It’s been a long, hot summer, and on the security update front, after a couple of months of heavy patch Tuesdays (sixteen each for June and July), we get a little bit of relief this time: Microsoft released only nine patches for August Patch Tuesday. If you’re lucky and all goes well with the installation, perhaps that will mean a little more time for IT pros to relax by the pool this week.

We hit a milestone of sorts this month, with the 100th security update for this year. This time we got the usual cumulative updates for the Internet Explorer and Edge browsers, two updates for Office, and the rest are for Windows. Five of the nine are rated as critical, and all five address remote code execution vulnerabilities, so they should receive the needed care and attention in order to prevent any attacks on your infrastructure.

Let’s take a look at these updates in a little more detail, and you can find the full summary with links to each security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-aug

Critical Updates

MS16-095 (KB 3177356) This is the usual monthly cumulative update for Internet Explorer that applies to IE 9, 10 and 11 (all supported versions) on all supported versions of Windows. It is rated critical for client operating systems and moderate for servers, and of course doesn’t apply to server core installations that don’t run a web browser.

The update addresses nine separate vulnerabilities, which include memory corruption and information disclosure issues. The most serious of these can be exploited to accomplish remote code execution. There are no published mitigations or workarounds for these vulnerabilities. The update fixes the problems by changing the way Internet Explorer and certain functions handle objects in memory.

MS16-096 (KB 3177358) This is the usual monthly cumulative update for the Edge web browser that applies to Windows 10. It is rated critical.

The update addresses eight separate vulnerabilities, which include memory corruption and information disclosure issues, and the most serious of these can be exploited to accomplish remote code execution. There is a workaround for one of the vulnerabilities, which requires you to edit the registry, and the instructions are published in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-096.aspx

The update fixes the problems by changing the way both Edge itself and the Chakra JavaScript scripting engine handle objects in memory.

MS16-097 (KB 3177393) This is an update for the Microsoft Graphics component in Windows, Office, Skype for Business, and Lync. It applies to all supported versions of Windows, both client and server, including the server core installation and Windows Server 2016 Technical Preview 5. It also affects Office 2007 and 2010, Skype for Business 2016, and Lync 2010 and 2013. It is rated critical for all.

The update addresses three remote code execution vulnerabilities that occur when the Windows font library improperly handles specially crafted embedded fonts. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way the Windows font library handles embedded fonts. Note that there are prerequisites affecting some of the impacted software; see the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-097.aspx

MS16-099 (KB 3177451) This is an update for Microsoft Office that affects Office 2007, 2010, 2013 and 2013 RT, and 2016, as well as Office for Mac 2011 and 2016 and the Word Viewer. It is rated critical on Office for Windows and Important on Office for Mac and Word Viewer.

The update addresses five vulnerabilities, one of which is a OneNote information disclosure issue and the rest are memory corruption vulnerabilities, some of which can be exploited to accomplish remote code execution. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way affected versions of Office and Office components handle objects in memory.

MS16-102 (KB 3182248) This is an update for the Windows PDF library that applies to Windows 8.1 and 10 client operating systems, Windows RT 8.1, and Windows Server 2012 and 2012 R2. It is rated critical for all.

The update addresses a single vulnerability that occurs when the PDF library improperly handles objects in memory. This could be exploited to accomplish remote code execution. Only Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website. The browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have to convince users to view attacker-controlled PDF content.

There is a workaround for Windows 10 that involves editing the registry. Instructions are published in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-102.aspx

The update fixes the problem by changing the way the affected systems handle objects in memory.

Important Updates

MS16-098 (KB 3178466) This is an update for the Windows kernel-mode drivers that applies to all supported versions of Windows, both client and server, and including the server core installation and Windows Server 2016 Technical Preview 5. It is rated Important for all.

The update addresses four Win32k elevation of privilege vulnerabilities that occur when the Windows kernel-mode driver fails to properly handle objects in memory. The attacker would have to be able to log onto the system. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way the Windows kernel-mode driver handles objects in memory.

MS16-100 (KB 3179577) This is an update for the Secure Boot feature in Windows 8.1 and 10 client operating systems, Windows RT 8.1, and Server 2012 and 2012 R2. It is rated important for all.

The update addresses a single vulnerability that allows a bypass of the security feature when Secure Boot improperly loads a boot manager that is affected by the vulnerability. Exploitation requires the attacker to have admin privileges and/or physical access to the device. There is a workaround that involves configuring BitLocker to use a Trusted Platform Module (TPM) + PIN; the instructions are published in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-100.aspx

The update fixes the problem by blacklisting affected boot managers.

MS16-101 (KB 3178465) This is an update for Windows authentication methods that affects all supported versions of Microsoft Windows, both client and server, and including the server core installation and Windows Server 2016 Technical Preview 5. It is rated important for all.

The update addresses a pair of elevation of privilege vulnerabilities, one of which pertains to the Netlogon service and the other to Kerberos. There are no published mitigations or workarounds for these vulnerabilities.

The update fixes the problems by changing the way Windows authentication methods handle the establishment of secure channels.

MS16-103 (KB 3182332) This is an update for the ActiveSyncProvider component of Windows. It affects only Windows 10 and the Windows Server 2016 Technical Preview 5. It is rated important.

The update addresses a single information disclosure vulnerability that occurs when Universal Outlook fails to establish a secure connection. It could be exploited to obtain a user’s logon credentials. There are no published mitigations or workarounds for this vulnerability. Universal Outlook is the universal app version of Microsoft Outlook for PCs, tablets and phones.

The update fixes the problem by preventing Universal Outlook from disclosing usernames and passwords.