Qualys Blog

www.qualys.com
Amol Sarwate

Patch Tuesday July 2016: Microsoft and Adobe

Its July 2016 patch Tuesday and Microsoft has released 11 security updates that affect a host of desktop and server systems. Six updates are categorized as Critical while the rest are categorized as Important.

Most of the critical updates released today affect desktop systems. Top priority should be given to fixing browsers and Office which includes MS16-084 that affects Internet Explorer, MS16-085 which affects Microsoft Edge and MS16-088 for Office. All three updates fix vulnerabilities that allow an attacker to take complete control of the victim’s machine and therefore these should be patched immediately.

Equally important are updates release today by Adobe. For some time now Flash has taken center stage. But this time Adobe Reader is back after being dormant for three months.  Adobe has released APSB16-26 which fixes 30 vulnerabilities on Windows and Mac platforms.  Many vulnerabilities fixed by APSB16-26 allows an attacker to take complete control of the victim machine and we recommend applying patch for this critical issue as soon as possible. This is the third Acrobat Reader fix in 2016 while the count of Adobe Flash is more than double. Adobe has also release update for its Flash Player – APSB16-25 which fixes 52 vulnerabilities. This update affects Windows, Mac, Linux and ChromeOS. As many vulnerabilities fixed by the update allow attackers to take complete control of the victim machine we recommend applying the Flash and Reader update immediately.

Next on the priority list is update from Microsoft for Jscript and VBScript MS16-086. The vulnerability fixed here can be exploited if the victim visits a malicious webpage hosting specially crafted Jscript and VBScript.  MS16-087 is another critical update for the windows print spooler. If an attacker is able to upload malicious code on a printer, all workstations trying to connect to that printer can be compromised. The issue can also be exploited remotely in a drive by type of attack using web point-and-print or IPP. More information about the same is available here.

Among the important updates .NET update MS16-091 gets first priority as this issue can be exploited remotely. But unlike the code execution aspect of other critical updates, this .NET vulnerability only allows information leakage. There are three other important Windows Kernel updates MS16-089, MS16-090, MS16-092. For an exploit to be successful, attacker needs to have valid credentials to the system.

Overall this is medium sized Patch Tuesday, but since many critical updates are targeted for desktops it may put some strain on your desktop patching teams.

Leave a Reply