Virtual Administrator’s September 2016 Patch Recommendations

14 Security Bulletins were released – 7 Critical, 7 Important, and 0 Moderate

This Month In Brief

We have not uncovered any widespread problems with any of these patches and are releasing all of them.

MS16-104 thru MS16-108, MS16-116 and MS16-117 are rated Critical. After your next patch cycle completes, you should follow up and make sure they are installed. The cumulative IE update MS16-104 is, as always, the top priority for workstations, followed by MS16-107, which is an Office patch. Those with Exchange servers and/or SharePoint servers should make sure MS16-108/MS16-107 are installed.

No out-of-band security updates were released during the last month.

IMPORTANT PATCH NEWS: The end of patching as we know it starts next month.

Microsoft released this statement on August 15th

“Further simplifying servicing models for Windows 7 and Windows 8.1”
https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

The highlights of the announcement are below. Historically, Microsoft has released individual patches (KBs) for each update. Broadly, these are classified as “security” and “non-security” updates, with Security Bulletins published for each security patch. This month there are 14 Security Bulletins. In a given month there are usually as many non-security updates released as Security Bulletins.

Starting in October 2016, Microsoft will release one “Monthly Rollup” including both security and non-security patches. They will also make “Security-only updates” available, which should include only updates with published Security Bulletins. Additionally, there will be a separate “.NET Framework Monthly Rollup”. Microsoft also wrote “Several update types aren’t included in a rollup, such as those for Servicing Stack and Adobe Flash.” It’s unclear exactly what will happen with Office updates.

We won’t know for sure what this will actually look like until we see this next month. Obviously we will no longer have the ability to deny individual KBs in Kaseya. However, because we don’t approve anything until Friday afternoon, we have time to see what to expect. In the past most of the KBs we have denied were non-security and it sounds like we would be able to deny the “Monthly Rollup” but still approve “Security-only updates”. Going forward, when “bad” patches are released, we will work to help you identify the susceptible machines and apply workarounds preemptively. In this new “all or nothing” environment it is unlikely we would deny both the “Monthly Rollup” and the “Security-only updates”.

Per Microsoft
“Based on your feedback, today we’re announcing some new changes for servicing Windows 7 SP1 and Windows 8.1. These changes also apply to Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.”

“Monthly Rollup – From October 2016 onwards, Windows will release a single Monthly Rollup that addresses both security issues and reliability issues in a single update. The Monthly Rollup will be published to Windows Update (WU), WSUS, SCCM, and the Microsoft Update Catalog. Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current. i.e. a Monthly Rollup in October 2016 will include all updates for October, while November 2016 will include October and November updates, and so on.”

“Security-only updates – Also from October 2016 onwards, Windows will release a single Security-only update. This update collects all of the security patches for that month into a single update. Unlike the Monthly Rollup, the Security-only update will only include new security patches that are released for that month. Individual patches will no longer be available.”

“.NET Framework Monthly Rollup – The .NET Framework will also follow the Monthly Rollup model with a monthly release known as the .NET Framework Monthly Rollup.”
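The practical difference between the two update types quoted above is that a Monthly Rollup is cumulative while a Security-only update is not, so skipping one month of Security-only updates leaves a gap that later Security-only updates do not close. The following is an added example (not code from Microsoft or Virtual Administrator) that models this; the function names and sample histories are hypothetical and constructed for illustration, and the model covers only Windows updates as described in the announcement, not .NET, Servicing Stack or Flash.

```python
# First month of the new servicing model, per the announcement quoted above.
MODEL_START = (2016, 10)

def months_between(start, end):
    """Yield (year, month) tuples from start to end, inclusive."""
    year, month = start
    while (year, month) <= end:
        yield (year, month)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)

def covered_months(installed):
    """Return the set of months whose security fixes are present.

    installed: iterable of (kind, (year, month)), kind being
    "rollup" or "security-only" (labels chosen for this example).
    """
    covered = set()
    for kind, month in installed:
        if kind == "rollup":
            # Cumulative: each rollup includes every month since the model began.
            covered.update(months_between(MODEL_START, month))
        elif kind == "security-only":
            # Not cumulative: carries only that month's security patches.
            if month >= MODEL_START:
                covered.add(month)
        else:
            raise ValueError(f"unknown update kind: {kind!r}")
    return covered

def security_gaps(installed, current):
    """List months up to `current` whose security fixes are missing."""
    covered = covered_months(installed)
    return [m for m in months_between(MODEL_START, current) if m not in covered]

# Constructed sample histories for three machines.
SKIPPED_MONTH = [("security-only", (2016, 10)), ("security-only", (2016, 12))]
ROLLUP_ONLY = [("rollup", (2016, 12))]
MIXED = [("rollup", (2016, 11)), ("security-only", (2016, 12))]

if __name__ == "__main__":
    for name, history in [("skipped month", SKIPPED_MONTH),
                          ("rollup only", ROLLUP_ONLY),
                          ("mixed", MIXED)]:
        print(name, "->", security_gaps(history, (2016, 12)))
```

A machine kept on Security-only updates therefore needs every month's update tracked individually, whereas installing any later Monthly Rollup closes all earlier gaps at once.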

Exploitability

Requires Restart

  • Servers: True
  • Workstations: True

New Security Bulletins

(MS#/Affected Software/Type)

CRITICAL

MS16-104 Cumulative Security Update for Internet Explorer (3183038) (Internet Explorer) The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Details
Affected Software: Internet Explorer 9-11
Known Issues per MS: https://support.microsoft.com/en-us/kb/3185319

MS16-105 Cumulative Security Update for Microsoft Edge (3183043) (Microsoft Edge) The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.
Details
Affected Software: Edge
Known Issues per MS:

MS16-106 Security Update for Microsoft Graphics Component (3185848) (Microsoft Windows) The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document.
Details
Affected Software: Vista, Windows 7/8.1/10, Server 2008/2008R2/2012/2012R2, Windows RT 8.1
Known Issues per MS:

MS16-107 Security Update for Microsoft Office (3185852) (Microsoft Office/Services/Web Apps) The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.
Details
Affected Software: Office 2007/2010/2013/2016, Office 2011/2016 for MAC, SharePoint Server 2007/2010/2013, Office Web Apps 2010/2013
Known Issues per MS:

MS16-108 Security Update for Microsoft Exchange Server (3185883) (Microsoft Exchange) The most severe of the vulnerabilities could allow remote code execution in some Oracle Outside In libraries that are built into Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server.
Details
Affected Software: Exchange 2007/2010/2013/2016
Known Issues per MS:

MS16-116 Security Update in OLE Automation for VBScript Scripting Engine (3188724) (Microsoft Windows) The vulnerability could allow remote code execution if an attacker successfully convinces a user of an affected system to visit a malicious or compromised website.
Details
Affected Software: Vista, Windows 7/8.1/10, Server 2008/2008R2/2012/2012R2, Windows RT 8.1
Known Issues per MS:

MS16-117 Security Update for Adobe Flash Player (3188128) (Adobe Flash Player) This security update resolves vulnerabilities in Adobe Flash Player.
Details
Affected Software: Windows 8.1/10, Server 2012/2012R2, Windows RT 8.1
Known Issues per MS:

IMPORTANT

MS16-109 Security Update for Silverlight (3182373) (Microsoft Windows) The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application.
Details
Affected Software: Silverlight 5
Known Issues per MS:

MS16-110 Security Update for Windows (3178467) (Microsoft Windows) The most severe of the vulnerabilities could allow remote code execution if an attacker creates a specially crafted request and executes arbitrary code with elevated permissions on a target system.
Details
Affected Software: Vista, Windows 7/8.1/10, Server 2008/2008R2/2012/2012R2, Windows RT 8.1
Known Issues per MS:

MS16-111 Security Update for Windows Kernel (3186973) (Microsoft Windows) The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application on a target system.
Details
Affected Software: Vista, Windows 7/8.1/10, Server 2008/2008R2/2012/2012R2, Windows RT 8.1
Known Issues per MS:

MS16-112 Security Update for Windows Lock Screen (3178469) (Microsoft Windows) The vulnerability could allow elevation of privilege if Windows improperly allows web content to load from the Windows lock screen.
Details
Affected Software: Windows 8.1/10, Server 2012R2, Windows RT 8.1
Known Issues per MS:

MS16-113 Security Update for Windows Secure Kernel Mode (3185876) (Microsoft Windows) The vulnerability could allow information disclosure when Windows Secure Kernel Mode improperly handles objects in memory.
Details
Affected Software: Windows 10
Known Issues per MS:

MS16-114 Security Update for SMBv1 Server (3185879) (Microsoft Windows) The vulnerability could allow remote code execution if an authenticated attacker sends specially crafted packets to an affected Microsoft Server Message Block 1.0 (SMBv1) Server.
Details
Affected Software: Vista, Windows 7/8.1/10, Server 2008/2008R2/2012/2012R2, Windows RT 8.1
Known Issues per MS:

MS16-115 Security Update for Microsoft Windows PDF Library (3188733) (Microsoft Windows) The vulnerabilities could allow information disclosure if a user views specially crafted PDF content online or opens a specially crafted PDF document.
Details
Affected Software: Windows 8.1/10, Server 2012/2012R2, Windows RT 8.1
Known Issues per MS:

MODERATE