J003-Content-PatchTue_SQWhen Windows 10 came out, Microsoft announced that the company would be releasing security updates on a more continuous basis instead of the once-a-month cycle that we’ve all grown to know and love (or hate). This led to much chatter in the tech press and the term “no more Patch Tuesday” was born.

Well, at the end of July, Win 10 went public and guess what? Life as we know it in the update community didn’t come to an abrupt halt. Here it is, the second Tuesday of August and lo, what do we have? A Microsoft Security Bulletin summary. And lest you thought the new format might mean fewer patches, no such luck. We have a whopping 14 updates again this month; however, the good news is that only four of them are classified as critical.

Interestingly, all four affect the newly-released Windows 10 operating system. There have also been reports about Windows 10 systems getting stuck in a continuous loop reboot cycle after updating – which hasn’t done the new operating system’s reputation much good. The new Edge web browser also got its first cumulative update. In addition to the patches for Windows, there are also fixes for Office and its companion server services, SharePoint and Lync, as well as Silverlight.

Keep in mind that Windows Server 2003 is no longer included in these updates, as support for that OS ended last month, except for a few select “special” customers such as the U.S. Navy, which reportedly paid Microsoft millions of dollars to continue support for another one to three years.

So here we go with this month’s changes. For more information from the proverbial horse’s mouth, see the Security Bulletin Summary on the TechNet web site at https://technet.microsoft.com/en-us/library/security/ms15-aug

Critical

MS15-079 (KB3082442) This is the obligatory cumulative update for Internet Explorer. It affects IE 7, 8, 9, 10, and 11 on all supported versions of Windows, including IE 11 on Windows 10. It’s rated critical for browsers running on Windows client operating systems and moderate for those running on Windows servers.

The update addresses 13 vulnerabilities, with all but three being memory corruption issues. The most severe potential impact is arbitrary code execution.  The others include two ASLR bypass vulnerabilities and an unsafe command line parameter passing vulnerability. There is a published workaround for the last, which involves editing the registry to remove Notepad.exe from the IE elevation policy. You can find the instructions in the security bulletin details at https://technet.microsoft.com/library/security/MS15-079.

The update fixes the problems by changing the way IE handles objects in memory, ensuring that affected versions of IE implement the ASLR feature properly, and improving the command-line parameters for Notepad.exe from IE.

MS15-080 (KB3078662) This is an update to address vulnerabilities in the Microsoft Graphics component that could allow remote code execution. It affects supported versions of Windows client and server operating systems, including Windows 10. It’s rated critical for both client and server OS, and also affects Microsoft .NET framework, Microsoft Office, Lync and Silverlight Microsoft developer tools and software.

The update addresses an Office Graphics Component remote code execution vulnerability, eleven OpenType Font Parsing vulnerabilities, and ASLR bypass vulnerability, a Windows CSRSS elevation of privilege vulnerability, a KMD security bypass issue, and a Windows Shell security feature bypass issue. The most severe potential impact is execution of arbitrary code. There are published mitigations and workarounds, the instructions for which you can find in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms15-080.aspx

The update fixes the problems by changing how the Adobe Type Manager Library handles OpenType fonts, how the DirectWrite library handles TrueType fonts, how Office handles OGL fonts, how the kernel handles memory addresses, how user processes are terminated at logoff, how Windows validates impersonation levels, and how the Windows shell validates impersonation levels.

MS15-081 (KB3080790) This is an update to address vulnerabilities in Microsoft Office. It affects Office 2007, 2010, 2013, 2013 RT, Office for Mac 2011 and 2016, the Office Compatibility Pack SP3, Word Viewer, SharePoint 2010 and 2013, and Office Web Apps 2010 and 2013. It’s rated critical.

The update addresses multiple vulnerabilities in the above software that include memory corruption vulnerabilities, unsafe command line passing, and integer overflow. The most severe potential impact is execution of arbitrary code. There is a published workaround for one vulnerability, the instructions for which can be found in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms15-081.aspx .

