October's change of season brings a fundamental change to how Microsoft presents and delivers updates to Windows 7 and 8.x systems. As of this month, Microsoft follows the Windows 10 cumulative update model for all currently supported versions of Windows, including Windows 7 and 8.x. You can read more about this major change to Patch Tuesday on Microsoft's TechNet blog. This is a big departure from the more granular approach of individual updates and patches: Microsoft will now "roll up" security, browser and system component (.NET) fixes into aggregate patches.
This month Microsoft has released ten updates with five rated as critical, four rated as important and one update with a lower security rating of moderate. This release cycle includes several “Patch Now” updates for IE, Edge, Adobe Flash Player and a small component of Microsoft Office. All of these patches will require a restart.
As well as producing its usual helpful Patch Tuesday infographic, Shavlik's blog includes a very insightful interview between Chris Goettl of Shavlik and Phil Richards, the CSO of LANDesk, on the change in Microsoft's servicing model.
MS16-118 — Critical
Given all the recent changes by Microsoft in how we will manage patches and updates in the future, we start this October Patch Tuesday with a critical update to Microsoft Internet Explorer, MS16-118. This update to Microsoft's now aging browser attempts to resolve 11 security vulnerabilities relating to memory corruption and scripting engine issues, which at worst could lead to a remote code execution scenario. Unfortunately, at least one of these memory-related security issues has already been exploited and reported back to Microsoft, making this a "Patch Now" update.
MS16-119 — Critical
MS16-119 is a fairly substantial update to Microsoft's new "evergreen" browser for Windows 10, which attempts to resolve seventeen memory, namespace handling and scripting issues in Microsoft Edge. Unfortunately, as with IE, this month's October update for Microsoft Edge includes a fix for a recently detected, publicly released exploit, which makes this update a "Patch Now" update for all supported Windows 10 platforms as well.
MS16-120 — Critical
MS16-120 does not pose the same level of urgency as this month's updates to IE and Edge, but it does cover a lot of territory, with updates to two core components of the Windows platform: the Win32 and GDI graphics components. Microsoft has advised that all versions of Office, Lync, Silverlight and even the .NET Framework are affected by the potential for a remote code execution scenario on all supported Windows (desktop and server) platforms. This patch will have a large potential impact on many layers of the application stack. It needs to be first in line for application testing and may need some time before general deployment.
MS16-122 — Critical
MS16-122 addresses a single privately reported vulnerability in the Windows video component that, left unpatched, could lead to a remote code execution scenario. This update has a much lower risk rating and a lower exposure to potential application compatibility issues. Add this update to your standard deployment schedule.
MS16-127 — Critical
MS16-127 addresses 12 "priority 1" security vulnerabilities in Adobe Flash Player that, left unpatched, could lead to a remote code execution scenario. Unlike previous Microsoft patch cycles, this Flash Player update does not appear to be closely tied to a corresponding IE or Edge update. This update only affects Windows 8.x platforms and should be part of your "Patch Now" deployment effort.
MS16-121 — Important
MS16-121 addresses a single publicly disclosed memory corruption vulnerability in the way all currently supported versions of Microsoft Office handle RTF files. Microsoft has not provided any mitigation advice or workarounds for this issue, and so we are now (unusually) adding a Microsoft Office update to the "Patch Now" list even though Microsoft has rated it as important (not critical). As a warning to home users, this update may be offered to you even if you have not installed all the components of Microsoft Office. If you have even a small sub-component of Office or the compatibility pack (which includes file converters) installed, you are exposed to this reported security issue.
MS16-123 — Important
MS16-123 addresses five privately reported vulnerabilities in the Windows kernel-mode component that could lead to an elevation of privilege scenario. This is a pretty hefty update that includes changes to a large number of core system files. It appears that for an attacker to successfully compromise a target system, a specially crafted executable must be run on it. These kinds of attacks are much more difficult these days, as most systems (including modern browsers) block or warn before running such executables. Given the scope of this update and the slightly reduced risk, stage the deployment throughout your organization.
MS16-124 — Important
MS16-124 addresses four lower-risk issues in the Windows kernel that directly affect the Windows registry. This is (again) a large update to a number of core Windows components that affects all supported versions of Windows (desktop and server). Given the reduced exploitability and the more demanding requirements of a successful attack using the registry API, this update could benefit from some testing of IT administrator and developer tools before general deployment.
MS16-125 — Important
MS16-125 addresses a single privately reported vulnerability in a Windows diagnostic component that could lead to an elevation of privilege. This patch only applies to Windows 10, and so it will be included in your standard Windows 10 cumulative ("roll-up") update alongside all other Windows updates.
MS16-126 — Moderate
MS16-126 addresses a single, privately reported, difficult-to-exploit vulnerability in the Microsoft IE messaging API sub-system. Moderate is Microsoft's lowest rating for a patch, reflecting its lower associated risk profile. Add this update to your standard deployment effort.