Patch Tuesday Analysis - September 2016

Editor's Notes

• #6: NEARLY 50% OPEN E-MAILS AND CLICK ON PHISHING LINKS WITHIN THE FIRST HOUR.
• #10: Microsoft Announcement: https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/
• #11: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Exploited in Wild CVE-2016-3351 User Targeted - Privilege Management Mitigates Impact 
• #12: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. Ensure that your Internet Explorer version is at the latest for the OS you are installed on. Microsoft is only updating the latest version for each supported OS since January 2016. For details please see: https://support.microsoft.com/en-us/lifecycle#gp/Microsoft-Internet-Explorer Exploited in Wild CVE-2016-3351 User Targeted - Privilege Management Mitigates Impact Known issues with this security update Microsoft is aware of limited issues in which an ActiveX install may fail when using the ActiveX Installer Service (AXIS) with Internet Explorer 10 or Internet Explorer 11.Nonsecurity-related fixes that are included in this security update General distribution release (GDR) fixes Individual updates may not be installed, depending on your version of Windows and the version of the affected application. See the individual articles to determine your update status.3191335Background image is positioned incorrectly by using inline elements in Internet Explorer 11 or Microsoft Edge 3191336"Permission Denied" script error in Internet Explorer 11 3191337Print image fails on websites by using X-Frame-Options: SAMEORIGIN header in Internet Explorer 11 3191338The getBoundingClientRect() method returns an incorrect value in Internet Explorer 11 3191341"Print all linked documents" doesn't print all linked documents in Internet Explorer 11 Multiple Microsoft Internet Explorer Memory Corruption Vulnerabilities Multiple remote code execution vulnerabilities exist in the way that Internet Explorer accesses objects in memory. The vulnerabilities could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically via an enticement in email or instant message, or by getting them to open an email attachment. In addition to installing this update are there any further steps I need to carry out to be protected from CVE-2016-3375? Yes. Although protecting Windows 10 systems from CVE-2016-3375 requires no additional steps other than installing the September Windows 10 cumulative update, for all other affected operating systems installing the 3185319 cumulative update by itself does not fully protect against CVE-2016-3375 — you must also install security update 3184122 in MS16-116 to be fully protected from the vulnerability. I am running Internet Explorer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2. Does this mitigate these vulnerabilities? Yes. By default, Internet Explorer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server. This is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone. Can EMET help mitigate attacks that attempt to exploit these vulnerabilities? Yes. The Enhanced Mitigation Experience Toolkit (EMET) enables users to manage security mitigation technologies that help make it more difficult for attackers to exploit memory corruption vulnerabilities in a given piece of software. EMET can help mitigate attacks that attempt to exploit these vulnerabilities in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer.
• #13: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User targeted vulnerabilities – Privilege Management Mitigates Impact Multiple Microsoft Edge Memory Corruption Vulnerabilities Multiple remote code execution vulnerabilities exist in the way that Microsoft Edge handles objects in memory. The vulnerabilities could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities.
• #14: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. Multiple Win32k Elevation of Privilege Vulnerabilities Multiple elevation of privilege vulnerabilities exist in the way that certain Windows kernel-mode drivers handle objects in memory. An attacker who successfully exploited these vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit these vulnerabilities, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerabilities by correcting how certain Windows kernel-mode drivers handle objects in memory. GDI Remote Code Execution Vulnerability – CVE-2016-3356 A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerabilities: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to open an email attachment or click a link in an email or instant message. In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerabilities, and then convince users to open the document file.
• #15: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User targeted vulnerabilities – Privilege Management Mitigates Impact Note that where the severity is indicated as Critical in the Affected Software and Vulnerability Severity Ratings table, the Preview Pane is an attack vector for CVE-2016-3357. Multiple Microsoft Office Memory Corruption Vulnerabilities Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.
• #16: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted Why is Microsoft issuing a security update for vulnerabilities that are in third-party code, Oracle Outside In libraries? Microsoft licenses a custom implementation of the Oracle Outside In libraries, specific to the product in which the third-party code is used. Microsoft is issuing this security update to help ensure that all customers using this third-party code in Microsoft Exchange are protected from these vulnerabilities. For more information about these vulnerabilities, see Oracle Critical Patch Update Advisory – July 2016. Microsoft Exchange Information Disclosure Vulnerability – CVE-2016-0138 An information disclosure vulnerability exists in the way that Microsoft Exchange Server parses email messages. The vulnerability could allow an attacker to discover confidential user information that is contained in Microsoft Outlook applications. To exploit the vulnerability, an attacker could use "send as" rights to send a specially crafted message to a user. The security update addresses the vulnerabilities by correcting how Microsoft Exchange parses certain unstructured file formats. Microsoft Exchange Open Redirect Vulnerability – CVE-2016-3378 An open redirect vulnerability exists in Microsoft Exchange that could lead to Spoofing. To exploit the vulnerability, an attacker could send a link that has a specially crafted URL, and convince the user to click the link. When an authenticated Exchange user clicks the link, the authenticated user's browser session could be redirected to a malicious site that is designed to impersonate a legitimate website. By doing so, the attacker could trick the user and potentially acquire sensitive information, such as the user's credentials. Microsoft Exchange Elevation of Privilege Vulnerability – CVE-2016-3379 An elevation of privilege vulnerability exists in the way that Microsoft Outlook handles meeting invitation requests. To exploit the vulnerability, an attacker could send a specially crafted Outlook meeting invitation request with malicious cross-site scripting (XSS) capability to a user.
