Virtual Administrator’s September 2016 Patch Recommendations
14 Security Bulletins were released – 7 Critical, 7 Important, and 0 Moderate
This Month In Brief
We have not uncovered any widespread problems with any of these patches and are releasing all of them.
MS16-104 through MS16-108, MS16-116 and MS16-117 are rated Critical. After your next patch cycle completes, you should follow up and make sure they are installed. The cumulative IE update MS16-104 is, as always, the top priority for workstations, followed by MS16-107, which is an Office patch. Those with Exchange servers and/or SharePoint servers should make sure MS16-108/MS16-107 are installed.
No out-of-band security updates were released during the last month.
IMPORTANT PATCH NEWS: The end of patching as we know it starts next month.
Microsoft released this statement on August 15th
“Further simplifying servicing models for Windows 7 and Windows 8.1”
https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/
The highlights of the announcement are below. Historically Microsoft has released individual patches (KBs) for each update. Broadly these are classified as “security” and “non-security” updates, with Security Bulletins published for each security patch. This month there are 14 Security Bulletins. In a given month there are usually as many non-security updates released as Security Bulletins.
Starting in October 2016 Microsoft will release one “Monthly Rollup” including both security and non-security patches. They will also make a “Security-only update” available, which should include only updates with published Security Bulletins. Additionally there will be a separate “.NET Framework Monthly Rollup”. Microsoft also wrote “Several update types aren’t included in a rollup, such as those for Servicing Stack and Adobe Flash.” It’s unclear exactly what will happen with Office updates.
We won’t know for sure what this will actually look like until we see this next month. Obviously we will no longer have the ability to deny individual KBs in Kaseya. However, because we don’t approve anything until Friday afternoon, we have time to see what to expect. In the past most of the KBs we have denied were non-security and it sounds like we would be able to deny the “Monthly Rollup” but still approve “Security-only updates”. Going forward, when “bad” patches are released, we will work to help you identify the susceptible machines and apply workarounds preemptively. In this new “all or nothing” environment it is unlikely we would deny both the “Monthly Rollup” and the “Security-only updates”.
Per Microsoft
“Based on your feedback, today we’re announcing some new changes for servicing Windows 7 SP1 and Windows 8.1. These changes also apply to Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.”
“Monthly Rollup – From October 2016 onwards, Windows will release a single Monthly Rollup that addresses both security issues and reliability issues in a single update. The Monthly Rollup will be published to Windows Update (WU), WSUS, SCCM, and the Microsoft Update Catalog. Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current. i.e. a Monthly Rollup in October 2016 will include all updates for October, while November 2016 will include October and November updates, and so on.”
“Security-only updates – Also from October 2016 onwards, Windows will release a single Security-only update. This update collects all of the security patches for that month into a single update. Unlike the Monthly Rollup, the Security-only update will only include new security patches that are released for that month. Individual patches will no longer be available.”
“.NET Framework Monthly Rollup – The .NET Framework will also follow the Monthly Rollup model with a monthly release known as the .NET Framework Monthly Rollup.”
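The catch-up difference between the two tracks quoted above, modelled as an added example (not Microsoft's or Kaseya's code). The hostnames, the inventory and the function names are constructed for illustration, and the model assumes the rollup is cumulative from October 2016 onward, as the quote states.

```python
# Added illustration of the quoted servicing rules; not Microsoft or Kaseya code.
from datetime import date

FIRST_MONTH = date(2016, 10, 1)  # new servicing model starts October 2016
OCT, NOV, DEC = date(2016, 10, 1), date(2016, 11, 1), date(2016, 12, 1)

def months_through(target):
    """Every month from October 2016 through `target`, inclusive."""
    out, cur = [], FIRST_MONTH
    while cur <= target:
        out.append(cur)
        cur = date(cur.year + cur.month // 12, cur.month % 12 + 1, 1)
    return out

def uncovered_months(installed, target):
    """Months whose security fixes are missing on one machine.

    `installed` is a set of (track, month) pairs. A "rollup" is cumulative and
    covers its own month plus every earlier one; a "security-only" update
    covers its own month alone.
    """
    latest_rollup = max((m for t, m in installed if t == "rollup"), default=None)
    sec_only = {m for t, m in installed if t == "security-only"}
    return [m for m in months_through(target)
            if not (latest_rollup is not None and m <= latest_rollup)
            and m not in sec_only]

def catch_up(installed, target, track):
    """Updates to approve so the machine is current through `target`."""
    gaps = uncovered_months(installed, target)
    if not gaps:
        return []
    if track == "rollup":
        return [("rollup", target)]  # newest rollup supersedes all earlier ones
    return [("security-only", m) for m in gaps]  # one update per missed month

INVENTORY = {  # constructed hostnames and patch states
    "ws-01": {("rollup", NOV)},
    "ws-02": {("security-only", OCT), ("security-only", DEC)},
    "srv-01": set(),
}

if __name__ == "__main__":
    for host, installed in INVENTORY.items():
        for track in ("rollup", "security-only"):
            print(host, track, catch_up(installed, DEC, track))
```

A machine kept on the Security-only track that skips a month (ws-02) stays exposed for that month until that specific update is applied, whereas any machine on the rollup track needs only the newest rollup.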
Exploitability
- Publicly disclosed: MS16-104
- Being exploited: None
- Rated CRITICAL: MS16-104, MS16-105, MS16-106, MS16-107, MS16-108, MS16-116, MS16-117
- (The Severity Rating System: http://technet.microsoft.com/en-us/security/bulletin/rating)
Requires Restart
- Servers: True
- Workstations: True
New Security Bulletins
(MS#/Affected Software/Type)
CRITICAL
| Bulletin | Affected Software | Description |
| --- | --- | --- |
| MS16-104 Cumulative Security Update for Internet Explorer (3183038) | Internet Explorer | The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. |
| MS16-105 Cumulative Security Update for Microsoft Edge (3183043) | Microsoft Edge | The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. |
| MS16-106 Security Update for Microsoft Graphics Component (3185848) | Microsoft Windows | The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. |
| MS16-107 Security Update for Microsoft Office (3185852) | Microsoft Office/Services/Web Apps | The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. |
| MS16-108 Security Update for Microsoft Exchange Server (3185883) | Microsoft Exchange | The most severe of the vulnerabilities could allow remote code execution in some Oracle Outside In libraries that are built into Exchange Server if an attacker sends an email with a specially crafted attachment to a vulnerable Exchange server. |
| MS16-116 Security Update in OLE Automation for VBScript Scripting Engine (3188724) | Microsoft Windows | The vulnerability could allow remote code execution if an attacker successfully convinces a user of an affected system to visit a malicious or compromised website. |
| MS16-117 Security Update for Adobe Flash Player (3188128) | Adobe Flash Player | This security update resolves vulnerabilities in Adobe Flash Player. |
IMPORTANT
| Bulletin | Affected Software | Description |
| --- | --- | --- |
| MS16-109 Security Update for Silverlight (3182373) | Microsoft Windows | The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application. |
| MS16-110 Security Update for Windows (3178467) | Microsoft Windows | The most severe of the vulnerabilities could allow remote code execution if an attacker creates a specially crafted request and executes arbitrary code with elevated permissions on a target system. |
| MS16-111 Security Update for Windows Kernel (3186973) | Microsoft Windows | The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application on a target system. |
| MS16-112 Security Update for Windows Lock Screen (3178469) | Microsoft Windows | The vulnerability could allow elevation of privilege if Windows improperly allows web content to load from the Windows lock screen. |
| MS16-113 Security Update for Windows Secure Kernel Mode (3185876) | Microsoft Windows | The vulnerability could allow information disclosure when Windows Secure Kernel Mode improperly handles objects in memory. |
| MS16-114 Security Update for SMBv1 Server (3185879) | Microsoft Windows | The vulnerability could allow remote code execution if an authenticated attacker sends specially crafted packets to an affected Microsoft Server Message Block 1.0 (SMBv1) Server. |
| MS16-115 Security Update for Microsoft Windows PDF Library (3188733) | Microsoft Windows | The vulnerabilities could allow information disclosure if a user views specially crafted PDF content online or opens a specially crafted PDF document. |