Patch Tuesday Takes On a New Look This Week

October 12, 2016

This month’s Patch Tuesday takes on a new look, with a lot of changes for IT departments going forward. Beginning today, October 11, Microsoft has fully implemented its "Windows as a service" cumulative update program. This model has already been in place for Windows 10, and now Windows 7, 8 and select Windows Server versions will be part of it as well. As background, Microsoft will release two updates on Patch Tuesday going forward: one exclusive to security fixes, and a “monthly rollup” that combines the already released security fixes with all non-security fixes. Microsoft explained the new patch approach last week. By 2017, this cumulative model for supported Windows OS versions will prevent IT from backing out an individual patch if it “breaks something”; instead, IT will have to back out the entire cumulative update for the month.

Now, on to the security updates. This month’s Patch Tuesday brings 10 new updates, half of which address Critical remote code execution vulnerabilities. Three of the bulletins address elevation of privilege vulnerabilities in kernel-mode drivers, the Windows Registry (the API can be forced to leak information to unprivileged users), and Diagnostics Hub. Almost all the patches require a restart to take effect (Office may not).

Although there are the standard browser and Flash updates, one remote code execution (RCE) vulnerability that stands out this month is in the Microsoft Video Control, CVE-2016-0142 (MS16-122), where the preview pane is one attack vector that can be used to gain control of the machine rendering the video. The Microsoft Video Control is a standard building block that Windows provides to save developers time. Why reinvent a video player and thumbnail display when one is built into the operating system? Since it is easy to use and will always be part of a Windows installation, developers tend to use it frequently. Although the vulnerability has not been publicly disclosed, video files remain an attractive target for attackers.

One other update to mention is MS16-126, an information disclosure vulnerability in the Microsoft Internet Messaging API that allows attackers to test for the presence of a file. This could be very useful for stealthy reconnaissance. Overall, we would view this as a fairly standard Patch Tuesday, outside of the format change. As always, we recommend that users review and apply these patches in a timely manner to limit the risk to your organization, and please feel free to include any other recommendations in the comments.
