Virtual Administrator’s October 2016 Patch Recommendations

10 Security Bulletins were released – 6 Critical, 3 Important, and 1 Moderate

This Month In Brief

We have not uncovered any widespread problems with any of these patches and are releasing all of them.

MS16-118, MS16-119, MS16-120, MS16-121, and MS16-127 are considered “zero-day” vulnerabilities. After your next patch cycle completes, you should follow up and make sure these are installed.

No out-of-band security updates were released during the last month.

Apatchocalypse Now?

In August Microsoft announced they were moving to a roll-up model for Windows 7, 8.1, and Server 2008R2/2012/2012R2 similar to the Windows 10 model already in place.

We will post more information about this change and how it affects patch management using Kaseya over the coming weeks but here are some of the basics:

The “Apatchocalypse Now” heading is a bit alarmist, but Microsoft does not have a great track record of thoroughly vetting their releases. Time will tell how well this works. The emphasis of this blog will likely change from advising what KBs to deny toward warning what to expect and providing guidance. Remember, nothing is pushed out by Kaseya until it is approved in the patch policy. We still have the benefit of seeing what other “early adopters” experience before we release anything.

“Further simplifying servicing models for Windows 7 and Windows 8.1”
https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

Affects

  • Windows 7/8.1 and Server 2008R2/2012/2012R2
  • .NET Framework 3.0, 3.5, 3.5.1, 4, 4.5.2, 4.6

Does Not Affect

  • Vista or Server 2008
  • Microsoft Office
  • Internet Explorer 9
  • Windows Servicing Stack
  • Adobe Flash

Going forward, the affected software will have one “Security Monthly Quality Rollup” containing all security and non-security updates. Updates are broadly classified as “security” and “non-security” updates, with Security Bulletins published for each security patch. This month there are 10 Security Bulletins. In a given month there are usually as many non-security updates released as Security Bulletins. Historically this blog has only discussed the Security Bulletins, the exception being non-security updates that we denied because they were problematic.

Manual Patching

Microsoft is offering an option to install a “Security Only Quality Update” and a “Security Only Updates for .Net Frameworks”. As the name implies these would include the security updates and exclude the non-security updates. So if Microsoft released a non-security update that was causing severe problems, we could deny the “Security Monthly Quality Rollup” in Kaseya and manually push out the “Security Only Quality Update”.

Do KBs matter anymore?

Yes and No. In the past each Security Bulletin had KB numbers. Non-security updates also had individual KB numbers. In many cases there was a specific KB for each OS or software version. For the unaffected software listed above this remains the same. We can still allow/deny individual KBs as we have in the past. For the affected software this will not be possible outside of the “Manual Patching” option mentioned above.

October 2016 security monthly quality rollup

  • KB3185330 – Windows 7, Windows Server 2008 R2
  • KB3185331 – Windows 8.1, Windows Server 2012 R2
  • KB3185332 – Windows Server 2012

October 2016 security only quality update

  • KB3192391 – Windows 7, Windows Server 2008 R2
  • KB3192392 – Windows 8.1, Windows Server 2012 R2
  • KB3192393 – Windows Server 2012

October, 2016 Security and Quality Rollup for .NET Framework

October, 2016 Security Only Update for .NET Framework

The KB numbers for .NET are different for each version and in some cases for each OS installed.

Cumulative update for Windows 10

  • KB3192440 – Original release
  • KB3192441 – Version 1511
  • KB3194798 – Version 1607 (Anniversary Update)

Heads Up! Releasing KB3020369

This patch was denied last year as it caused some machines to hang at “Stage 3 of 3” after the patch reboot. If this happens, press Ctrl+Alt+Delete to continue to log on. KB3020369 applies to Windows 7 and Windows Server 2008 R2 systems. On our on-prem KServers we see only 3% of machines missing KB3020369, and again only some machines experience the reboot issue. This should not be a huge problem. The reason for the release is detailed below in “Windows Update Scan Slowness on Windows 7”.

Windows Update Scan Slowness on Windows 7 – Install KB3172605

Last year some Windows 7 machines started experiencing very slow patch scans. The scan could take hours or never complete. If they finished, the results were questionable. Microsoft has released a number of updates to the Windows Update Client over the past year, but not until recently did they release a version that corrected the problem. The version was KB3172605. KB3172605 was originally released in late July, then re-released in September. KB3179573 was a rollup released in August to correct problems with the original KB3172605. Microsoft states KB3020369 is a prerequisite for KB3172605, and that is why we are releasing KB3020369 now – see above. Our on-prem KServers show about 11% of machines missing KB3172605.

The upshot of this: make sure you have KB3172605 installed!

We have agent procedures for this – “KB3172605 Install” and “KB3020369 Install”. They are in the Shared > _VA Scripts > Patch Deployment folder on our on-prem KServers and posted on ClubMSP.
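A follow-up check for the KBs named in this post, as an added example (it is not one of the agent procedures mentioned above): it reports whether the October rollup or security-only update is present and, on Windows 7 / Server 2008 R2, whether KB3172605 and its prerequisite KB3020369 are installed. The function name `Test-OctoberPatchState` is hypothetical, and the OS-version and Windows 10 build keys are this example's own mapping, not taken from the post.

```powershell
# Added example. KB numbers come from this post; the function name and the
# OS-version / Windows 10 build keys are this example's own mapping.
$RollupOrSecurityOnly = @{
    '6.1' = @('KB3185330', 'KB3192391')   # Windows 7, Server 2008 R2
    '6.3' = @('KB3185331', 'KB3192392')   # Windows 8.1, Server 2012 R2
    '6.2' = @('KB3185332', 'KB3192393')   # Server 2012
}
$Win10Cumulative = @{
    '10240' = 'KB3192440'   # original release
    '10586' = 'KB3192441'   # version 1511
    '14393' = 'KB3194798'   # version 1607
}

function Test-OctoberPatchState {
    param([string]$OsVersion, [string[]]$InstalledKBs)

    $parts  = $OsVersion.Split('.')
    $family = $parts[0] + '.' + $parts[1]
    if ($parts[0] -eq '10') { $expected = $Win10Cumulative[$parts[2]] }
    else { $expected = $RollupOrSecurityOnly[$family] }

    if (-not $expected) {
        "OS version ${OsVersion}: not covered by the KB lists in this post"
    } else {
        # Either the monthly rollup or the security-only update satisfies the check.
        $hit = @($expected | Where-Object { $InstalledKBs -contains $_ })
        if ($hit.Count -gt 0) { "October update present: $($hit -join ', ')" }
        else { "October update MISSING: expected one of $($expected -join ', ')" }
    }

    # The Windows Update client fix applies to Windows 7 / Server 2008 R2 only.
    if ($family -eq '6.1') {
        if ($InstalledKBs -contains 'KB3172605') {
            'KB3172605 present'
        } elseif ($InstalledKBs -contains 'KB3020369') {
            'KB3172605 MISSING: prerequisite KB3020369 is present, install KB3172605'
        } else {
            'KB3172605 MISSING: install prerequisite KB3020369 first, then KB3172605'
        }
    }
}

# Get-HotFix lists what this machine reports as installed. A machine patched in
# a later month may show a newer rollup instead of the KBs above.
$os  = (Get-WmiObject Win32_OperatingSystem).Version
$kbs = @(Get-HotFix | ForEach-Object { $_.HotFixID })
Test-OctoberPatchState -OsVersion $os -InstalledKBs $kbs
```

The script uses only cmdlets available in PowerShell 2.0, so it runs on an unmodified Windows 7 machine.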

Exploitability

Requires Restart

  • Servers: True
  • Workstations: True

New Security Bulletins

(MS#/Affected Software/Type)

CRITICAL

MS16-018 Cumulative Security Update for Internet Explorer (3192887) (Internet Explorer) The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Details
Affected Software: Internet Explorer 9-11
Known Issues per MS:
MS16-019 Cumulative Security Update for Microsoft Edge (3192890) (Microsoft Edge) The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.
Details
Affected Software: Edge
Known Issues per MS:
MS16-020 Security Update for Microsoft Graphics Component (3192884) (Microsoft .NET Framework, Office, Skype for Business, Lync) The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document.
Details
Affected Software: Vista, Windows 7/8.1/10, Server 2008/2008R2/2012/2012R2, Office 2007/2010, Word Viewer, Lync 2010/2013, Silverlight 5, .NET Framework 3.0 SP2/4.5.2/4.6, Skype for Business 2016
Known Issues per MS:
MS16-021 Security Update for Microsoft Office (3194063) (Microsoft Office) An Office RTF remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle RTF files. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
Details
Affected Software: Office 2007/2010/2013/2016, Office 2011/2016 for Mac, Office Web Apps 2010/2013, SharePoint Server 2010/2013
Known Issues per MS:
MS16-022 Security Update for Microsoft Video Control (3195360) (Microsoft Windows) The vulnerability could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory.
Details
Affected Software: Vista, Windows 7/8.1/10
Known Issues per MS:
MS16-026 Security Update for Adobe Flash Player (3194343) (Microsoft Windows) An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploited this vulnerability could test for the presence of files on disk.
Details
Affected Software: Windows 8.1/10, Server 2012/2012R2, Windows RT 8.1
Known Issues per MS:

IMPORTANT

MS16-027 Security Update for Windows Kernel-Mode Drivers (3192892) (Adobe Flash Player) This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
Details
Affected Software: Vista, Windows 7/8.1/10, Server 2008/2008R2/2012/2012R2, Windows RT 8.1
Known Issues per MS:
MS16-023 Security Update for Windows Registry (3193227) (Microsoft Windows) The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
Details
Affected Software: Vista, Windows 7/8.1/10, Server 2008/2008R2/2012/2012R2, Windows RT 8.1
Known Issues per MS:
MS16-024 Security Update for Diagnostics Hub (3193229) (Microsoft Windows) The vulnerabilities could allow elevation of privilege if an attacker can access sensitive registry information.
Details
Affected Software: Windows 10
Known Issues per MS:

MODERATE

MS16-025 Security Update for Microsoft Internet Messaging API (3196067) (Microsoft Windows) The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
Details
Affected Software: Vista, Windows 7, Server 2008/2008R2
Known Issues per MS: