This August Patch Tuesday from Microsoft brings a relatively light series of updates, with five rated as critical and the remaining four rated as important.
Aside from the relatively few updates from Microsoft, there are no zero-day or publicly disclosed vulnerabilities this month. Microsoft has also chosen to update a number of relatively minor components this month with the exception of MS16-098 (another kernel update). Later this month, we will add some additional in-depth analysis to this patch update cycle including potential patch deployment clashes with common applications and a risk assessment for deployment desktop and server updates.
Shavlik is also covering the risk assessment of deploying Microsoft patches and they have created a nice infographic for August found here.
MS16-095 — Critical
The first update rated as critical for this August Microsoft Patch Tuesday follows the standard release cycle pattern with an update to Microsoft Internet Explorer (IE). MS16-095 attempts to resolve nine privately reported memory corruption issues that if left un-patched could lead to a remote code execution scenario. This is a pretty standard “technical hygiene” update from Microsoft that does not have to address any urgent “zero-day” vulnerabilities. As is this case for these types of updates, a full application “binaries” refresh will be included in this update, which applies to all currently supported versions of IE. Add this update to your standard desktop deployment effort.
MS16-096 — Critical
MS16-097 — Critical
MS16-097 follows a long pedigree of Microsoft updates that attempt to resolve issues in how Windows platforms handle embedded fonts. This month’s update attempts to resolve three vulnerabilities that following successful web-page for file-based attacks could lead to the execution of arbitrary code on a non-patched or compromised system. As this patch affects all Windows (desktop and server) platform, Microsoft Office and Lync, please add this update to your prioritised patch deployment effort.
MS16-099 — Critical
MS16-099 is a huge update for Microsoft that attempts to resolve seven high risk exploits that at worst could lead to a remote code execution scenario. In addition to numerous security patches, this update also includes a significant feature level update to several versions of Microsoft Outlook (Outlook 2007, 2013, 2106 - both 32 and 64-bit editions). It also looks like attackers could use three approaches to compromise a system including: specially crafted web pages, special files and emails. Make this update a priority for your patch deployment effort.
MS16-102 — Critical
MS16-0102 addresses a single (as of yet, unrated by Microsoft and privately reported) vulnerability in the built-in PDF viewer in Windows 8.x and Windows 10 systems. This update is linked to the July cumulative update for Windows 10 that included an update to the PDF handler as well. If a user opens a specially crafted PDF file, it appears that with deploying this update or employing several registry related security restrictions, a remote code execution scenario will occur on the compromised system. Add this update to your priority patch deployment effort.
MS16-098 — Important
MS16-098 attempts to address four serious (but privately reported) vulnerabilities in the Windows kernel mode drivers that if left unpatched could lead to an elevation of privilege scenario. This is a tricky update with a long history of past issues and problems with these types of patches. I would deploy this update to IT first, and then wait a little while.
MS16-100 — Important
MS16-100 represents the perfect summer update. It’s a simple, single fix to a low profile Windows component, with low deployment risk. Add this update to your standard patch deployment effort.
MS16-101 — Important
MS16-101 addresses two privately reported vulnerabilities in the Windows authentication engine. Both vulnerabilities are relatively tough to exploit and require physical access to domain-joined systems. However, as this update affects all currently supported versions of both desktop and server systems from Microsoft, it needs to be added to your standard update deployment effort.
MS16-103 — Important
MS16-103 is the final update for this August that attempts to address a difficult to exploit, privately reported vulnerability in a relatively minor component of Windows 10 desktop systems. Add to your standard Windows 10 deployment effort.
This article is published as part of the IDG Contributor Network. Want to Join?