Article by Debra Littlejohn Shinder
Microsoft seems to have a thing for "Sweet 16" lately, as once again they've released sixteen updates for this month's Patch Tuesday, ensuring that IT professionals will be kept busy sorting through them, testing them and getting them applied. They say "when you're hot, you're hot," and those of us in Texas and other southern states are feeling the heat as we scramble to roll out yet another big slate of patches.
At least I had a break before the deluge, spending the first week of June in Alaska where I saw a myriad of humpback whales, eagles and bears, took a helicopter to the top of the glacier and went dog sledding with a professional musher who trains dogs to race in the Iditarod. After that experience – during which I had nary a thought of remote code execution or elevation of privilege – it wasn't easy to come back to reality where I have to worry daily about what zero-day vulnerabilities may be lurking in my software.
But, all good things must come to an end, and it's time to get back to business. This month's basket full of patches includes the usual cumulative updates for IE and Edge, as well as an update for scripting engines and one for Microsoft Office. Other than an Exchange Server update, the rest are for Windows. The good news is that only five of the updates are critical; the rest are rated important. Those with eyes as sharp as those of the eagles I admired in Ketchikan might notice that the numbers skip from MS16-063 to 068; we covered the intervening numbers last month.
Let's take a look at each of these updates in a little more detail. You can find the full summary, with links to each security bulletin, at https://technet.microsoft.com/en-us/library/security/ms16-jun
Critical
MS16-063 (KB 3163649) This is the usual monthly cumulative update for Internet Explorer that applies to IE 9, 10 and 11 (all supported versions) on all supported versions of Windows. It is rated critical for client operating systems and moderate for servers, and of course doesn't apply to server core installations that don't run a web browser.
The update addresses 10 vulnerabilities, nine of which could allow remote code execution; the remaining vulnerability is an elevation of privilege issue. Eight are memory corruption vulnerabilities, and there is also an XSS filter vulnerability along with the EoP vulnerability. There are published workarounds for the scripting engine memory corruption vulnerabilities if you're unable to install the patch; the instructions are published in the security bulletin at https://technet.microsoft.com/library/security/MS16-063
The update fixes the problems by changing how IE handles objects in memory and how the JScript and VBScript engines handle objects in memory, changing the way the IE XSS Filter validates JavaScript and correcting the way Windows handles proxy discovery.
MS16-068 (KB 3163656) This is the usual monthly cumulative update for the Edge web browser running on Windows 10. It is rated critical for all editions of Windows 10 and moderate on Windows servers.
The update addresses eight vulnerabilities, which include five critical remote code execution issues. The same scripting engine memory corruption vulnerabilities discussed above are included here, as well as a security feature bypass and a pair of information disclosure vulnerabilities that are caused by the way Windows parses .pdf files.
The update fixes the problems by changing the way Edge's Content Security Policy (CSP) validates documents, the way the Chakra JavaScript engine handles objects in memory and the way Windows parses .pdf files.
MS16-069 (KB 3163640) This is a cumulative security update for the JScript and VBScript scripting engines in Windows Vista and Server 2008 including the server core installation. It does not apply to later versions of Windows. It is rated critical on the Vista client and moderate on Windows Server.
The update addresses three remote code execution vulnerabilities in versions 5.7 and 5.8 of VBScript and 5.8 of JScript, which are caused by the way the scripting engines handle objects in memory. There are workarounds for these memory corruption vulnerabilities, the details and instructions for which are published in the security bulletin at https://technet.microsoft.com/library/security/MS16-069.
The update fixes the problems by changing the way the scripting engine handles objects in memory.
MS16-070 (KB 3163610) This is a security update for Microsoft Office 2007, 2010, 2013, 2013 RT, 2011 for Mac, and 2016 for both Windows and Mac. It also affects the Office Compatibility Pack SP3, Word Viewer and Visio Viewer versions 2007 and 2010, as well as SharePoint Server 2010 and 2013, Office Web Apps 2010 and 2013 and Office Online Server. It is rated critical.
