Third-party coverage for the August Patch Tuesday is pretty light. But just because we have no releases from Adobe, Google, Apple or Mozilla doesn’t mean there is nothing to worry about. Last week Google Chrome and Mozilla Firefox released security updates. Mozilla addressed four critical vulnerabilities in Firefox 48 and Chrome resolved four high vulnerabilities (their critical equivalent) in Chrome 52.
Microsoft has released nine bulletins this month. Five are rated as critical and four as important. There are no public disclosures or exploits in the wild this month! Also, for those of you looking at Windows 10 1607, you may want to hold off for a little bit. There are a lot of issues circulating because systems did not successfully upgrade, and the recovery options are not spectacular.
Let’s take a closer look at the five critical bulletins this month. All five include fixes for user targeted vulnerabilities and many of them could be reduced in impact if the user is running as less than a full administrator. User-targeted vulnerabilities are easier for an attacker to exploit as they only have to convince a user to click on specially crafted content; it is an easy and quick way for them to gain entry to your network. Understanding which bulletins include vulnerabilities that are user targeted can help you prioritize where to focus your attention first. Endpoints are the entry point for many forms of attacks, from APTs to Ransomware. Plugging as many user-targeted vulnerabilities on the endpoints is a good practice to reduce entry points to your network.
The Five Critical Bulletins
MS16-095 is a cumulative update for Internet Explorer. This bulletin is rated critical and resolves nine vulnerabilities, most of which are user targeted.
MS16-096 is a cumulative update for Edge. This bulletin is rated as critical and resolves 10 vulnerabilities, most of which are user targeted.
MS16-097 resolves three vulnerabilities in Microsoft Graphics Component. The bulletin is rated as critical and affects both Windows and Office. In Office, the Preview Pane is an attack vector for these three vulnerabilities, so an attacker does not even need to convince a user to click on content if the preview is enabled.
MS16-099 resolves seven vulnerabilities in Microsoft Office. This bulletin is rated as critical and one of the resolved vulnerabilities is exploitable through the Preview Pane.
MS16-102 is rated as critical and resolves one vulnerability in Microsoft PDF. This vulnerability is user targeted. If you are using the Edge browser on Windows 10 it is possible to exploit this vulnerability simply by visiting a website with specially crafted PDF content. On all other OS versions, the attacker would need to convince users to click on the specially crafted content because Internet Explorer does not render PDF content automatically.