Patch Tuesday June 2016

BeyondTrust Research Team, June 15th, 2016

This month’s Patch Tuesday brings 16 bulletins, 5 of which are Critical. The products with a Critical severity rating are Internet Explorer, Edge, JScript and VBScript, Office, and DNS Server. In total, 44 vulnerabilities are addressed.

MS16-063 Cumulative Security Update for Internet Explorer (3163649)

As our usual first suspect, Internet Explorer is patched for multiple vulnerabilities, including a memory corruption within the browser, JScript and VBScript engine memory corruption, an XSS filter bypass, and proxy discovery fixes. Similar to last month’s Internet Explorer bulletin, this bulletin is closely tied to the JScript and VBScript engine bulletin, MS16-069.

MS16-068 Cumulative Security Update for Microsoft Edge (3163656)

Up next, Edge is patched for a security bypass within Content Security Policy, four memory corruption vulnerabilities, and an information disclosure and remote code execution vulnerability when handling specially crafted PDF files. One thing to note is that CVE-2016-3222 was publicly disclosed prior to this bulletin’s release; however, there are no reports of it being actively exploited.

MS16-069 Cumulative Security Update for JScript and VBScript (3163640)

As mentioned before, this bulletin is closely tied to the Internet Explorer bulletin; however, this patch applies to systems running IE7 and earlier. The update addresses three memory corruption vulnerabilities caused by how the JScript and VBScript engines handle objects in memory. Successful exploitation can allow a remote attacker to execute arbitrary code with the same user rights as the current user.

MS16-070 Security Update for Microsoft Office (3155544)

As usual, vulnerabilities in Office rear their ugly heads. The update addresses memory handling, and input validation before loading libraries. The vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file, so it is important to verify that the file you are opening is actually from a valid source.

MS16-071 Security Update for Microsoft Windows DNS Server (3164065)

Windows Servers that are configured as DNS servers are at risk for a vulnerability where the DNS server fails to properly handle requests. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server, and would execute with the privileges of the local account.

MS16-072 Security Update for Group Policy (3163622)

This update addresses a vulnerability that can allow network Group Policies to be configured to grant administrator privileges to standard users. To exploit this vulnerability, an attacker would need to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.

MS16-073 Security Update for Windows Kernel-Mode Drivers (3164028)

Windows Kernel-Mode Drivers contain two elevation of privilege vulnerabilities, caused by improper handling of objects in memory. Additionally, an information disclosure vulnerability is addressed within the Windows Virtual PCI virtual service provider, which can allow attackers to gain knowledge of sensitive memory contents to aid in successful exploitation.

MS16-074 Security Update for Microsoft Graphics Component (3164036)

ASLR (Address Space Layout Randomization) protects users from a wide variety of vulnerabilities. This security update fixes a vulnerability wherein an attacker could manipulate the Windows Graphics Component to leak information that can be used to bypass ASLR. By bypassing ASLR, the attacker could then take advantage of any number of vulnerabilities that could lead to remote code execution.

MS16-075 Security Update for Windows SMB Server (3164038)

Similar to MS16-074, this vulnerability doesn’t directly grant arbitrary code execution, but in conjunction with other vulnerabilities it could lead to it. An attacker would first have to log on to the system, then run a specially crafted application. Then the attacker could forward an authentication request intended for the malicious application through the SMB Server and take control of an affected system.

MS16-076 Security Update for Netlogon (3167691)

A memory corruption vulnerability exists where a domain-authenticated attacker could make a specially-crafted NetLogon request to the domain controller, granting access to the target system.

MS16-077 Security Update for WPAD (3165191)

Sometimes being backwards compatible can hurt. An elevation of privilege vulnerability exists in Microsoft Windows when the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process. An attacker who successfully exploited this vulnerability could bypass security and gain elevated privileges on a targeted system.

MS16-078 Security Update for Windows Diagnostic Hub (3165479)

An elevation of privilege vulnerability exists when the Windows Diagnostics Hub Standard Collector Service fails to properly sanitize input, leading to insecure library loading behavior. The attacker could then run arbitrary code with administrator privileges.

MS16-079 Security Update for Microsoft Exchange Server (3160339)

Is your mail leaking? This update resolves multiple vulnerabilities in Microsoft Exchange Server, the most severe of which could leak information to an attacker, allowing the victim to be identified, fingerprinted, and tracked online. When combined with other vulnerabilities, this attack could be amplified.

MS16-080 Security Update for Microsoft Windows PDF (3164302)

This bulletin resolves two information disclosures and a remote code execution vulnerability within Windows PDF. Successful exploitation involves an attacker enticing victims into opening a specially crafted PDF file, leading to code execution in the context of the current user.

MS16-081 Security Update for Active Directory (3160352)

What would a Patch Tuesday be without one or two Denial of Service (DoS) vulnerabilities? An authenticated attacker could cause a DoS by creating multiple machine accounts within Active Directory. This update addresses how machine accounts are created.

MS16-082 Security Update for Microsoft Windows Search Component (3165270)

This security update fixes a memory handling error that could be manipulated by attackers. The vulnerability could allow denial of service if an attacker logs on to a target system and runs a specially crafted application.