Five of the nine security bulletins released by Microsoft this Patch Tuesday are rated “critical,” including one that covers CVE-2016-3329, a vulnerability that Craig Young, security researcher with Tripwire's Vulnerability and Exposure Research Team (VERT), said could “give attackers a good bit of insight into victim PCs.”
Attacker-controlled content, he said via emailed comments to SCMagazine.com, “would actually be able to determine the existence of specific files on a victim's machine.”
Young noted that while “this is certainly not as bad as a code execution bug or an arbitrary file read issue, it does put the attacker in a unique situation to fingerprint victims and potentially identify vulnerable software on the target not generally exposed to the web browser.”
That's a plus because it makes it “easier for an attacker to gain useful access by exploiting a media player or a document viewer rather than the highly isolated browser sandbox,” he said. “A clever attacker could then create an effective browser-based attack capable of achieving code execution outside of the browser's sandbox but without having to work through a sandbox escape.”
While the nine bulletins addressed 32 CVE-related issues, the release is smaller than usual.
The focus is also exclusively on desktop deployments. “It looks like IT administrators who are responsible for the datacenter machines get a break,” Rapid7 Security Research Manager Tod Beardsley said in comments emailed to SCMagazine.com. “This is not to say the server operating systems are completely unaffected, of course. For example, Windows servers running Terminal Services tend to act as both desktop and server environments.”
But Windows server admins, by and large, “can roll out patches at a fairly leisurely pace,” he said.
Not surprisingly, the release provides fixes for Internet Explorer, Edge, Office and Adobe Flash.
“As far as the new patches go, there are some typical remote code execution browser exploits for Internet Explorer and Edge,” Michael Gray, vice president of technology at Thrive Networks, said in comments emailed to SCMagazine.com. To exploit the remote code execution flaws in IE and Edge, “the user running the browser needs to have administrative rights, and in business environments I strongly recommend avoiding end user admin rights at all costs,” he said. “The benefit is worth any inconvenience it may cause. The other critical updates relating to the graphics library and PDF viewer which was released in Windows 8 should be installed and they appear to be low risk.”
He also called out the MS16-103 patch “for something called ‘Universal Outlook,’” a special version of Outlook that runs in tablet mode, as interesting. “The only time we've seen anyone use that is by getting into it by accident,” Gray said. “Given it has a bug and there is no companion update for ‘regular’ Outlook, I would be concerned that Microsoft is using a different codebase for the Universal application.”
Beardsley noted that “MS16-097 fixes the way Microsoft performs its font rendering to avoid code execution.”
That patch is “a bit bigger than most” because it affected a number of Microsoft products, “as Windows itself, along with Office, Skype, Lync, and LiveMeeting all ship with their own font renderers,” he explained. “This bulletin was certainly prompted by the excellent fuzzing work published last month at Google's Project Zero, seeing as Mateusz Jurczyk is acknowledged specifically in the release notes, and he happened to have also written up Google's year-long font fuzzing effort over at the Project Zero blog.”
Beardsley also pointed to MS16-101, which fixes a pair of authentication bugs. “Skimming the title, this one gave me pause; after all, what's better for a bad guy than an attack on the authentication system itself? However, these issues are rated as merely ‘Important’ because the attacker already needs to be in a privileged position to exploit them,” he said. “MS16-101 is a ‘he's calling from inside the house’ kind of scenario, where the attacker is either a legitimate domain user already, or has already compromised the target domain-joined machine through some other means. In any event, the vulnerabilities only affect the local domain member workstation.”
Bobby Kuzma, CISSP, systems engineer at Core Security, noted that the privilege escalation vulnerability affects all versions of Windows, “officially back to Vista,” but it may not stop there. “Bet you a dollar that XP is vulnerable too,” he said in comments emailed to SCMagazine.com. “Interestingly, there's two separate CVEs associated with this: one for Kerberos and one for NetLogon. The NetLogon flavor seems to only impact Windows 8 and Server 2012.”
The MS16-100 update, for a Secure Boot feature bypass, “closes a hole where an attacker with admin privileges or physical access can install a different boot manager that would in turn disable features,” Kuzma said. “And Windows Server 2016 Technical Preview 5 is impacted too.”
Gray speculated that Microsoft deliberately kept the number of updates lower “so as not to overshadow the release of their Windows 10 Anniversary update.”
First published in SC Magazine.