Microsoft released its October 2016 Patch Tuesday fixes today in a small set of just 10 bulletins, half of which are rated critical. All five critical bulletins in this month's Patch Tuesday could result in remote code execution, if exploited.
October's Patch Tuesday also marks the first time Microsoft pushed out fixes under its new monthly rollup structure, which Microsoft claims will be simpler but which many administrators say will cost them control over which individual patches they deploy.
Amol Sarwate, director of vulnerability labs at Qualys Inc., based in Redwood City, Calif., attempted to describe the new setup as simply as possible in a blog post. He said the second Tuesday of the month would remain Patch Tuesday, and the release a user receives would depend on the server used to access the rollup. Microsoft is now referring to Patch Tuesday updates as a "B week" update.
Under the new structure, enterprise users get a security-only update rollup from "Windows Server Update Services, where it can be consumed by other tools, like ConfigMgr and the Windows Update Catalog." Consumer PCs, which get updated via Windows Update, get that same security rollup, as well as nonsecurity fixes, and a preview of those nonsecurity fixes will be released for testing on the third Thursday of the month -- now also known as a "C week" update.
However, Sarwate warned, with the rollup, there is "no way to uninstall a specific patch" if an enterprise runs into issues.
Zero-day flaws abound
Craig Young, cybersecurity researcher for Tripwire Inc., based in Portland, Ore., said, "This month's bulletins have a striking deviation from most recent Patch Tuesdays in terms of the number of readily exploitable bugs and bugs where exploitation has been detected."
"All of the critical bugs across Microsoft Internet Explorer and Microsoft Edge are either already being exploited or are likely candidates for exploitation in the very near future. This is in contrast to a downward trend I've been noting for several months, where it has seemed that the overall number of readily exploitable code-execution bugs had been in decline," Young said. "The September bulletin, for example, had just nine highly exploitable code-execution bugs, compared to this month, where there are quite a few more than that in the first two bulletins alone. It is unclear if there is any rhyme or reason to this change."
Sarwate ranked MS16-120 as the highest-priority bulletin for enterprises because it includes a fix for a zero-day flaw (CVE-2016-3393) in the Microsoft Graphics component that could allow "attackers to take complete control of the victim machine if the victim views a malicious webpage."
Tyler Reguly, manager of security research at Tripwire, said this bulletin was one of a "large number of complex bulletins" this month.
"MS16-120 could, depending on software installed, still require a half-dozen patches to fully resolve vulnerable systems," Reguly told SearchSecurity. "This is one bulletin that operations teams should pay close attention to."
MS16-118 and MS16-119 are the stalwart bulletins containing cumulative patches for Internet Explorer and the Microsoft Edge browser, respectively. And MS16-127 is Microsoft's bulletin for Adobe Flash Player patches, which also includes critical remote code execution (RCE) bugs.
While there is no zero-day vulnerability in the Flash Player bulletin, there is a scripting engine RCE zero day in the Edge bulletin (CVE-2016-7189) and an information-disclosure zero day in the IE bulletin (CVE-2016-3298).
That same IE information-disclosure zero day is also patched in the MS16-126 bulletin for the Microsoft Internet Messaging API. By exploiting this zero day in this API, an attacker could "test for the presence of files on a disk."
"Yes, an attacker can only tell the presence of the file using MS16-126 and will not be able to view the file," Sarwate said. "But this type of technique is used to check if additional vulnerable components are installed and then launch further attacks."
Reguly said admins have "to be aware of the difference between those operating systems that support rollups and those that don't."
"One great example of this is CVE-2016-3298, found in both MS16-118 and MS16-126," Reguly said. "In order to be fully patched on [Windows] Server 2008 and Vista, you must install two updates. On other operating systems, a single patch will suffice."
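The split Reguly describes, where one CVE is fixed by two separate bulletins on Windows Server 2008 and Vista but by a single patch elsewhere, is easy to miss in a compliance check that only looks for one KB. The following PowerShell function is an added example, not from the article or from Microsoft; the KB numbers are placeholders (the article does not list them) and the OS rule is taken from the quote above, so it treats Server 2008 and Vista as needing every listed update and other systems as needing at least one.

```powershell
# Added example: check whether a CVE that is spread across several bulletins is
# fully patched on the local host. Run in an elevated PowerShell session.
# KB numbers below are PLACEHOLDERS; substitute the real KBs from each bulletin.
$RequiredUpdates = @{
    'CVE-2016-3298' = @(
        @{ Bulletin = 'MS16-118'; KB = 'KB<placeholder-ms16-118>' },
        @{ Bulletin = 'MS16-126'; KB = 'KB<placeholder-ms16-126>' }
    )
}

function Test-CvePatchState {
    param(
        [Parameter(Mandatory)] [string] $Cve,
        [hashtable] $Map = $RequiredUpdates
    )
    if (-not $Map.ContainsKey($Cve)) {
        throw "No bulletin mapping defined for $Cve"
    }

    # Get-HotFix lists updates that registered a HotFixID; rollups appear as one KB.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    # Rule from the article: Server 2008 and Vista need every listed update,
    # rollup-capable systems receive the fix in a single update.
    $needsAll = $os -match 'Server 2008|Vista'

    $missing = @(foreach ($u in $Map[$Cve]) {
        if ($installed -notcontains $u.KB) { $u.Bulletin }
    })
    $present = $Map[$Cve].Count - $missing.Count

    $compliant = if ($needsAll) { $missing.Count -eq 0 } else { $present -ge 1 }

    [pscustomobject]@{
        Cve              = $Cve
        OperatingSystem  = $os
        RequiresAll      = $needsAll
        MissingBulletins = $missing
        Compliant        = $compliant
    }
}

Test-CvePatchState -Cve 'CVE-2016-3298' | Format-List
```

A host that reports Compliant = False with MS16-126 in MissingBulletins is exactly the half-patched Server 2008 case Reguly warns about.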
The last of the zero-day flaws is found in the bulletin for Microsoft Office, MS16-121, which itself is unusual because the bulletin only includes one patch. That patch is rated important, but Sarwate said an attacker could "take complete control of a victim's machine" by exploiting the zero-day flaw (CVE-2016-7193), sending "a malicious RTF file to the victim either as an email attachment or somehow [enticing] the victim to view it online."
"Microsoft has marked it as important and not critical because there would be a warning message or prompt before the victim opens the malicious document," Sarwate explained. "If there is no warning message, then Microsoft considers it critical."
MS16-122 is the final critical bulletin, tackling issues in Microsoft Video Control that could allow remote code execution if an attacker convinces a user to open a specially crafted file or program.
Rounding out the security rollups are MS16-123, MS16-124 and MS16-125, which all target escalation-of-privilege flaws in Windows kernel-mode drivers, Windows Registry and Diagnostics Hub, respectively.