Patch Tuesday for August 2016 continued last month's trend toward fewer bulletins, with just nine bulletins in all, of which five were rated critical.
The key patches this month addressed critical vulnerabilities in Microsoft's Internet Explorer and Microsoft Edge browsers, in the Microsoft Graphics Component and in Office, along with a patch for a vulnerability in the Windows PDF Library that "could allow remote code execution if a user views specially crafted PDF content online or opens a specially crafted PDF document."
"It stands to reason that Microsoft may have kept things simple, so as not to overshadow the release of their Windows 10 Anniversary update," said Michael Gray, vice president of technology at Thrive Networks, based in Tewksbury, Mass.
"As far as the new patches go, there are some typical remote code execution browser exploits for Internet Explorer and Edge," Gray said. "In both cases, the user running the browser needs to have administrative rights. And in business environments, I strongly recommend avoiding end-user admin rights at all costs. The benefit is worth any inconvenience it may cause. The other critical updates relating to the graphics library and PDF viewer, which was released in Windows 8, should be installed, and they appear to be low risk."
Craig Young, security researcher for Tripwire Inc.'s Vulnerability and Exposure Research Team, based in Portland, Ore., told SearchSecurity "Windows users will want to update browsers, graphics components and kernel-mode drivers as soon as possible due to the ease of exploitation Microsoft has associated with these bugs."
"Overall, it's a regular-sized Patch Tuesday, which will keep Windows desktop administrators busy," wrote Amol Sarwate, director of vulnerability labs at Qualys Inc., based in Redwood City, Calif. "Users of Windows 10 using Microsoft Edge as the default browser should also focus on the Windows PDF Library bug, as it could allow attackers to control a victim machine by opening a malicious PDF."
Sarwate pointed to the MS16-101 bulletin as being notable for Windows networking, as it addresses vulnerabilities that allow elevation of privileges when authenticating with Microsoft's Netlogon or with Kerberos. "The Kerberos issue is triggered when Kerberos improperly handles a password-change request and falls back to NTLM Authentication as the default authentication protocol, allowing an attacker to bypass Kerberos authentication," Sarwate wrote. "The Netlogon issue is triggered when Windows Netlogon improperly establishes a secure communications channel to a domain controller."
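One practical follow-up to the MS16-101 description is to look for domain accounts that are authenticating with NTLM where Kerberos is expected, since a fallback to NTLM is exactly the symptom Sarwate describes. The script below is an added example for this article, not code from Microsoft or from any of the quoted vendors: it parses Windows Security event 4624 (successful logon) records, keeps only NTLM logons by accounts in the domains you name, and ranks NTLMv1 above NTLMv2. The records are constructed to mirror the 4624 field names (Logon Type, Account Domain, Authentication Package, Package Name); the domain name CORP and the hostnames are assumptions. In production you would feed it the output of Get-WinEvent or a SIEM export instead.

```python
"""
Added example: surface NTLM logons by domain accounts from Windows Security
event 4624 records, a first-pass check for the Kerberos-to-NTLM fallback that
MS16-101 addresses. Sample data is constructed; field names follow the 4624
event layout, while the domain CORP and hostnames are assumptions.
"""
import re
from collections import Counter

# Constructed 4624/4625 records, one per line, rendered as key=value pairs.
# Values may contain spaces ("ANONYMOUS LOGON", "NTLM V2"), which the parser
# must tolerate.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 AccountName=alice AccountDomain=CORP WorkstationName=WS01 AuthenticationPackage=Kerberos LmPackageName=-
EventID=4624 LogonType=3 AccountName=bob AccountDomain=CORP WorkstationName=WS02 AuthenticationPackage=NTLM LmPackageName=NTLM V2
EventID=4624 LogonType=2 AccountName=localadmin AccountDomain=WS03 WorkstationName=WS03 AuthenticationPackage=NTLM LmPackageName=NTLM V2
EventID=4624 LogonType=3 AccountName=ANONYMOUS LOGON AccountDomain=NT AUTHORITY WorkstationName=- AuthenticationPackage=NTLM LmPackageName=NTLM V1
EventID=4625 LogonType=3 AccountName=carol AccountDomain=CORP WorkstationName=WS04 AuthenticationPackage=NTLM LmPackageName=-
EventID=4624 LogonType=3 AccountName=svc-backup AccountDomain=CORP WorkstationName=SRV01 AuthenticationPackage=NTLM LmPackageName=NTLM V1
"""

# key=value where the value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def severity(event):
    """NTLMv1 is weaker than NTLMv2, so rank it higher."""
    return "high" if event.get("LmPackageName", "").upper() == "NTLM V1" else "medium"


def ntlm_fallback_logons(text, domains=("CORP",)):
    """Return successful (4624) logons where an account from one of the given
    domains authenticated with NTLM rather than Kerberos.

    Anonymous logons and local (machine) accounts are skipped: NTLM is normal
    for them and they would drown out the interesting rows.
    """
    wanted = {d.upper() for d in domains}
    flagged = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        if ev.get("AuthenticationPackage") != "NTLM":
            continue
        if ev.get("AccountName", "").upper() == "ANONYMOUS LOGON":
            continue
        if ev.get("AccountDomain", "").upper() not in wanted:
            continue
        flagged.append(ev)
    return flagged


def auth_package_counts(text):
    """Count successful logons per (domain, account, package). An account that
    normally shows Kerberos and suddenly shows NTLM is the fallback pattern."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "4624":
            counts[(ev["AccountDomain"], ev["AccountName"], ev["AuthenticationPackage"])] += 1
    return counts


if __name__ == "__main__":
    for ev in ntlm_fallback_logons(SAMPLE_EVENTS):
        print(f"{severity(ev):6} {ev['AccountDomain']}\\{ev['AccountName']:12} "
              f"type={ev['LogonType']} from={ev['WorkstationName']} "
              f"{ev['LmPackageName']}")
    print(auth_package_counts(SAMPLE_EVENTS))
```

The output is a candidate list, not a verdict: NTLM also appears legitimately when clients connect by IP address or to hosts without a service principal name, so the per-account counts are there to let you compare each hit against that account's usual authentication package before escalating.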
Some bulletins of interest
Despite what seems to be a pedestrian Patch Tuesday crop of vulnerabilities, there were some curveballs included. Gray pointed to the MS16-103 bulletin, which he said "is a patch for something called Universal Outlook. This is [a] special version of Outlook designed to run in tablet mode. The only time we've seen anyone use that is by getting into it by accident. Given it has a bug and there is no companion update for regular Outlook, I would be concerned that Microsoft is using a different code base for the Universal application."
Young also found something notable this Patch Tuesday: "Buried within the Edge and IE bulletins, there is an interesting information disclosure vulnerability, which could give attackers a good bit of insight into victim PCs," he said. The vulnerability, designated CVE-2016-3329, enables attacker-controlled content to identify if specific files exist on a target's computer.
"While this is certainly not as bad as a code execution bug or an arbitrary file read issue, it does put the attacker in a unique situation to fingerprint victims and potentially identify vulnerable software on the target not generally exposed to the web browser," Young said. "This is helpful because, often times, it will be easier for an attacker to gain useful access by exploiting a media player or a document viewer, rather than the highly isolated browser sandbox. A clever attacker could then create an effective browser-based attack capable of achieving code execution outside of the browser's sandbox, but without having to work through a sandbox escape."
Windows 10 Anniversary update
With Patch Tuesday's lighter load this month, system administrators can breathe a bit easier while grappling with the Windows 10 Anniversary update. Last week's OS upgrade is still having an effect, with reports of system lockups and slowdown, according to Gray, who said the problems seem to be with software that is not compatible with the latest Windows update.
"We saw with last year's Windows 10 upgrade that the process would simply uninstall certain software that was not compatible. So, perhaps Microsoft was trying to play a bit nicer with Windows 10 and security software, but it may have bitten them in the end," Gray said. "If you have a gaming PC that you use with your Xbox, I wouldn't be surprised if this is a great update for you. Any business users, I would take caution and, as always, test the update on spare machines as much as possible."