Patch Tuesday August 2016

BeyondTrust Research Team, August 10th, 2016

Patch Tuesday

August’s iteration of Patch Tuesday is slightly lighter than recent months, with only 9 bulletins. However, 5 of the 9 bulletins address Critical vulnerabilities, and the other four are rated Important. The usual suspects are all back, with vulnerabilities in Edge, Internet Explorer, Secure Boot, Kernel-Mode Drivers, and Office. Some new faces this month are the Windows PDF Library and Windows Authentication Methods.

MS16-095: Cumulative Security Update for Internet Explorer (3177356)

As usual, the first product up to the plate is Internet Explorer. IE is patched this month for nine vulnerabilities consisting of five memory corruptions and four information disclosures. The memory corruption vulnerabilities, caused by IE improperly accessing objects in memory, pose the greatest risk as these could lead to remote code execution, making this bulletin critically rated.

MS16-096: Cumulative Security Update for Microsoft Edge (3177358)

Next up, Edge is patched for five memory corruption vulnerabilities, with one occurring within the Chakra JavaScript engine. Additionally, three information disclosures are resolved that could potentially aid an attacker with compromising the system further. At the time of this bulletin’s release, there were no reports of these vulnerabilities being actively exploited in the wild.

MS16-097: Security Update for Microsoft Graphics Component (3177393)

Microsoft Graphics Component returns teeming with critical vulnerabilities. The impact of these vulnerabilities could be remote code execution and complete compromise of a target system. The exploit revolves around Windows font libraries improperly handling specially crafted embedded fonts. An attacker has multiple vectors for approaching this vulnerability: in a web-based attack scenario the attacker has to lure the victim to a malicious website to launch the attack, and in a file-sharing attack scenario the attacker could provide a specially crafted document and convince the victim to open it. This vulnerability is a somber reminder to be mindful of your surroundings on the web and when opening unknown content.

MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466)

Kernel-Mode Drivers have once again been found to contain multiple vulnerabilities. The impact of each of these vulnerabilities is the same: elevation of privilege. As usual, the vulnerabilities exist because the drivers fail to handle objects in memory correctly. A successful exploit would be able to run arbitrary code in kernel mode, allowing the attacker to install programs, view or change data, and create user accounts with full privileges. To perform this exploit, an attacker would first have to log on to the system and then run a specially crafted application.

MS16-099: Security Update for Microsoft Office (3177451)

Office is back this month with four memory corruption vulnerabilities, which occur due to how it handles objects in memory. These issues could potentially allow an attacker to remotely execute arbitrary code; however, the execution context is limited to that of the current user. Additionally, an Information Disclosure vulnerability is resolved specifically in OneNote, which can potentially disclose memory contents.

MS16-100: Security Update for Secure Boot (3179577)

Secure Boot returns as an Important bulletin this month, addressing a vulnerability that allows security features to be bypassed. The exploit involves installation of a vulnerable boot manager, which has a faulty implementation of BitLocker or drive encryption. A successful exploit would disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device, and would bypass integrity validation for BitLocker and drive encryption. To exploit this vulnerability, an attacker would need administrative privileges or physical access to the target device in order to install an affected boot manager.

MS16-101: Security Update for Windows Authentication Methods (3178465)

This bulletin addresses two new issues discovered in Windows Authentication Methods. Netlogon has an issue in which it improperly establishes a secure communications channel with a domain controller. The restriction is that the system must be connected to a Server 2012 or Server 2012 R2 domain controller. The exploit would allow the attacker to run a program on a domain-joined computer to elevate the user’s privileges. Another issue was found in how Kerberos handles a password change request. When the request is improperly handled, it falls back to the NTLM authentication protocol. The NTLM protocol is susceptible to man-in-the-middle attacks.

MS16-102: Security Update for Microsoft Windows PDF Library (3182248)

A vulnerability has been found in the Windows PDF Library when handling objects in memory. If memory is corrupted, it could allow an attacker to execute arbitrary code. That code would execute in the same context as the user who opened the PDF, which could eventually allow the attacker to gain the same permissions as the victim. If the victim is an administrator, then the attacker could potentially take over the machine. The easiest way for an attacker to exploit this is to host a website serving PDF files crafted to exploit the flaw.

MS16-103: Security Update for ActiveSyncProvider (3182332)

An information disclosure vulnerability has been found in Outlook when it fails to establish a secure connection. If Outlook does not establish a secure connection, an attacker could obtain the username and password. This has been addressed by preventing Outlook from disclosing usernames.
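The practical follow-up to a bulletin summary like this is confirming that the updates actually landed on your hosts. The following PowerShell snippet is an added example, not part of the BeyondTrust post and not a BeyondTrust tool: it maps the nine bulletins above to the KB article numbers the post cites and reports which of a supplied KB list `Get-HotFix` can see on one or more hosts. Two assumptions are labelled in the code: the KB numbers the post lists are the bulletin-level article numbers, and the per-platform update a host actually installs may carry a different KB number (taken from the bulletin's affected-software table), so pass those in via `-KBList` for an accurate check; and `Get-HotFix` reads `Win32_QuickFixEngineering`, which reports operating-system updates only, so Office updates (MS16-099) generally will not appear there and need to be verified through the Office update history instead.

```powershell
# Added example (not from the BeyondTrust post). Reports which KB articles from a
# supplied list are present on each host according to Get-HotFix.
#
# Assumption: the KB numbers below are the bulletin-level article numbers quoted in
# the post. Hosts usually report the per-platform update KB instead; substitute those
# (from each bulletin's affected-software table) via -KBList for a reliable result.
# Assumption: Get-HotFix only lists OS updates, so MS16-099 (Office) will normally show
# as missing here even when it is installed; check Office update history separately.

$August2016Bulletins = [ordered]@{
    'MS16-095' = 'KB3177356'   # Internet Explorer
    'MS16-096' = 'KB3177358'   # Microsoft Edge
    'MS16-097' = 'KB3177393'   # Graphics Component (embedded fonts)
    'MS16-098' = 'KB3178466'   # Kernel-Mode Drivers
    'MS16-099' = 'KB3177451'   # Office (not visible to Get-HotFix, see note above)
    'MS16-100' = 'KB3179577'   # Secure Boot
    'MS16-101' = 'KB3178465'   # Windows Authentication Methods (Netlogon / Kerberos)
    'MS16-102' = 'KB3182248'   # Windows PDF Library
    'MS16-103' = 'KB3182332'   # ActiveSyncProvider (Outlook)
}

function Get-PatchStatus {
    <#
    .SYNOPSIS
      For each host, report whether each KB in -KBList appears in Get-HotFix output.
    .PARAMETER ComputerName
      One or more hosts to query (local host by default).
    .PARAMETER KBList
      Hashtable of label -> KB id. Defaults to the bulletin KB numbers from the post.
    #>
    param(
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        [System.Collections.IDictionary] $KBList = $August2016Bulletins
    )

    foreach ($host in $ComputerName) {
        try {
            # HotFixID is the "KBnnnnnnn" string we compare against.
            $installed = Get-HotFix -ComputerName $host -ErrorAction Stop |
                Select-Object -ExpandProperty HotFixID
        } catch {
            # Unreachable host or access denied: emit one row so it is not silently skipped.
            [pscustomobject]@{
                Computer  = $host
                Bulletin  = '*'
                KB        = '*'
                Installed = $null
                Note      = "query failed: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($entry in $KBList.GetEnumerator()) {
            [pscustomobject]@{
                Computer  = $host
                Bulletin  = $entry.Key
                KB        = $entry.Value
                Installed = ($installed -contains $entry.Value)
                Note      = if ($entry.Key -eq 'MS16-099') { 'Office update; verify via Office update history' } else { '' }
            }
        }
    }
}

# Usage: local host with the default list, then a missing-only view for a set of servers.
Get-PatchStatus | Format-Table -AutoSize
Get-PatchStatus -ComputerName 'server01', 'server02' |
    Where-Object { $_.Installed -ne $true } |
    Format-Table Computer, Bulletin, KB, Note -AutoSize
```

Rows with `Installed` equal to `$False` are the ones to chase; a row whose `Installed` is empty means the host could not be queried rather than that the patch is absent, which matters when the output feeds a compliance report.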