Virtual Administrator’s June 2016 Patch Recommendations
17 Security Bulletins were released – 6 Critical, 11 Important, and 0 Moderate
July 29 – Approving KB3159398 and KB3161561 on Friday (7/29) at 5:00 PM EDT
KB3159398 – MS16-072: Security Update for Group Policy
What you might see – “Admins are saying it breaks some Group Policy settings: drives appear on domain systems that should be hidden, mapping drives don’t work, and other typical GPO settings aren’t getting applied.”
What you can do – If you have read the blog we posted last month, you should already know which systems are at risk and have taken the appropriate steps to resolve the issue.
“Auditing GPO policies in Kaseya for “Authenticated Users” for patch KB3159398”
http://virtualadministrator.com/blog/auditing-gpo-policies-in-kaseya-for-authenticated-users-for-patch-kb3159398/
“MS16-072: Security update for Group Policy: June 14, 2016”
https://support.microsoft.com/en-us/kb/3163622
KB3161561 – MS16-075: Security Update for Windows SMB Server and MS16-076: Security Update for Netlogon
What you might see – “You receive an ‘Access Denied’ error message when trying to access a domain DFS namespace on a computer that is configured to require mutual authentication”
What you can do – Run the agent procedure “Procedure SmbServerNameHardeningLevel Workaround”. The script is located on ClubMSP and is called “SmbServerNameHardeningLevel Workaround (KB3161561)”. If you are on our hosted Kaseya servers, you will find it under the “Patch Deployment” folder.
“MS16-075 and MS16-076: Description of the security update for Windows Netlogon and SMB Server: June 14, 2016”
https://support.microsoft.com/en-us/kb/3161561
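The workaround script itself is not reproduced on this page. The following is an added PowerShell example, not the ClubMSP agent procedure, showing the check and the change a practitioner would make before and after it. It assumes the known issue is the one Microsoft describes for KB3161561: “Access Denied” on DFS namespaces when the file server enforces SPN target name validation, which is the SmbServerNameHardeningLevel value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters (the “Microsoft network server: Server SPN target name validation level” policy; 0 = Off, 1 = Accept if provided by client, 2 = Required from client). The backup file location is an assumption.

```powershell
# Added example (not the ClubMSP "SmbServerNameHardeningLevel Workaround (KB3161561)" procedure).
# Reports, and optionally clears, the SMB server SPN target-name validation level that
# KB3161561 is known to break. Must run elevated (Kaseya agent procedures run as SYSTEM).

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'SmbServerNameHardeningLevel'

function Get-SmbServerNameHardeningLevel {
    # An absent value means the policy is not configured, which behaves as 0 (Off).
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Test-Kb3161561Installed {
    $null -ne (Get-HotFix -Id 'KB3161561' -ErrorAction SilentlyContinue)
}

function Invoke-SmbHardeningWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed location for the backup of the original value; adjust to taste.
        [string]$BackupFile = (Join-Path $env:ProgramData 'VA-SmbServerNameHardeningLevel.bak')
    )
    $level = Get-SmbServerNameHardeningLevel
    Write-Verbose ('{0} is currently {1}; KB3161561 installed: {2}' -f $ValueName, $level, (Test-Kb3161561Installed))
    if ($level -eq 0) {
        Write-Output "$ValueName is already 0 (Off); nothing to change."
        return
    }
    if ($PSCmdlet.ShouldProcess($RegPath, "Set $ValueName from $level to 0 and restart the Server service")) {
        # Keep the original level so it can be restored once a fixed patch ships.
        Set-Content -Path $BackupFile -Value $level
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value 0 -Type DWord
        # -Force also restarts services that depend on LanmanServer (e.g. Computer Browser).
        Restart-Service -Name LanmanServer -Force
        Write-Output "$ValueName set to 0 (was $level); previous value saved to $BackupFile."
    }
}

function Undo-SmbHardeningWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$BackupFile = (Join-Path $env:ProgramData 'VA-SmbServerNameHardeningLevel.bak'))
    if (-not (Test-Path -Path $BackupFile)) { throw "No backup found at $BackupFile" }
    $level = [int](Get-Content -Path $BackupFile | Select-Object -First 1)
    if ($PSCmdlet.ShouldProcess($RegPath, "Restore $ValueName to $level")) {
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $level -Type DWord
        Restart-Service -Name LanmanServer -Force
    }
}

# Dry run first, then apply:
# Invoke-SmbHardeningWorkaround -WhatIf
# Invoke-SmbHardeningWorkaround -Verbose
```

Two caveats. SPN target name validation is what stops an SMB relay from presenting a captured session to a different server, so setting it to 0 is a deliberate, temporary loss of protection; keep the backup and run the Undo function once Microsoft ships a corrected update. And if the value is delivered by Group Policy, the next policy refresh will put it back, so in that case change the policy setting rather than the registry.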
July 1 – UPDATE: Delayed release of KB3159398 and KB3161561
KB3159398 – MS16-072: Security Update for Group Policy
Current Status: KB3159398 remains denied in all patch policies
We have an agent procedure that will flag servers susceptible to the Group Policy problems this patch can introduce. Please read the blog below for instructions. We will release this patch in about a month, after giving everyone time to locate the vulnerable systems and apply the workaround.
Auditing GPO policies in Kaseya for “Authenticated Users” for patch KB3159398
http://virtualadministrator.com/blog/auditing-gpo-policies-in-kaseya-for-authenticated-users-for-patch-kb3159398/
KB3161561 – MS16-075: Security Update for Windows SMB Server and MS16-076: Security Update for Netlogon
Current Status: KB3161561 remains denied in all patch policies
Microsoft has not yet updated this patch to address the known issues. We will continue to monitor. In the meantime we will work on an agent procedure that can apply the workaround. As with the above patch, we hope to approve this in patch policy once everyone has been able to take steps to avoid problems.
June 24 – UPDATE: Delayed release of KB3159398 and KB3161561
KB3159398 – MS16-072: Security Update for Group Policy
Current Status: KB3159398 remains denied in all patch policies
Microsoft posted this earlier this week.
Deploying Group Policy Security Update MS16-072 \ KB3163622
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
We have posted an audit script, “GPO patch audit (KB3159398)”, on ClubMSP. It is also available in the VA Shared folder on K2 and VA4.
The agent procedure will help identify those servers that will have problems once the patch is installed.
As outlined here:
MS16-072 – Known Issue – Use PowerShell to Check GPOs
https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/
The results are written to the Kaseya Agent Procedure log.
We do not foresee approving this patch. If you want to install KB3159398 you will need to push it out manually.
Microsoft does not consider this a faulty patch.
“After MS16-072 is installed, user group policies are retrieved by using the computer’s security context. This by-design behavior change protects domain joined computers from a security vulnerability.”
KB3161561 – MS16-075: Security Update for Windows SMB Server and MS16-076: Security Update for Netlogon
Current Status: KB3161561 remains denied in all patch policies
Microsoft finally acknowledged a problem with this patch on June 22.
MS16-075 and MS16-076: Description of the security update for Windows Netlogon and SMB Server: June 14, 2016
https://support.microsoft.com/en-us/kb/3161561
“Status: Microsoft is researching this problem and will post more information in this article when the information becomes available.”
We will keep an eye out for an updated patch and update this blog if one becomes available.
This Month In Brief
16 plus 1 OOB Security Bulletins were released – 6 Critical, 11 Important
MS16-083: Security Update for Adobe Flash Player was released June 16th out-of-band and is included in this article
Delayed release of KB3159398 – see below
Delayed release of KB3161561 – see below
MS16-063, MS16-068, MS16-069, MS16-070, MS16-071 and MS16-083 are rated Critical. The Adobe Flash Player patch (MS16-083) should be your top priority. It is being actively exploited. After that MS16-063, MS16-068 and MS16-071 are next in line. MS16-063/MS16-068 address IE/Edge vulnerabilities. MS16-071 fixes a single critical vulnerability in Microsoft’s DNS server.
No other out-of-band security updates were released during the last month.
MS16-064 Security Update for Adobe Flash Player was technically released May 13th OOB but was included in the May 2016 Patch Recommendations article
Delayed release of KB3159398 and KB3161561
KB3159398 – MS16-072: Security Update for Group Policy
This patch is rated Important. We are delaying its release for at least one week. During the coming week we will work on ways to identify systems that might have problems with KB3159398 and create agent procedures to mitigate them. We will update this article next Friday (June 24) with our recommendations.
MS16-072 “breaks some Group Policy settings: drives appear on domain systems that should be hidden, mapping drives don’t work, and other typical GPO settings aren’t getting applied.”
(http://www.infoworld.com/article/3084930/microsoft-windows/microsoft-acknowledges-permission-problems-with-ms16-072-patches-kb-3159398-3163017-3163018-3163016.html)
Per Microsoft’s known issues
https://support.microsoft.com/en-us/kb/3163622
MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context.
Symptoms: All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.
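An added PowerShell example, not the Kaseya audit procedure and not the PoSHChap script referenced in the June 24 update, that applies the rule Microsoft states above: after MS16-072 the computer account reads user GPOs, so any GPO whose ACL has no Read entry for Authenticated Users or Domain Computers (typically because someone removed Authenticated Users to security-filter by user) stops applying. It lists such GPOs and, on request, adds Authenticated Users with Read only (not Apply), which leaves the existing user filtering intact. It assumes the GroupPolicy module (RSAT/GPMC) and an account allowed to read and, for the repair, modify GPO security; the function names are mine.

```powershell
# Added example; not the ClubMSP "GPO patch audit (KB3159398)" procedure.
# Requires the GroupPolicy module (RSAT / GPMC) and rights to read (and, for repair, edit) GPO ACLs.
Import-Module GroupPolicy

# After MS16-072 the computer account must be able to read every user GPO. Either of these
# trustees with at least Read satisfies that; Microsoft's guidance is to add one of them.
$ComputerReaders = @('Authenticated Users', 'Domain Computers')

function Get-GpoMissingComputerRead {
    # Returns one object per GPO that no domain-joined computer can read after the patch.
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        $readers = $perms | Where-Object {
            ($ComputerReaders -contains $_.Trustee.Name) -and
            ($_.Permission -ne 'None') -and (-not $_.Denied)
        }
        if (-not $readers) {
            New-Object -TypeName PSObject -Property @{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                Status      = $gpo.GpoStatus
                Trustees    = ($perms | ForEach-Object { '{0}={1}' -f $_.Trustee.Name, $_.Permission }) -join '; '
            }
        }
    }
}

function Repair-GpoComputerRead {
    # Adds "Authenticated Users" with Read (NOT Apply) to each affected GPO. The existing
    # security filtering on user accounts/groups still decides who the settings apply to.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Gpo   # an object from Get-GpoMissingComputerRead (needs Id and DisplayName)
    )
    process {
        if ($PSCmdlet.ShouldProcess($Gpo.DisplayName, 'Grant Authenticated Users Read')) {
            Set-GPPermission -Guid $Gpo.Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
        }
    }
}

# Audit only:
# Get-GpoMissingComputerRead | Format-Table DisplayName, Status, Trustees -AutoSize
# Review the list, then repair (dry run first):
# Get-GpoMissingComputerRead | Repair-GpoComputerRead -WhatIf
# Get-GpoMissingComputerRead | Repair-GpoComputerRead
```

Run the audit against the domain before approving KB3159398, not after; a GPO that shows up here will silently stop delivering drive mappings and the like the moment patched clients refresh policy. Entries reported as GpoCustom are treated as readable by the filter above and should be checked by hand, since a custom ACE may not actually include Read.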
KB3161561 – MS16-075: Security Update for Windows SMB Server and MS16-076: Security Update for Netlogon
This patch is rated Important. While the “headlines” this week have been dominated by KB3159398, we have seen a handful of reports that KB3161561 is causing problems: “access denied errors during group policy processing” and “2008 R2 DC started blue screening”. Microsoft has not yet confirmed any issues. However, because the number of reports appears to be growing, we will delay the release of KB3161561 for one week. We will update this article next Friday (June 24) with our recommendations.
Heads Up! Once again, Windows 7 SP1 has seen problems with patch scanning taking a very long time. If KB3161664 is deployed first, it should speed this up. KB3161664 is MS16-073 and will be deployed along with all of the other June patches. This is probably not a concern unless you see Windows 7 SP1 machines that are still unpatched after the first patching cycle.
An agent procedure to install KB3161664 will be posted on ClubMSP and available in the VA Shared folder on our onprem KServers.
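An added PowerShell example, not the ClubMSP agent procedure, of the “install KB3161664 first” step: it checks whether the hotfix is already present and, if not, installs a previously downloaded .msu silently with wusa.exe, mapping the exit codes an agent procedure needs to tell apart (success, reboot pending, already installed). The .msu path is an assumed parameter (the file comes from the Microsoft Update Catalog); the target is assumed to be Windows 7 SP1 with its default PowerShell 2.0, so only 2.0-compatible syntax is used.

```powershell
# Added example (not the ClubMSP "KB3161664" agent procedure).
# Stages MS16-073 / KB3161664 ahead of the normal cycle on Windows 7 SP1 hosts.

function Test-HotFixInstalled {
    param([Parameter(Mandatory = $true)][string]$Id)
    # Get-HotFix writes a non-terminating error when the KB is absent; treat that as "not installed".
    $null -ne (Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Install-MsuPackage {
    param(
        [Parameter(Mandatory = $true)][string]$Path,   # assumed: local path to the downloaded .msu
        [Parameter(Mandatory = $true)][string]$Id      # e.g. 'KB3161664'
    )
    if (Test-HotFixInstalled -Id $Id) { return 'AlreadyInstalled' }
    if (-not (Test-Path -Path $Path)) { throw "Update package not found: $Path" }

    $wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
    $proc = Start-Process -FilePath $wusa -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'InstalledRebootRequired' }   # ERROR_SUCCESS_REBOOT_REQUIRED
        2359302 { return 'AlreadyInstalled' }          # WU_S_ALREADY_INSTALLED (0x240006)
        default { throw ('wusa.exe exited with {0} (0x{0:X8}) installing {1}' -f $proc.ExitCode, $Id) }
    }
}

# Example call (the path and file name are assumed):
# Install-MsuPackage -Path 'C:\Temp\Windows6.1-KB3161664-x64.msu' -Id 'KB3161664'
```

Let the agent procedure record the returned string: a host that reports InstalledRebootRequired will not show the KB in a subsequent patch scan until it has restarted, so schedule the reboot before the rest of the June cycle runs.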
Exploitability
- Publicly disclosed: MS16-083
- Being exploited: MS16-083
- Rated CRITICAL: MS16-063, MS16-068, MS16-069, MS16-070, MS16-071, MS16-083
- (The Severity Rating System: http://technet.microsoft.com/en-us/security/bulletin/rating)
Requires Restart
- Servers: True
- Workstations: True
New Security Bulletins
(MS# | Title (KB) | Affected Software | Impact)
CRITICAL
MS16-063 | Cumulative Security Update for Internet Explorer (3163649) | Internet Explorer | The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
MS16-068 | Cumulative Security Update for Microsoft Edge (3163656) | Microsoft Edge | The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.
MS16-069 | Cumulative Security Update for JScript and VBScript (3163640) | Microsoft Windows | The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
MS16-070 | Security Update for Microsoft Office (3163610) | Microsoft Office | The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.
MS16-071 | Security Update for Microsoft Windows DNS Server (3164065) | Microsoft Windows | The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server.
MS16-083 | Security Update for Adobe Flash Player (3167685) | Adobe Flash Player | This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
IMPORTANT
MS16-072 | Security Update for Group Policy (3163622) | Microsoft Windows | The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.
MS16-073 | Security Update for Windows Kernel-Mode Drivers (3164028) | Microsoft Windows | The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
MS16-074 | Security Update for Microsoft Graphics Component (3164036) | Microsoft Windows | The most severe of the vulnerabilities could allow elevation of privilege if a user opens a specially crafted application.
MS16-075 | Security Update for Windows SMB Server (3164038) | Microsoft Windows | The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application.
MS16-076 | Security Update for Netlogon (3167691) | Microsoft Windows | The vulnerability could allow remote code execution if an attacker with access to a domain controller (DC) on a target network runs a specially crafted application to establish a secure channel to the DC as a replica domain controller.
MS16-077 | Security Update for WPAD (3165191) | Microsoft Windows | The vulnerabilities could allow elevation of privilege if the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process on a target system.
MS16-078 | Security Update for Windows Diagnostic Hub (3165479) | Microsoft Windows | The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
MS16-079 | Security Update for Microsoft Exchange Server (3160339) | Microsoft Exchange Server | The vulnerability could allow denial of service if an attacker sends a large number of specially crafted IPv6 packets to an affected system.
MS16-080 | Security Update for Microsoft Windows PDF (3164302) | Microsoft Windows | The more severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted .pdf file.
MS16-081 | Security Update for Active Directory | Microsoft Windows | The vulnerability could allow denial of service if an authenticated attacker creates multiple machine accounts.
MS16-082 | Security Update for Microsoft Windows Search Component (3165270) | Microsoft Windows | The vulnerability could allow denial of service if an attacker logs on to a target system and runs a specially crafted application.