In a surprise turn, according to experts, Adobe Reader bugs highlighted Patch Tuesday for July 2016, as Microsoft's Patch Tuesday release included only 11 total bulletins -- six of which were rated critical.
Adobe Flash vulnerabilities were the stars of last month's Patch Tuesday, and experts said Adobe Reader hadn't seen critical flaws in three months. However, Adobe's July security bulletin for Acrobat and Reader took on a total of 30 common vulnerabilities and exposures (CVEs), including critical vulnerability fixes for Adobe Acrobat DC and XI, as well as Adobe Reader DC and XI, on both Windows and Mac platforms.
According to Amol Sarwate, director of engineering and head of vulnerability research for Qualys Inc., based in Redwood City, Calif., many Adobe Reader bugs and Flash bugs fixed this month allow attackers to take complete control of a victim machine, so he recommended applying the Flash and Reader update immediately.
"Many vulnerabilities fixed by APSB16-26 allow an attacker to take complete control of the victim machine, and we recommend applying the patch for this critical issue as soon as possible," Sarwate wrote in a blog post. "This is the third Acrobat Reader fix in 2016, while the count of Adobe Flash is more than double. Adobe has also released an update for its Flash Player -- APSB16-25, which fixes 52 vulnerabilities. This update affects Windows, Mac, Linux and ChromeOS."
MS16-093 is Microsoft's Patch Tuesday bulletin that remediates critical vulnerabilities in the Adobe Flash player, as well.
Tyler Reguly, manager of the vulnerability and exposure research team at Tripwire Inc., based in Portland, Ore., said Microsoft's Patch Tuesday release was just a bit of spring cleaning, despite it being the middle of summer.
"There shouldn't be any surprises for administrators this month; the majority of the bulletins are regulars every Patch Tuesday," Reguly said. "It's like an episode of Cheers: There may be a guest star or two, but the bulletin summary is 'where everybody knows your name.'"
Topping the list of Microsoft Patch Tuesday stalwarts are the security bulletins for Internet Explorer (IE) (MS16-084), the Microsoft Edge browser (MS16-085), and the JScript and VBScript engines (MS16-086). The single critical vulnerability in the VBScript engine bulletin only affects Windows Vista, so enterprises not running Vista need not worry.
The IE and Edge updates each include fixes for seven critical vulnerabilities, and Craig Young, security researcher at Tripwire, noted, "This month marks the one-year anniversary of the initial public release of Microsoft's Edge browser, which was billed as a streamlined and more secure browsing platform."
"Reviewing data from the CVE details website would indicate that Internet Explorer has had only slightly more code execution bugs compared to Edge in 2016," Young said. "This is likely a result of the large attack surface shared between the two browsers, evident by the large number of CVEs affecting both. Pure CVE count, however, is not the only metric, as ease of exploitation also must be considered to gauge whether Edge has been successful at increasing security."
One interesting guest star in Microsoft's Patch Tuesday release was a critical bulletin regarding the Windows print spooler component (MS16-087), which Microsoft said included a vulnerability that could allow remote code execution (RCE) if an attacker is able to execute a man-in-the-middle (MitM) attack on a workstation or print server, or set up a rogue print server on a target network.
According to Reguly, there hasn't been a bulletin related to the Windows print spooler in three years.
"One of the vulnerabilities listed in this bulletin, CVE-2016-3238, is rather interesting, allowing an attacker to MitM a connection and install malicious drivers during a printer installation," Reguly said. "Luckily, many enterprises will already have printers installed on their images, which should help to mitigate risk from this."
Michael Gray, vice president of technology at Thrive Networks, based in Boston, noted this bulletin also had a silver lining for enterprises with updated servers.
"MS16-086 is an update for the print spooler, which is in every version of Windows, but this specific fix is not targeted at Windows Server 2012 -- R2 or otherwise," Gray said. "What's convenient about this update is that, if you have upgraded all your servers to 2012 R2, that's one less critical update you will need to worry about."
Another familiar face, and the final critical bulletin of the month, is MS16-088, which includes security fixes for Microsoft Office. There are three critical RCE patches for Office -- all of which take on memory corruption vulnerabilities. Sarwate said these vulnerabilities could "allow an attacker to take complete control of the victim's machine and, therefore, these should be patched immediately."
The remaining important patch bulletins cover information disclosure vulnerabilities in the Windows secure kernel mode (MS16-089) and .NET Framework (MS16-091), elevation-of-privilege vulnerabilities in the Windows kernel-mode drivers (MS16-090), and security-feature-bypass vulnerabilities in the Windows kernel (MS16-092) and secure boot (MS16-094).
Gray said a noticeable trend here is the collection of kernel and secure boot updates, which he said leads him to believe "that a part of the kernel code that is common may have been exploited in different ways."
"The alerts in question, which update a feature called secure boot, are MS16-089 (Windows 10 only), MS16-092 (Windows 8.1/Server 2012/Server 2012 R2) and MS16-094 (Windows 7 only). If you put those OSes together, you have essentially all supported versions of Windows," Gray wrote in an email. "Most users are not running secure boot, which means this month's impact is decreased even further. With that being said, I would recommend installing those updates, assuming you have done some testing. Kernel updates can be risky."