The update fixes the problems by changing the way Office handles files in memory, improves the way Office programs are executed from IE, corrects the way Office validates templates and the way it handles integer bounds checking.

MS15-091 (KB3084525) This is a cumulative update for the new Edge web browser in Windows 10 that addresses four vulnerabilities. It affects Microsoft Edge running on Windows 10 32-bit or 64-bit systems. It is rated critical.

Three of these vulnerabilities are memory corruption issues and the remaining one is an ASLR bypass vulnerability. The memory corruption vulnerabilities occur when Edge improperly access objects in memory. An attacker could potentially execute arbitrary code by exploiting these vulnerabilities through the hosting of a malicious website.  The ASLR bypass could be used in conjunction with another vulnerability, to get past the ASLR security feature. There are no published workarounds or mitigations.

The update fixes the problems by changing the way Edge handles objects in memory and helping ensure that the ASLR feature is properly implemented.

Important

MS15-082 (KB3080348) This is an update to address a pair of vulnerabilities in the Remote Desktop Protocol (RDP). It affects all currently supported client and server versions of Windows except Windows 10, including Windows RT and server core installations. It is rated Important across all systems.

The update addresses a remote desktop session host spoofing vulnerability and an RDP DLL planting remote code execution vulnerability. Impacts include generation of untrusted certificates and impersonation of a client RDP session and remote code execution; however, user action is required to successfully carry out the exploit. There is a published workaround for the latter vulnerability, which can be found in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms15-082.aspx

The update fixes the problem by changing the way the Remote Desktop Session Host validates certificates and the way RDP loads certain binaries.

MS15-083 (KB3073921) This is an update to address a vulnerability in Windows Server Message Block. It affects supported versions of Windows Vista and Server 2008. It is rated Important for both.

The update addresses a memory corruption vulnerability whereby SMB in Windows doesn’t handle some logging activities properly. It can be exploited by an attacker who possesses a valid credential, to take control of the system.  The is a published workaround that involves disabling SMBv1 using PowerShell or a managed deployment script, instructions for which can be found in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms15-083.aspx

The update fixes the problem by changing the way the logging activities are handled.

MS15-084 (KB3080129) This is an update to address three vulnerabilities in the XML Core Services in Windows and Office applications. It affects XML Core Services 3.0, 5.0 and 6.0, running on all supported versions of Windows client and server operating system except Windows 10, but including Windows RT and the server core installations. Also affected are Office 2007 SP3 and InfoPath 2007 SP3. It is rated Important for all.

The three vulnerabilities addressed are all MSXML information disclosure vulnerabilities caused by explicit allowance of the use of SSL 2.0 and exposure of memory addresses that were not intended to be publicly disclosed. The most severe potential impact would be decryption of encrypted network traffic and bypass of ASLR that could allow reading of private data.  There are no published workarounds or mitigations.

The update fixes the problems by changing the way XML Core Services returns data that is requested by the API and by changing the MSXML default configuration to use more secure network protocols.

MS15-085 (KB3082487) This is an update to address a single vulnerability in Windows Mount Manager. It affects all supported versions of the Windows operating system, including Windows 10, Windows RT and the server core installations. It is rated Important across all systems.

The vulnerability occurs when Mount Manager processes symbolic links improperly in relation to the insertion of a malicious USB device such as a thumb drive containing malware. An attacker would need physical access to the system to insert the malicious USB drive in order to exploit the vulnerability. There are no published workarounds or mitigations.

The update fixes the problem by taking the vulnerable code out of the Mount Manager component.

MS15-086 (KB3075158) This is an update that addresses a single vulnerability in the System Center Operations Manager software. It affects SCOM 2012 and 2012 R2. It is rated Important for both.

This is an elevation of privilege vulnerability that is caused by improper validation of input. To exploit it, an attacker would need to inject a client-side script in the user’s browser, by convincing the user to visit a website containing the malicious code. The user would need to be authorized to access SCOM web consoles. There are no published workarounds or mitigations.