• #17: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. Does not apply to Server Core edition User targeted vulnerabilities – Privilege Management Mitigates Impact In addition to installing this update are there any further steps I need to carry out to be protected from CVE-2016-3375? Yes. Although protecting Windows 10 systems from CVE-2016-3375 requires no additional steps other than installing the September Windows 10 cumulative update, for all other affected operating systems installing the 3184122 security update by itself does not fully protect against CVE-2016-3375 — you must also install Internet Explorer cumulative update 3185319 in MS16-104 to be fully protected from the vulnerability. Scripting Engine Memory Corruption Vulnerability – CVE-2016-3375 A remote code execution vulnerability exists in the way that the Microsoft OLE Automation mechanism and the VBScript Scripting Engine in Internet Explorer access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically via an enticement in email or instant message, or by getting them to open an email attachment. The update, in conjunction with the Internet Explorer update in MS16-104, addresses the vulnerability by modifying how the Microsoft OLE Automation mechanism and the VBScript Scripting Engine in Internet Explorer handle objects in memory.
• #18: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. There is a chance that after applying MS16-110 and rebooting MS13-079 could show up as required and will successfully install. So there is an edge case were previously MS13-079 was not applicable before and after applying this update would be applicable. The patch will install successfully. Microsoft Information Disclosure Vulnerability – CVE-2016-3352 An information disclosure vulnerability exists when Windows fails to properly validate NT LAN Manager (NTLM) Single Sign-On (SSO) requests during Microsoft Account (MSA) login sessions. An attacker who successfully exploited the vulnerability could attempt to brute force a user’s NTLM password hash. To exploit the vulnerability, an attacker would have to trick a user into browsing to a malicious website, or to an SMB or UNC path destination, or convince a user to load a malicious document that initiates an NTLM SSO validation request without the consent of the user. To validate MSA NTLM SSO authentication requests properly, it is imperative that Windows client operating system firewall profiles and enterprise perimeter firewalls are configured correctly. If users are connected to the “Guest or public networks” firewall profile it would imply that no enterprise perimeter firewall is present between the user and the Internet. The security update addresses the vulnerability by preventing NTLM SSO authentication to non-private SMB resources when users are signed in to Windows via a Microsoft Account network firewall profile for users who are signed in to Windows via a Microsoft account (https://www.microsoft.com/account) and connected to a “Guest or public networks” firewall profile. An enterprise perimeter firewall can be used to prevent this type of attack. See Knowledge Base Article 3285535 for guidance on configuring an enterprise perimeter firewall.
• #19: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User targeted vulnerabilities How could an attacker exploit these vulnerabilities? In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. In a web-based attack scenario where the user is using Internet Explorer in the Windows 8-style UI, an attacker would first need to compromise a website already listed in the Compatibility View (CV) list. An attacker could then host a website that contains specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. For more information about Internet Explorer and the CV List, please see the MSDN Article, Developer Guidance for websites with content for Adobe Flash Player in Windows 8. Workarounds for the following: https://technet.microsoft.com/library/security/MS16-117 Prevent Adobe Flash Player from running Prevent Adobe Flash Player from running in Internet Explorer through Group Policy Prevent Adobe Flash Player from running in Office 2010 on affected systems Prevent ActiveX controls from running in Office 2007 and Office 2010 Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone Add sites that you trust to the Internet Explorer Trusted sites zone
• #20: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User targeted vulnerabilities Updating Flash Player requires updates for Flash Player, IE, Chrome, and Firefox WARNING This page and the download links will be decommissioned on Sep 29, 2016.   If you are downloading Adobe Flash Player for your personal use, please visit get.adobe.com/flashplayer.   Organizations that distribute Adobe Flash Player internally must have a valid license and AdobeID to download and distribute Flash Player binaries. Instructions and further details on obtaining a distribution license are available at the Adobe Flash Player Distribution Page.
