October Patch Tuesday 2016
October Patch Tuesday will see some changes to how Microsoft and Adobe will be distributing updates. There is a lot of buzz regarding Microsoft’s servicing changes to pre Windows 10 systems. October Patch Tuesday is the first release under this new servicing model, which we will talk about more in a moment. There are a few changes for Adobe Flash Player starting this month that you will need to be aware of. We are expecting a Google Chrome release today and Oracle’s Quarterly CPU next week, so plan on updates for Java JRE and many other Oracle solutions.
Regarding Microsoft’s servicing model changes, Microsoft has basically consolidated all IE and OS bulletins into a single update. This will be served up in one of two ways: as a security only quality update or a security monthly quality rollup. The biggest difference between these is the security only is bundling each month’s security updates only. The rollup includes non-security fixes as well as being cumulative. I recently spoke with CSO Phil Richards about this change and he provided some good feedback as far as the challenges companies may face. In last week’s Patch Tuesday Forecast, I also talked about some recommendations on how best to choose between the security only and the rollup options.
Adobe has changed their distribution for Flash Player, so you would need to get an agreement in place with Adobe to be able to get access to the Flash Player distribution page. Today also marks the final release of Flash Player ESR. So instead of a current branch and stable branch, Adobe will just have current branch. Since they are doing fewer feature changes to Flash Player, having a single branch simplifies their release model. The new distribution page included this notification:
Oracle’s Quarterly CPU is coming next week on the 18. Oracle releases on the first month of each quarter on the Tuesday nearest to the 17, which typically falls the week after Patch Tuesday. Watch for an update next week for Java and many other Oracle products.
Google Chrome should be releasing today. The Dev channel for Chrome Desktop updated late last week which usually indicates a Chrome release on Patch Tuesday or soon after. With a Flash Player update, they will be releasing to support the latest plug-in, but likely will have some additional security fixes as well.
Let’s break down the more severe of these bulletins.
Looking at the infographic you would see that Microsoft has released 10 bulletins today — five of which are rated as critical — and there are four unique Zero Day exploits across five of the bulletins. Now there are 10 bulletins, but the actual number of deployable packages is less. There will be the security only or security rollup, which will bundle MS16-118, MS16-120, MS16-122, MS16-123, MS16-124, MS16-125 and MS16-126 together in a single installer. For systems where you have installed a newer version of .Net you will have the .Net Rollup. Skype, Lync, Office and Flash are separate updates yet. So you could have as many as seven packages to deliver to some endpoints, but most will be getting around five actual packages to test.
MS16-118 is a critical update for Internet Explorer. This bulletin resolves 11 vulnerabilities including one Exploit in the Wild (CVE-2016-3298). There are multiple vulnerabilities in this bulletin that are user targeted, meaning the attacker can convince a user to open specially crafted web content to exploit the vulnerabilities. Several of the vulnerabilities can also be mitigated if the user is running as less than a full administrator, the attacker would only gain equal rights to the user reducing the impact if exploited.
MS16-119 is a critical update for Edge browser. This bulletin resolves 13 vulnerabilities including one Exploit in the Wild (CVE-2016-7189). Many of the vulnerabilities resolved in this bulletin are user targeted. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.
MS16-120 is a critical update for .Net Framework, Office, Skype for Business, Lync and Silverlight. The bulletin resolves seven vulnerabilities including one Exploit in the Wild (CVE-2016-3393). This bulletin includes vulnerabilities that are user targeted. An attacker can host specially crafted web content or specially crafted document file designed to exploit the vulnerabilities. One of the vulnerabilities (CVE-2016-3396) can also be exploited through the Outlook Preview Pane. Users running with reduced privileges could reduce the impact if exploited.
MS16-121 is an important update for Office. The bulletin resolves one vulnerability, which has been Exploited in the Wild (CVE-2016-7193). An attacker could craft a file to send through email or by specially crafting web content designed to exploit the vulnerability. Users running with reduced privileges could reduce the impact if exploited.
MS16-122 is a critical update for Windows. The bulletin resolves one vulnerability. An attacker could exploit this vulnerability by convincing a user to open a specially crafted file from a webpage or an email message. The Outlook Preview Pane is an attack vector for this vulnerability. Users running with reduced privileges could reduce the impact if exploited.
MS16-126 is a moderate update for Windows. The bulletin resolves one vulnerability, which has been Exploited in the Wild (CVE-2016-3298). This is the same CVE ID as the Exploit in MS16-118 for Internet Explorer. To fully resolve the vulnerability, both MS16-118 and MS16-126 must be installed. For Windows Vista and Server 2008, this means installing two separate packages. For newer Oss, both will be included in the security only or security rollup package.
MS16-127 is a critical update for Flash Player for Internet Explorer. This update resolves 12 vulnerabilities in Adobe Flash Player Plug-In for Internet Explorer. To fully resolve Flash Player vulnerabilities you must install updates for Flash Player, Flash for IE, Flash for Chrome and Flash for Firefox, so this could be multiple installable updates on a single system.
APSB16-32 is a priority one update for Adobe Flash Player. This update resolves 12 vulnerabilities. Many of the vulnerabilities are user targeted and, if exploited, could allow an attacker to take control of the affected system.
For more in depth analysis and conversation regarding this Patch Tuesday, join us for the Shavlik Patch Tuesday Webinar tomorrow morning.