I think that we were all hoping for a “boring” Patch Tuesday for this July update cycle. With “only” 11 updates, six rated as critical and the remaining patches rated as important, this month does provide some relief from the very large releases seen in the past few months.
However, although there are no “zero-day” vulnerabilities reported so far from Microsoft, there is an urgent “Patch Now” update in the form of MS16-093, wrapping a huge update from Adobe that resolves a whopping 52 issues in Adobe Flash Player. In addition, we all need to deploy MS16-087 as a priority due to a relatively easily exploitable drive-by attack on the Windows Spooler print sub-system.
Shavlik has published a great infographic of this month's patch release which can be found here. Next month we will see the release of the Windows 10 Anniversary update (expected August 2nd) and with it a number of Windows 10 specific updates.
MS16-084 — Critical
The first update rated as critical for July Patch Tuesday is MS16-084, which attempts to address 15 vulnerabilities in Microsoft Internet Explorer (IE) related to memory corruption and JScript and VBScript handling issues. This update, and the following two, essentially address similar issues. There do not appear to be any zero-day IE vulnerabilities for this Patch Tuesday release cycle, so add this update to your standard patch deployment effort.
MS16-085 — Critical
MS16-085 is the Edge update paired with IE update MS16-084, which attempts to resolve another 13 privately reported vulnerabilities, most relating to memory corruption issues and security vulnerabilities in JScript and VBScript. Add this update to your standard desktop deployment effort.
MS16-086 — Critical
The third critical update for this Patch Tuesday release cycle is MS16-086 which addresses a single privately reported vulnerability in the core Windows components: JScript and VBScript. This update only applies to Windows Vista and Server 2008, and so you are unlikely to have to deploy it as you will have already resolved some of the key vulnerabilities in these two venerable scripting languages with this month’s patches to IE and Microsoft Edge. Add this update to your standard desktop deployment effort.
MS16-087 — Critical
MS16-087 is a critical update to the Windows Print Spooler sub-system. If you have ever had problems printing on a Windows system over the past decade or so, one of the primary remedies was to “stop and then restart” this print spooler service, which was faster than a reboot.
This month’s patch addresses a man-in-the-middle attack which could allow a remote attacker complete control of the target system by loading malicious code at the same time as the printer driver. This was made possible because Microsoft relaxed installation security controls (UAC) so that neither administrator-level access nor a digitally signed driver was required to load printer drivers and their associated software (EXEs and DLLs). If your printer is connected to the network, it could be a security “watering-hole” for groups of attackers. This is a "Patch Now" update from Microsoft.
MS16-088 — Critical
MS16-088 is this month’s update to Microsoft Office. This patch addresses seven privately reported memory corruption vulnerabilities, which if left unaddressed could lead to a remote code execution scenario. One of the primary culprits in this collection of vulnerabilities relates to how Microsoft handles RTF document files. Microsoft has offered a mitigation approach of blocking Office from loading these RTF files.
I suggest stronger medicine: backup and convert all of your legacy RTF files to PDF. Please note that this update will affect all Microsoft servers (running Web Apps and SharePoint) and so you will need to manage both desktop and server patch deployment efforts.
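A read-only check for the RTF File Block mitigation mentioned above, added here as an example and not taken from the article or from Microsoft's bulletin. The registry paths, the `RtfFiles` and `OpenInProtectedView` value names and their meanings follow Microsoft's Office File Block policy settings, and the Office version list is an assumption; none of these appear in the article.

```powershell
# Added example (not from the original article). Read-only audit of Word's
# File Block setting for RTF in the current user's registry hive.
# Assumptions: Office 2010/2013/2016 version keys; value names and meanings
# as documented in Microsoft's Office File Block policy settings.
$versions = [ordered]@{ '14.0' = 'Office 2010'; '15.0' = 'Office 2013'; '16.0' = 'Office 2016' }
$roots = @(
    'HKCU:\Software\Policies\Microsoft\Office',   # written by Group Policy
    'HKCU:\Software\Microsoft\Office'             # per-user Trust Center setting
)

function Get-RtfBlockState {
    param($RtfFiles, $OpenInProtectedView)
    if ($null -eq $RtfFiles) { return 'NotConfigured' }
    switch ([int]$RtfFiles) {
        0 { return 'NotBlocked' }
        1 { return 'SaveBlockedOnly' }
        3 { return 'Blocked' }
        4 { return 'ProtectedView' }
        5 { return 'ProtectedViewEditable' }
        2 {
            # "Open/Save blocked, use open policy": outcome depends on OpenInProtectedView
            if ($null -eq $OpenInProtectedView) { return 'OpenPolicyNotSet' }
            switch ([int]$OpenInProtectedView) {
                0 { return 'Blocked' }
                1 { return 'ProtectedView' }
                2 { return 'ProtectedViewEditable' }
            }
        }
    }
    return 'Unknown'
}

# Report every FileBlock key that exists, so a gap in one Office version is visible.
foreach ($ver in $versions.Keys) {
    foreach ($root in $roots) {
        $key = Join-Path $root "$ver\Word\Security\FileBlock"
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Office = $versions[$ver]
            Key    = $key
            State  = Get-RtfBlockState $p.RtfFiles $p.OpenInProtectedView
        }
    }
}
```

An Office version that produces no output row has no File Block key for Word in this user's hive, so RTF handling there is at the product default.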
MS16-093 — Critical
MS16-093 is the Microsoft wrapper to the enormous security patch APSB16-25 from Adobe that resolves 52 security issues in Adobe Flash Player that could lead to an attacker taking complete control of the compromised system. There are several mitigating factors that could reduce the risk, as all Windows Servers will run Flash content (any ActiveX controls) in restricted mode and Windows 8 and later systems will only load Flash content that has been approved (whitelisted) using the Microsoft Compatibility View list. These vulnerabilities are a major concern. Please deploy MS16-093 immediately. And, please could everyone stop using Flash.
MS16-089 — Important
MS16-089 is one of the early Windows-10-only updates from Microsoft and the first patch rated as important for this Patch Tuesday. This patch addresses a single privately reported issue that could lead to information disclosure. Microsoft has not published any workarounds or mitigating factors, so you can deploy this patch with all of the other Windows 10 cumulative updates.
MS16-090 — Important
MS16-090 is an update to the Windows Kernel Mode driver sub-system that addresses six privately reported vulnerabilities that, if left unpatched, could lead to an elevation of privilege scenario on a compromised system. The published exploitability ratings for these vulnerabilities are relatively high. However, updating the kernel has caused a number of issues in the past. Add this to your standard deployment schedule, but test all core workstation builds before deployment.
MS16-091 — Important
MS16-091 is an important update from Microsoft for all currently supported versions of the Microsoft .NET development framework. The single, privately reported vulnerability that Microsoft has attempted to resolve in this update could lead to an information disclosure event through the improper parsing of an attacker’s specially crafted XML file included in a web application. Add this update to your standard patch deployment effort.
MS16-092 — Important
MS16-092 is an update to the Windows kernel (not to be confused with the kernel mode driver update in MS16-090) that addresses two privately reported lower-risk vulnerabilities that affect all currently supported versions of Windows desktop and server platforms. Add this update to your standard patch effort.
MS16-094 — Important
MS16-094 addresses a single reported vulnerability in the Windows Secure Boot system that, if left unpatched, could let an attacker bypass security restrictions on a compromised machine. This exploit has a lower risk rating as the attacker would require both physical access to the machine and administrative privileges. Add this update to your standard patch effort.