Today Microsoft released 14 security bulletins with six critical and eight important security fixes. In MS16-135 it patched the zero-day vulnerability CVE-2016-7255, which was actively attacked and disclosed by Google on their blog a few days ago. Since it is publicly disclosed and actively exploited, it should be the top priority for organizations. An OpenType font vulnerability, CVE-2016-7256, was also flagged by Microsoft in MS16-132 as being actively exploited. This vulnerability allows attackers to take complete control if the victim views a specially crafted webpage, and it should therefore be considered equally critical. Last but not least, three more vulnerabilities that were disclosed before patches were available have been fixed. These three issues are in the IE and Edge browsers and were fixed in MS16-142 and MS16-129 respectively (CVE-2016-7227 for IE, CVE-2016-7199 and CVE-2016-7209 for Edge). There is no indication yet that these three previously disclosed issues are being actively exploited.
The Microsoft Office bulletin MS16-133 contains fixes for 10 vulnerabilities that could allow attackers to take complete control of the system. In addition to these 10 fixes, an information disclosure issue and a denial-of-service (i.e. a crash) were also fixed. Since Office documents are prevalent in typical corporate environments, I think this bulletin should be treated as critical even though it is rated as ‘Important’.
- MS16-130 fixes issues in the Windows Task Scheduler, a DLL-loading issue in the Input Method Editor (IME), and image file rendering. The image file rendering issue is the most critical, as it can allow attackers to take complete control of the machine.
- MS16-131 fixes an issue in the Video control which again allows attackers to gain control if a user is convinced to open a specially crafted file or application from a webpage or an email message.
- MS16-132 fixes an OpenType font vulnerability which can be exploited if a user visits a malicious webpage or opens a malformed document.
Microsoft SQL Server administrators should focus on MS16-136, which patches six vulnerabilities in the RDBMS engine, the MDS API, SQL Analysis Services and the SQL Server Agent. SQL Server vulnerabilities are relatively rare, and although none of these allows remote code execution, attackers can gain elevated privileges which could allow them to view, change or delete data and create new accounts.
Overall, the actively attacked kernel and OpenType font vulnerabilities, the three other previously disclosed browser issues and the SQL Server patch make this month stand out.