The update addresses four vulnerabilities: two memory corruption issues, an OLE DLL side loading vulnerability caused by improper validation of input before loading libraries, and an information disclosure vulnerability caused by improper disclosure of the contents of memory. There is a workaround for the last one, the details and instructions for which are published in the security bulletin at https://technet.microsoft.com/en-us/library/security/mt732657.aspx
The update fixes the problems by changing the way Office handles objects in memory, the way certain Windows functions handle objects in memory and the way Windows validates input before loading libraries.
MS16-071 (KB 3164065) This is an update for the Windows DNS Server component in Windows Server 2012 and 2012 R2. Other versions of Windows Server are not affected, nor are the client operating systems. It is rated critical for the affected server OS. Only servers that are configured as DNS servers are impacted; this also applies to Windows Server Technical Preview 5.
The update addresses a single use-after-free vulnerability in the DNS server that could be exploited to achieve remote code execution by running arbitrary code in the context of the Local System account.
The update fixes the problem by changing the way Windows DNS handles DNS requests.
Important
MS16-072 (KB 3163622) This is an update for Group Policy in Windows that applies to all supported releases of Windows client and server, including Windows RT and the server core installation of Windows Server 2008/2008 R2 and 2012/2012 R2. Windows Server Technical Preview 5 is also affected. It is rated important for all. Windows 8 and later client machines and Windows Server 2012 and later servers that are joined to a domain are protected from this vulnerability.
The update addresses a single elevation of privilege vulnerability in the Group Policy component of Windows that could be exploited to launch a man-in-the-middle attack on data as it moves between a domain controller and the targeted computer.
The update fixes the problem by enforcing Kerberos authentication for certain calls over LDAP.
MS16-073 (KB 3164028) This is an update for the Windows Kernel-Mode Drivers that applies to all supported versions of the Windows client and server operating system, including Windows RT and the server core installation of Windows Server 2008/2008 R2 and 2012/2012 R2. Windows Server Technical Preview 5 is also affected. It is rated important for all.
The update addresses three vulnerabilities, two of which are elevation of privilege issues by which an attacker could run arbitrary code in kernel mode (but only if able to log on to the targeted system). The other is a Virtual PCI information disclosure issue caused by VPCI's failure to properly handle uninitialized memory. Again, the attacker would have to be able to log on in order to exploit the vulnerability.
The update fixes the problems by changing both the way the kernel-mode driver handles objects in memory and the way VPCI handles memory.
MS16-074 (KB 3164036) This is an update for the Microsoft Graphics component (GDI32.DLL). It affects all supported versions of Windows client and server operating systems, including Windows RT and the server core installation of Windows Server 2008/2008 R2 and 2012/2012 R2. Windows Server Technical Preview 5 is also affected. It is rated important for all.
The update addresses three separate vulnerabilities, one of which is an information disclosure issue, and two of which are elevation of privilege issues. Both of the EoP issues are related to improper handling of objects in memory, one in Windows and one in Adobe Type Manager Font Driver (ATMFD.dll). The attacker would have to be able to log on in order to exploit either vulnerability.
The update fixes the problems by changing the way GDI32.dll handles objects in memory, the way the Windows kernel-mode driver (Win32k.sys) handles objects in memory and the way ATMFD.dll handles objects in memory.
MS16-075 (KB 3164038) This is an update for the Windows Server Message Block Server component. It affects all supported versions of Windows client and server operating systems, including RT and the server core installation of Windows Server 2008/2008 R2 and 2012/2012 R2. It is rated important for all.
The update addresses a single vulnerability in the SMB Server that could be exploited by forwarding an authentication request intended for another service running on the same computer, which could lead to execution of arbitrary code with elevated permissions. However, the attacker would have to be able to log on to the system locally with valid logon credentials. There is a workaround, the details and instructions for which are published in the security bulletin at https://technet.microsoft.com/library/security/MS16-075
The update fixes the problem by changing the way the Windows SMB Server handles credential-forwarding requests.