• #21: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted
• #22: Shavlik Priority: Shavlik rates this bulletin as a Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. User targeted vulnerabilities – Privilege Management Mitigates Impact Microsoft Silverlight Memory Corruption Vulnerability - CVE-2016-3367 A remote code execution vulnerability exists when Microsoft Silverlight improperly allows applications to access objects in memory. The vulnerability could corrupt system memory, which could allow an attacker to execute arbitrary code. In a web-browsing scenario, an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker could host a website that contains a specially crafted Silverlight application and then convince a user to visit the compromised website. The attacker could also take advantage of websites containing specially crafted content, including those that accept or host user-provided content or advertisements. For example, an attacker could display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems. However, in all cases an attacker would have no way to force a user to visit a compromised website. Instead, an attacker would have to convince a user to visit the website, typically by enticing the user to click a link in either an email or instant message. The update addresses the vulnerability by correcting how Microsoft Silverlight allocates memory for inserting and appending strings in StringBuilder.
• #23: Shavlik Priority: Shavlik rates this bulletin as a Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. Multiple Windows Session Object Elevation of Privilege Vulnerabilities Multiple Windows session object elevation of privilege vulnerabilities exist in the way that Windows handles session objects. A locally authenticated attacker who successfully exploited the vulnerabilities could hijack the session of another user. To exploit the vulnerabilities the attacker could run a specially crafted application. The update corrects how Windows handles session objects to prevent user session hijacking. Windows Kernel Elevation of Privilege Vulnerability – CVE-2016-3372 An elevation of privilege vulnerability exists in the way that the Windows Kernel API enforces permissions. An attacker who successfully exploited the vulnerability could impersonate processes, interject cross-process communication, or interrupt system functionality. To exploit the vulnerability a locally-authenticated attacker could run a specially crafted application. The security update addresses the vulnerability by helping to ensure that the Windows Kernel API properly enforces permissions. Windows Kernel Elevation of Privilege Vulnerability –CVE-2016-3373 An elevation of privilege vulnerability exists when the Windows Kernel API improperly allows a user to access sensitive registry information. An attacker who successfully exploited the vulnerability could gain access to user account information that is not intended for the user. A locally-authenticated attacker could exploit this vulnerability by running a specially crafted application. The security update addresses the vulnerability by helping to ensure that the Windows Kernel API correctly restricts access to user account information.
• #24: Shavlik Priority: Shavlik rates this bulletin as a Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. Windows Lock Screen Elevation of Privilege Vulnerability – CVE-2016-3302 An elevation of privilege vulnerability exists when Windows improperly allows web content to load from the Windows lock screen. To exploit the vulnerability, an attacker with physical access to a user’s computer could either connect to a maliciously configured WiFi hotspot or insert a mobile broadband adaptor in the user’s computer. An attacker who successfully exploited the vulnerability could potentially execute code on a user's locked computer. However, the attacker would have no way to either force a user to connect to the hotspot or control the default browser selection on the user’s computer. The security update addresses the vulnerability by correcting the behavior of the Windows lock screen to prevent unintended web content from loading.
• #25: Shavlik Priority: Shavlik rates this bulletin as a Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. Windows Secure Kernel Mode Information Disclosure Vulnerability – CVE-2016-3344 An information disclosure vulnerability exists in Windows when Windows Secure Kernel Mode improperly handles objects in memory. A locally-authenticated attacker could attempt to exploit the vulnerability by running a specially crafted application on a targeted system. Note that the information disclosure vulnerability alone would not be sufficient for an attacker to compromise a system, but would have to be combined with additional vulnerabilities to further exploit the system. The security update addresses the vulnerability by correcting how Windows handles objects in memory to prevent information disclosure.
• #26: Shavlik Priority: Shavlik rates this bulletin as a Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. Windows SMB Authenticated Remote Code Execution Vulnerability – CVE-2016-3345 For Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems a remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) Server handles certain requests when an authenticated attacker sends specially crafted packets to the SMBv1 server. The vulnerability does not impact other SMB Server versions. On later operating systems an attacker who successfully exploited this vulnerability could cause the affected system to stop responding until it is manually restarted. To exploit the vulnerability an attacker would first need to authenticate to the SMBv1 Server and have permission to open files on the target server before attempting the attack. What versions of SMB are impacted by this vulnerability? This vulnerability affects only SMBv1.
• #27: Shavlik Priority: Shavlik rates this bulletin as a Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. User Targeted Multiple PDF Library Information Disclosure Vulnerabilities Multiple information disclosure vulnerabilities exist in the way that the Windows PDF Library handles objects in memory. An attacker who successfully exploited the vulnerabilities could obtain information to further compromise a target system. In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerabilities. Additionally, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could be used to exploit the vulnerabilities. However, in all cases an attacker would have no way to force users to view attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site. The update addresses the vulnerabilities by correcting how certain functions handle objects in memory.
• #30: Sign up for Content Announcements: Email http://www.shavlik.com/support/xmlsubscribe/ RSS http://protect7.shavlik.com/feed/ Twitter @ShavlikXML Follow us on: Shavlik on LinkedIn Twitter @ShavlikProtect Shavlik blog -> www.shavlik.com/blog Chris Goettl on LinkedIn Twitter @ChrisGoettl Sign up for webinars or download presentations and watch playbacks: http://www.shavlik.com/webinars/