Microsoft traditionally has a large patch release for September. This September's Patch Tuesday is no exception with 14 updates, seven rated as critical, seven rated as important, altogether resolving a total of 50 reported vulnerabilities.
Unlike last month, September brings a zero-day vulnerability with the update MS16-104. Unfortunately, this patch to IE also includes a publicly reported security issue. So this month we have a number of Microsoft updates on the "Patch Now" list, including MS16-104, MS16-115, MS16-116 and MS16-117. The update to the Windows kernel with MS16-111 may make some administrators pause for a little more testing because of the core system files it updates.
Next month, Microsoft's Patch Tuesday will change significantly for Windows 7 and Windows 8.x as all future updates will follow the Windows 10 "roll-up" or cumulative update process outlined in this Microsoft TechNet blog posting. It is possible that this "patch bundling" approach will change IT administrators' approach to risk when considering deploying patch updates. I echo Chris Goettl's thoughts here with his blog quote, "The bottom line here is exceptions due to application compatibility issues will become more compounded from a risk perspective. Companies will have to do more rigorous application compatibility testing to ensure things don’t break when these larger bundled security updates are pushed to systems." Shavlik has also published a handy infographic for this September Patch Tuesday here.
MS16-104 -- Critical
MS16-104 is the first update rated critical by Microsoft for this September Patch Tuesday. This update to Internet Explorer (IE) attempts to resolve 10 privately reported vulnerabilities in the way all currently supported versions of IE handle memory, corrupt URL files and cross-origin content (also known as cross-site scripting) that could lead to a remote code execution scenario on an unpatched machine. One of these reported vulnerabilities was publicly detected (and reported to Microsoft), so this change to IE is a "Patch Now" update for this month.
MS16-105 -- Critical
MS16-105 is the critical-rated update to Microsoft's Windows 10 browser, Edge, that attempts to resolve 12 privately reported vulnerabilities that could lead to a remote code execution scenario. It looks like this update includes changes to how Edge handles PDF files, which may also link it to the Windows update MS16-115. Unlike the update to IE, this update to Edge does not attempt to resolve an issue that has been publicly reported, so it can be added to your standard Windows 10 patch deployment effort.
MS16-106 -- Critical
MS16-106 attempts to resolve five privately reported vulnerabilities in the core Windows Graphics component (GDI32.DLL and Win32k.sys). Most of these privately reported vulnerabilities could lead to elevation of privilege or information disclosure security issues. We have seen numerous updates to these two files before and these reported vulnerabilities are not "super" serious. I would test this update with some line-of-business applications (try AutoCAD or something as graphically heavyweight) before general deployment of this Microsoft patch.
MS16-107 -- Critical
MS16-107 addresses 13 moderate memory corruption issues in Microsoft Office and how the Microsoft click-to-run technology affects Microsoft's App-V application virtualisation technology. This is a pretty large update from Microsoft that affects all currently supported versions of Office for Windows and Office for Mac.
MS16-108 -- Critical
MS16-108 is my favorite kind of update from Microsoft. This Microsoft patch addresses three low level (relatively low risk) vulnerabilities in a single product with a focused and select number of files to update. Very tidy, and should be low risk to deploy. Add this update to your standard deployment effort.
MS16-116 -- Critical
MS16-116 attempts to address a single reported vulnerability in the scripting component of the now aging Windows component (OLE). Microsoft OLE (Object Linking and Embedding) is a key (and powerful) component of the Windows user sub-system and, due to many legacy issues with different versions, has caused numerous compatibility problems and system crashes. With modern systems (Windows 7, 8.x and 10) we have not seen many issues with this core Windows technology. This update addresses a single low-risk exploit with a single file-level update (OLEAUT32.DLL), but there is a catch. To fully resolve this issue, this patch must be paired with the IE patch MS16-104. Add this update to your "Patch Now" list due to the link with IE.
MS16-117 -- Critical
MS16-117 attempts to resolve 29 memory corruption and "use after free" vulnerabilities in Adobe Flash Player with a priority 1 update (APSB16-29). This update is very similar in scope and risk to previous Microsoft and Adobe paired updates and, not surprisingly, this patch is a direct update to MS16-093. Microsoft (amusingly) offers the following mitigation advice, "Disable Adobe Flash", and more generally advises users to disable ActiveX controls. Add this to your "Patch Now" list of updates for September.
MS16-109 -- Important
MS16-109 addresses a single, hard-to-exploit vulnerability in Microsoft Silverlight, where a user visiting a specially crafted Silverlight website could lead to a remote code execution scenario on the unpatched system. Though Silverlight development has stopped, Microsoft will support this web development platform until 2021 (ten years after version 5 was released in 2011). Add this update to your standard deployment effort.
MS16-110 -- Important
MS16-110 addresses four reported vulnerabilities in one of Microsoft Active Directory's core components, the Directory Service Agent. Normally, this kind of update would not attract much attention. Unfortunately, this patch is an update to MS16-101, which generated a significant number of authentication issues in complex domain environments, which Microsoft referenced in the Microsoft Knowledge Base article KB3178465. This patch may require some additional testing on domain controllers (especially if you use Kerberos authentication components) before general deployment.
MS16-111 -- Important
MS16-111 addresses five privately reported vulnerabilities in the Windows kernel. This update contains a number of updates to key TrueType fonts (TTF) and a more serious change to three core system files: NTDLL.DLL, NTOSKRNL.EXE and KRNLPROV.DLL. This patch is the latest revision to numerous previous patches, including August's update MS16-101 (mentioned in MS16-110). It may be best to wait until next week, with the next round of security updates from Microsoft, before general deployment.
MS16-112 -- Important
MS16-112 addresses a single, privately reported vulnerability in the Windows Lock Screen component which, left unpatched, could lead to an elevation of privilege scenario. This is a pretty discrete patch from Microsoft with a lower risk rating. Add this update to your standard patch deployment effort.
MS16-113 -- Important
MS16-113 addresses a single privately reported vulnerability in the Windows Secure Kernel Mode component and, like the previous patch to this core Windows component (MS16-089), only applies to Windows 10. This patch will be included in this month's cumulative roll-up of patches for Windows 10 systems and therefore deployed as a single unit.
MS16-114 -- Important
MS16-114 addresses a single, privately reported vulnerability in the Microsoft SMB Server component. This update changes a few core files in the SMB Server component to resolve a relatively low risk exploit. Add this update to your standard patch deployment effort.
MS16-115 -- Important
MS16-115 addresses two privately reported vulnerabilities in the Windows PDF handler that could lead to an information disclosure security scenario. This patch is an update to a previous Microsoft patch (MS16-102 was released and subsequently updated in August 2016). Normally, this update would be added to the standard patch deployment list. However, after examining the patch manifest, this update should be paired and deployed with the IE update MS16-104. So, add this patch to your "Patch Now" list.