The September 2016 Patch Tuesday release from Microsoft includes 14 total bulletins, seven of which were rated...
critical, but six of those bulletins highlight issues of browser security in various forms.
In September's Patch Tuesday release, experts said MS16-104 and MS16-105 are standard bulletins for Microsoft's Internet Explorer and Edge browsers, respectively, and should be prioritized because they include patches for remote code execution (RCE) vulnerabilities. But these bulletins do not stand alone, because the web browser is a popular attack vector.
Amol Sarwate, director of Vulnerability Labs at Qualys, Inc., noted that MS16-106, for the Microsoft Graphics Component; MS16-109, for Silverlight; and MS16-116, for the VBScript Scripting Engine, each remediate critical RCE flaws that can be exploited by coercing a victim to visit a malicious website. Additionally, MS16-117 contains critical fixes for Adobe Flash libraries contained in Internet Explorer 10 and 11 and Microsoft Edge.
Lane Thames, security research and software development engineer at Tripwire, said enterprises should note MS16-116.
"The catch here is that the vulnerability, identified by CVE-2016-3375, is not fully resolved until the Internet Explorer security updates in MS16-104 are applied, he said"
MS16-107 includes critical patches for Microsoft Office and SharePoint to resolve a total of 13 vulnerabilities. Chris Goettl, product manager with Shavlik Technologies LLC, said IT should note this bulletin includes "all versions of Office, Office Viewers [and] SharePoint versions, including SharePoint 2007."
"You may see this show up on machines more than once depending on which products and viewers are on each system," Goettl said. "This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management."
The final critical bulletin in September's Patch Tuesday is MS16-108, which handles vulnerabilities in Microsoft Exchange Server. However, the most severe flaw could allow remote code execution in some Oracle Outside libraries that are built into Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server.
Yet Michael Gray, vice president of technology at Thrive Networks, Inc., said the risk of this vulnerability would be mitigated if an enterprise moved to the cloud.
"At this point, the number of enterprises running Microsoft Exchange on premises is dwindling, as many have moved to Office 365. If you are on Office 365, it's assumed that Microsoft has already rolled this patch out, and you can ignore this patch," Goettl said. "If you are still running Exchange on premises, this update should be installed soon. However, after installation, it's worth moving your mail to the cloud."
Thames saw a trend regarding attack vectors and MS16-115, an update to Microsoft's PDF Library.
"PDF has long been a favorite for cyberattackers and criminals. A new trend to notice is Microsoft Windows' PDF Library appearing more and more often as a common Patch Tuesday bulletin," Thames said. "Today, Microsoft is releasing MS16-115 as a security update for its PDF Library, which resolves two information disclosure vulnerabilities. This new trend can be seen by the following sequence of bulletins: MS16-012, MS16-068, MS16-080, MS16-102, MS16-105 and MS16-115. This is a collection of security bulletins introduced this year for various vulnerabilities related to PDF in Windows. "Administrators should ensure that critical systems, such as servers or other machines that contain sensitive data, do not have these components installed if it is not needed," he said.
Rounding out the rest of the September Patch Tuesday are important bulletins MS16-110 and MS16-114, which fix RCE flaws in Windows and SMBv1 Server; MS16-111 and MS16-112, which resolve elevation of privilege vulnerabilities in the Windows kernel and Windows lock screen; and MS16-113, which handles an information disclosure issue in the Windows Secure Kernel.
Overall, Craig Young, cybersecurity researcher for Tripwire, said he noticed a positive trend in Microsoft's security bulletins.
"This month, Microsoft has indicated that there are only nine vulnerabilities rated as 'exploitation likely,' which can result in code execution, with all but two of these CVEs existing within browser code. As a point of comparison, there has been a general gradual decline in the number of easily exploited Microsoft bugs over time, and even just looking at the past three months, the bulletins averaged having twice as many easily exploited vulnerabilities," Young said. "This trend is even more interesting if we look back at the September 2015 bulletin, when there were roughly three times as many vulnerabilities with the 'exploitation likely' rating."
Catch up on the August 2016 Patch Tuesday news
Learn more about the advantages, disadvantages and surprises of Office 365
Find out how to spot and prevent emerging PDF attacks