It’s September 2016 Patch Tuesday, and Microsoft has released 14 security bulletins that affect a host of components including desktop operating systems, servers, browsers, Exchange Server, Silverlight, SMBv1 and several others. It’s a large update that will keep desktop as well as server administrators busy. Seven updates are rated as critical, while the other seven are rated as important. One 0-day vulnerability, CVE-2016-3352, which was publicly disclosed earlier, is also patched in the MS16-110 bulletin.
On the desktop side, top priority goes to browsers and Microsoft Office. This includes the Cumulative Security Update for Internet Explorer (MS16-104), which affects IE 9 to 11, and the Cumulative Security Update for Microsoft Edge (MS16-105), which only affects Windows 10 platforms. An attacker can entice users to click malicious links using affected browsers, and if left unpatched these flaws can allow attackers to take complete control of the victim machine. The security update for Microsoft Office (MS16-107) also falls in this category: it addresses flaws in the click-to-run component and in the way Office objects are handled in memory that would allow attackers complete control of the victim machine. MS16-106 affects Windows Vista, Windows 7, 8.1 and 10 and could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document.
Next priority goes to the Silverlight bulletin (MS16-109). The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application. MS16-116 affects the VBScript Scripting Engine and allows remote code execution if an attacker successfully convinces a user of an affected system to visit a malicious or compromised website.
Exchange Server administrators should focus on MS16-108, which could allow remote code execution in some Oracle Outside In libraries that are built into Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server. If left unpatched, attackers can take complete control of the server.
The Microsoft Office bulletin (MS16-107) also affects Microsoft SharePoint Server 2007, 2010 and 2013 and can allow attackers to take complete control of the server through the Word and Excel automation services on the SharePoint Server.
MS16-106 affects Windows Server 2008 and 2012 along with their R2 counterparts and allows attackers to take complete control of the server system. Server administrators should also look at MS16-110, which applies to Server 2008 and 2012 and allows an attacker with a domain user account to create a specially crafted request, causing Windows to execute arbitrary code with elevated permissions.
Overall, it’s a large update from Microsoft with fixes for both desktop and server components.