Today Microsoft started rolling out a new way to patch systems, and I explain the different components which are included and their timeline:
- Patch Tuesday (second Tuesday of every month or B week): Two main components will be released on Patch Tuesday:
- A security-only update: This is a single update containing all new security fixes for that month. It will be released on Windows Server Update Services (WSUS) where it can be consumed by other tools like ConfigMgr, and the Windows Update Catalog. This package will NOT be available for consumer PCs which get updated via Windows Update.
- A security monthly rollup: A single update containing all new security fixes for that month (same as the security-only update) as well as fixes from all previous monthly rollups. This will be available for consumer PCs which get updated via Windows Update.
- Third Tuesday of every month (C Week): This is a monthly rollup containing a preview of new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollup. This is included for users to test their systems before next month. This will be available on WSUS, Windows update and Windows Update Catalog.
Internet Explorer updates are included in the security-only and monthly security rollup. .NET will follow a similar formula as monthly rollup and security-only updates. Since today is Patch Tuesday i.e. B week or second Tuesday week, here is a list of security fixes that administrators should focus on:
A total of ten security updates were released affecting Browsers, Office, GDI, Kernel Drivers, Registry, Messaging and also update for Adobe Flash. Five updates are critical, four are important while one is moderate. What’s interesting is that five updated have at least one vulnerability each which a fixes a 0-day. These are the vulnerabilities that are already actively exploited in the wild.
The GDI+ bulletin MS16-120 has one such 0-day and allows attackers to take complete control of the victim machine if the victim views a malicious webpage. Since this vulnerability is in the core graphics component I have ranked it higher.
The two browser bulletins MS16-118 for Internet Explorer and MS16-119 for Edge also have a fix for a 0-day vulnerability where attackers can cause a remote code execution (RCE). For the attack to succeed, victim has to use one of these browsers to view a malicious web page hosted by the attacker.
The Office bulletin MS16-121 fixes the fourth 0-day for October. It’s a file format issue and can be exploited if the attacker manages to send a malicious RTF file to the victim either as an e-mail attachment or somehow entices the victim to view it online. If successful, attackers can take complete control of victim’s machine.
MS16-126 is the last 0-day fix for today. It affects the Internet Messaging API component and is marked only as Moderate. It allows attackers to remotely test for the presence of files on the victim machine. Since it is exploited in the wild I rank it higher as it can allow information that could aid in further attacks.
MS16-122 is a remote code execution vulnerability in the Microsoft Video Control, but is ranked a little lower as it’s not a 0-day. If exploited it allows attackers full control of the victim machine.
The Kernel-mode driver (MS16-123), windows registry (MS16-124) and Diagnostics Hub (MS16-125) are all privilege elevation vulnerabilities and are ranked lower as attackers needs valid credentials to exploit these issues. If exploited attackers can elevate their account to a higher privileged account.
Overall it’s a mid-sized B week security update but is critical due to the presence of the large amount of 0-day patches.