The update fixes the problem by changing the way SCOM accept input.

MS15-087 (KB3082459) This is an update that addresses a single vulnerability in the UDDI (Universal Description, Discovery and Integration) Services in Windows. It affects Windows Server 2008, with the exception of the Itanium editions. It is rated Important.

This is an elevation of privilege vulnerability that occurs when the UDDI Services fail to properly validate or sanitize a search parameter in the FRAME tag. An attacker could exploit it by using a cross-site scripting (XSS) attack. The user would have to visit a web site where the malicious script is executed. There is a published workaround for this vulnerability, which can be found in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms15-087.aspx

The update fixes the problem by changing the way the UDDI Services encode and validate the parameter.

MS15-088 (KB3082458) This is an update that addresses a single unsafe command line parameter passing vulnerability in Windows, IE and Office. It affects all supported versions of Windows client and server operating system, including Windows 10, RT and the server core installations. It also affects IE 7,8,9,10 and 11 including IE 11 on Windows 10, as well as all currently supported versions of Microsoft Office, including Office 2013 RT, Office for Mac 2011 and 2016, and the Office Compatibility Pack SP3 and Word Viewer.  It is rated Important for all.

This is an information disclosure vulnerability that occurs when files at a medium integrity level are accessible to IE running in Enhanced Protection Mode. The attacker would have to be able to execute code in IE using another vulnerability to exploit this. Then he could run Excel, Word, PowerPoint, Visio or even Notepad using an unsafe command line parameter. There is a published workaround that involves removing notepad.exe from IT elevation policy, the instructions for which can be found in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms15-088.aspx

The update fixes the problem by improving the way Notepad and Office applications are executed from within IE, working in conjunction with the IE and Office updates.

MS15-089 (KB3076949) This is an update that addresses a single vulnerability in the WebDAV component of Windows. It affects all supported versions of Windows with the exception of Windows 10 and the Itanium editions of Windows server, but including Windows RT. It is rated Important for all.

This is another information disclosure vulnerability that occurs when the WebDAV client component explicitly allows the user of SSL 2.0. It can be exploited by an attacker who forces an encrypted SSL 2.0 session with a WebDAV server that has SSL 2.0 enabled, to use a man-in-the-middle attack and decrypt encrypted traffic. There are no published workarounds or mitigations.

The update fixes the problem by making sure that the default protocol for WebDAV clients is more secure than SSL 2.0.

MS15-090 (KB3060716) This is an update that addresses three vulnerabilities in Windows components. It affects all supported versions of Windows client and server operating system with the exception of Windows 10, but including Windows RT and the server core installations. It is rated Important for all.

All three of these vulnerabilities are elevation of privilege issues. One is in Windows Object Manager, one is in the Registry, and one is in the Windows Filesystem component. Attackers who exploited any of the three could possibly escape from the application sandbox. There are no published workarounds or mitigations.

The update fixes the problems by changing the way the Object Manager handles object symbolic links, preventing improper interaction with the registry by sandboxed applications and preventing improper interaction with the filesystem by sandboxed applications.

MS15-092 (KB3086251) This is an update that addresses three vulnerabilities in the .NET Framework in Windows. It affects .NET Framework v4.6 on all supported versions of Windows client and server with the exception of Itanium editions, but including Windows 10, RT and the server core installations. It is rated Important across all systems.

All three of these vulnerabilities are elevation of privilege issues related to the RyuJIT compiler that improperly optimizes certain parameters, resulting in a code generation error. An attacker can exploit this by hosting a specially crafted .NET application and convincing users to run it.  There is a published workaround that involves editing the registry to disable the RyuJIT compiler, the instructions for which can be found in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms15-092.aspx . This will cause the older JIT compiler to be used instead.

The update fixes the problem by changing the way the RyuJIT compiler optimization works.