MS16-076 (KB 3167691) This is an update for the Netlogon service in Windows. It applies to all supported versions of the Windows Server operating system – 2008/2008 R2 and 2012/2012 R2 – including server core installations. It is rated important for all.
The update addresses a single memory corruption vulnerability that can be exploited to accomplish remote code execution, but the attacker would have to be able to authenticate to the Windows domain with valid domain credentials. There are no identified mitigations or workarounds published.
The update fixes the problem by changing the way Windows handles objects in memory.
MS16-077 (KB 3165191) This is an update for the Web Proxy Auto Discovery (WPAD) protocol in Windows. It applies to all supported versions of the Windows client and server operating systems, including RT and the server core installations. It is rated important for all.
The update addresses two separate vulnerabilities, both of which are elevation of privilege issues. There are workarounds for both, the details and instructions for which are published in the security bulletin at https://technet.microsoft.com/library/security/MS16-077.
The update fixes the problems by changing the way Windows handles proxy discovery and automatic WPAD proxy detection.
MS16-078 (KB 3165479) This is an update for the Windows Diagnostic Hub in Windows 10. It applies only to Windows 10 (including version 1511) for both 32-bit and 64-bit systems. It is rated important.
The update addresses a single elevation of privilege vulnerability in the Windows Diagnostic Hub Standard Collector Service caused by a failure to properly sanitize input, which can result in insecure library loading. In order to exploit it, the attacker would have to be able to log on to the system.
The update fixes the problem by changing the way the WDHSCS sanitizes input.
MS16-079 (KB 3160339) This is an update for Microsoft Exchange Server. It applies to all supported versions of Exchange: 2007, 2010, 2013 and 2016. It is rated important for all.
This update addresses three elevation of privilege vulnerabilities in third-party code, the Oracle Outside In libraries, for which Microsoft licenses a custom implementation. This code is included in Exchange Server. The update also addresses an information disclosure vulnerability in which the way Exchange parses HTML messages creates a bypass of the email filter. This could be exploited to identify and track a user online when the user views messages via OWA.
The update fixes the problem by changing the way Exchange parses HTML messages.
MS16-080 (KB 3164302) This is an update for Windows PDF. It applies only to Windows 8.1, Windows 10 and Server 2012/2012 R2. It is rated important for all.
The update addresses three vulnerabilities that can be exploited when a user opens a .pdf file in Windows. Two are information disclosure issues that an attacker could use to read information in the context of the current user. The other is a remote code execution vulnerability. There are no identified mitigations or workarounds for any of them.
The update fixes the problems by changing the way Windows parses .pdf files.
MS16-081 (KB 3160352) This is an update for Windows Active Directory in Windows Server 2008 R2 and 2012/2012 R2, including the server core installation. Windows Server 2016 Technical Preview 5 is also affected. It is rated important for all.
The update addresses a single vulnerability that occurs when an authenticated user creates multiple machine accounts. In order to exploit the vulnerability, the attacker must have valid credentials for an account that has privileges to join new machines to the domain. In this case, the attacker can launch a denial of service attack and cause Active Directory to become non-responsive. There are no identified mitigations or workarounds.
The update fixes the problem by changing the way machine accounts are created.
MS16-082 (KB 3165270) This is an update for the Windows Search component. It applies to Windows 7, 8.1, RT 8.1 and 10, as well as Server 2008 R2 and 2012/2012 R2, including the server core installation. Windows Server 2016 Technical Preview 5 is also affected. It is rated important for all.
The update addresses a single vulnerability in Windows Search that is caused by improper handling of objects in memory. An attacker who exploited this vulnerability could create a denial of service condition by degrading the performance of the server and rendering it unavailable. There are no identified mitigations or workarounds.
The update fixes the problem by changing the way the Windows Search component handles objects in memory.