Its August 2016 Patch Tuesday and Microsoft has released nine security bulletins that affect a host of components including desktop operating systems, browsers, fonts and servers. Five updates are rated as critical while four are rated as important.
On the Desktop front, top priority goes to patching Microsoft Office and Browsers. This includes Microsoft Office Patch MS 16-099 which can allow attackers to take complete control of the victim machines if the victims open a malicious office document. It is not too difficult to social engineer an e-mail attachment which is targeted for users in your organization to exploit this issue. Security bulletin MS16-095 and MS16-096 includes patches for Internet Explorer and Microsoft Edge respectively. Nine IE issues and eight Edge vulnerabilities are addressed in these two bulletins and more than half can cause RCE i.e. allow an attacker to take complete control of the victim system.
MS16-097 addresses a critical issue in the handling of fonts by the windows font library. The windows font library has been targeted in the past as attackers can send files with specially crafted fonts or simply host them online to get users victimized. The vulnerability is critical as it too causes RCE.
On the windows protocol side of things MS16-101 is the most important patch as it addresses two vulnerabilities in netlogon and the Kerberos protocol. The Kerberos issue is triggered when Kerberos improperly handles a password change request and falls back to NTLM Authentication as the default authentication protocol allowing an attacker to bypass Kerberos authentication. The Netlogin issue is triggered when Windows Netlogon improperly establishes a secure communications channel to a domain controller.
Users of Windows 10 using Microsoft Edge as the default browser should also focus on the Windows PDF library bug addresses in MS16-102 as it could allow attackers to control a victim machine by opening a malicious PDF.
Overall it’s a regular sized patch Tuesday which will keep Windows desktop administrators busy.