Patch Tuesday Analysis - August 2016
•Download as PPTX, PDF•
0 likes•492 views
Ivanti August 2016 Patch Tuesday Analysis Webinar – Formerly Shavlik
Recommended
More Related Content
What's hot
What's hot (16)
Viewers also liked
Similar to Patch Tuesday Analysis - August 2016
Similar to Patch Tuesday Analysis - August 2016 (13)
More from Ivanti
More from Ivanti (20)
Recently uploaded
Recently uploaded (20)
Patch Tuesday Analysis - August 2016
- 1. Patch Tuesday Webinar Wednesday, August 10th, 2016 Chris Goettl • Product Manager, Shavlik Dial In: 1-855-749-4750 (US) Attendees: 923 686 352
- 2. Agenda August 2016 Patch Tuesday Overview Known Issues Bulletins Q & A 1 2 3 4
- 3. Best Practices Privilege Management Mitigates Impact of many exploits High Threat Level vulnerabilities warrant fast rollout. 2 weeks or less is ideal to reduce exposure. User Targeted – Whitelisting and Containerization mitigate
- 5. OF RECIPIENTS NOW OPEN PHISHING MESSAGES AND 11% CLICK ON ATTACHMENTS. 23%“ Verizon 2015 Data Breach Investigations Report http://www.verizonenterprise.com/DBIR/2015/”
- 6. The weakest link Definition: User Targeted A vulnerability that cannot be exploited except by means of convincing a user to take an action. These often take the form of phishing attacks, targeted web content or documents designed to exploit the vulnerability. 0 2 4 6 8 10 12 14 16 18 January February March April May June Bulletin Count User Targeted
- 7. Mitigate Impact A vulnerability that when exploited allows the attacker to operate in the context of the current user. Reducing user privileges reduces the attackers ability to operate thereby slowing their ability to move around your environment. 0 2 4 6 8 10 12 14 16 18 January February March April May June Bulletin Count Privilege Management Reduces Impact Privilege Management Reduces Impact:
- 11. Known Issues – • Windows 10 Anniversary release build 1607 • But, maybe you should wait…. • http://www.infoworld.com/article/3104389/microsoft- windows/the-case-against-windows-10-anniversary-update- grows.html • MS16-100 has a non-security dependency • MS16-102 Additional Mitigating Step for Windows 10 to remove file extension for PDF for Edge browser • Shavlik Protect 9.0 (2016/10/19) and 9.1 (2016/12/31) EOLs • Patch Tuesday page www.Shavlik.com/patch-tuesday • Heading to VMworld? Book a Protect 9.3 sneak peek demo!
- 12. CSWU-028: Cumulative update for Windows 10: August 9, 2016 Maximum Severity: Critical Affected Products: Windows 10, Edge, Internet Explorer Description: This update for Windows 10 includes functionality improvements and resolves the vulnerabilities in Windows that are described in the following Microsoft security bulletins and advisory: MS16-095, MS16-096, MS16-097, MS16-098, MS16-100, MS16-101, MS16-102, MS16-103. Impact: Remote Code Execution, Elevation of Privilege, Information Disclosure, Security Feature Bypass Fixes 31 vulnerabilities: CVE-2016-3288, CVE-2016-3289, CVE-2016-3290, CVE-2016-3293, CVE-2016-3321, CVE-2016-3322, CVE-2016-3326, CVE-2016- 3327, CVE-2016-3329, CVE-2016-3289, CVE-2016-3293, CVE-2016-3296, CVE-2016-3319, CVE-2016-3322, CVE-2016-3326, CVE-2016-3327, CVE-2016-3329, CVE-2016-3319, CVE-2016-3322, CVE-2016-3301, CVE-2016-3303, CVE-2016-3304, CVE-2016- 3308, CVE-2016-3309, CVE-2016-3310, CVE-2016-3311, CVE-2016-3320, CVE-2016-3237, CVE-2016-3300, CVE-2016-3319, CVE-2016-3312 Restart Required: Requires Restart
