update addresses the vulnerabilities by correcting how Internet Explorer handles objects in memory and namespace boundaries.
MS16-119 (KB 3192890) This is a similar cumulative security update like the previous one, this time for Edge browser, resolving remote code execution issues on Windows 10-based computers using Edge as a primary browser.
The patch modifies how Microsoft Edge and certain functions, like the Chakra JavaScript scripting engine, handle objects in memory, and restricts what information is returned to Microsoft Edge. It also changes the way Microsoft Browsers store credentials in memory and handle namespace boundaries, and corrects how Microsoft Edge Content Security Policy validates documents.
MS16-120 (KB 3192884) Yet another critical fix for remote code execution, but this time for the Microsoft Graphics Component, and it resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync.
This update is rated critical for all supported Windows versions, Office 2007 and 2010, Lync/Skype for Business 2010, 2013 and 2016, .NET Framework and Silverlight, and it addresses the vulnerabilities by correcting how the Windows font library handles embedded fonts.
Since it affects Windows operating systems since Vista SP2 and Server 2008 SP2 until Windows 10, including Windows RT 8.1, and covers seven vulnerabilities verified by CVE, this patch should not be taken lightly. Also, this is the only zero-day vulnerability on this batch which there were already registered exploits.
MS16-122 (KB 3195360) This vulnerability could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user. Of course, if the user is logged on with administrative user rights, an attacker could take control of the affected system.
This security update is rated Critical for Windows Vista, 7, 8.1, RT 8.1, and Windows 10, and it fixes the vulnerability by correcting how Microsoft Video Control handles objects in memory.
MS16-127 (KB 3194343) And, as usual, this Patch Tuesday brought another update for Adobe Flash Player. It updates the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge, on all supported editions of Windows 8.1, RT 8.1, 10, and on Windows Server 2012 and 2012 R2.
The patch covers a set of 13 CVE vulnerabilities, described in Adobe Security Bulletin APSB16-32, and there are several known workarounds and mitigation actions for these issues. Apart from blocking Adobe Flash Player completely, of course.
Important Updates
MS16-121 (KB 3194063) This update resolves an Office RTF remote code execution vulnerability which exists in Microsoft Office, when the Office software fails to properly handle RTF files. It affects Office 2007, 2010, 2013 (including the RT version), 2016, Office for Mac 2011 and 2016, and some other Office apps and services, such as SharePoint Server 2010 and 2013.
An attacker who would successfully exploit this memory corruption vulnerability could run arbitrary code as the current user, and the update fixes the issue by changing the way Microsoft Office apps handle RTF content.
MS16-123 (KB 3192892) This security update resolves several vulnerabilities in various editions of Microsoft Windows, from Vista to 10 and Servers 2008 and 2012, where the more severe ones could allow elevation of privilege of an attacker.
Microsoft has not identified any mitigating factors or workarounds for these five CVE vulnerabilities, and this security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.
MS16-124 (KB 3193227) Like the previous one, this update fixes a vulnerability that allows attackers to perform unauthorized privilege elevation and gain access to registry information, and corrects it by changing the way how the kernel API restricts access to this information.
It applies to variants of Microsoft operating systems from Windows Vista SP2 to Windows 10, and addresses four known CVE vulnerabilities, all marked as important.
MS16-125 (KB 3193229) This security update is rated Important for all supported editions of Windows 10, and resolves a vulnerability which could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
The security update addresses this vulnerability by correcting how the Windows Diagnostics Hub Standard Collector Service sanitizes input, to help preclude unintended elevated system privileges.
MS16-126 (KB 3196067) The last update in today's batch is marked as Moderate, and addresses an information disclosure vulnerability, when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploits this vulnerability could test for the presence of files on disk, but for an attack to be successful an attacker must persuade a user to open a malicious website.
The security update affects Windows Vista, 7, Server 2008 and 2008 R2, and is rated moderate on client and low on server operating systems. Also, note that you must install two updates to be protected from this vulnerability: this one, and the update in MS16-118.
You will find more details about all the updates listed above in the Security Bulletin Summary for October 2016.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