- 13. MS16-095: Cumulative Security Update for Internet Explorer (3177356) Maximum Severity: Critical Affected Products: Internet Explorer Description: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Impact: Remote Code Execution Fixes 9 vulnerabilities: CVE-2016-3288, CVE-2016-3289, CVE-2016-3290, CVE-2016-3293, CVE-2016-3321, CVE-2016-3322, CVE-2016-3326, CVE-2016- 3327, CVE-2016-3329 Restart Required: Requires Restart
- 14. MS16-096: Cumulative Security Update for Microsoft Edge (3177358) Maximum Severity: Critical Affected Products: Edge Description: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights. Impact: Remote Code Execution Fixes 10 vulnerabilities: CVE-2016-3289, CVE-2016-3293, CVE-2016-3296, CVE-2016-3319, CVE-2016-3322, CVE-2016-3326, CVE-2016-3327, CVE-2016- 3329, CVE-2016-3319, CVE-2016-3322 Restart Required: Requires Restart
- 15. MS16-097: Security Update for Microsoft Graphics Component (3177393) Maximum Severity: Critical Affected Products: Windows, Office, Skype, Lync, Live Meeting Description: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Impact: Remote Code Execution Fixes 3 vulnerabilities: CVE-2016-3301, CVE-2016-3303, CVE-2016-3304 Restart Required: May Require Restart
- 16. MS16-099: Security Update for Microsoft Office (3177451) Maximum Severity: Critical Affected Products: Office Description: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Impact: Remote Code Execution Fixes 7 vulnerabilities: CVE-2016-0137, CVE-2016-3312, CVE-2016-3313, CVE-2016-3315, CVE-2016-3316, CVE-2016-3317, CVE-2016-3318 Restart Required: May Require Restart
- 17. MS16-102: Security Update for Microsoft Windows PDF Library (3182248) Maximum Severity: Critical Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views specially crafted PDF content online or opens a specially crafted PDF document. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Impact: Remote Code Execution Fixes 1 vulnerabilities: CVE-2016-3319 Restart Required: Requires Restart
- 18. CHROME-177: Google Chrome 52.0.2743.116 Maximum Severity: High Affected Products: Google Chrome Description: The stable channel has been updated to 52.0.2743.116 for Windows, Mac, and Linux. This will roll out over the coming days/weeks. Impact: Remote Code Execution Fixes 10 vulnerabilities: CVE-2016-5141, CVE-2016-5142, CVE-2016-5139, CVE-2016-5140, CVE-2016-5145, CVE-2016-5143, CVE-2016-5144, CVE-2016- 5146 Restart Required: Does not require restart
- 19. FF16-012: Firefox 48.0 Maximum Severity: Critical Affected Products: Firefox • Description: • Roar for moar protection against harmful downloads! We've got your back • Process separation (e10s) is enabled for some of you. Like it? Let us know and we'll roll it out to more. • Add-ons that have not been verified and signed by Mozilla will not load • Various security fixes Impact: Remote Code Execution Fixes 24 vulnerabilities: CVE-2016-2835, CVE-2016-2836, CVE-2016-5258, CVE-2016-5259, CVE-2016-5250, CVE-2016-5268, CVE-2016-5267, CVE-2016- 5266, CVE-2016-5265, CVE-2016-5264, CVE-2016-5263, CVE-2016-2837, CVE-2016-5262, CVE-2016-5261, CVE-2016-5260, CVE-2016-5255, CVE-2016-5254, CVE-2016-5253, CVE-2016-0718, CVE-2016-5252, CVE-2016-5251, CVE-2016-2839, CVE-2016- 2838, CVE-2016-2830 Restart Required: Does not require restart
- 20. MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) Maximum Severity: Important Affected Products: Windows Description: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. Impact: Elevation of Privilege Fixes 4 vulnerabilities: CVE-2016-3308, CVE-2016-3309, CVE-2016-3310, CVE-2016-3311 Restart Required: Requires Restart
- 21. MS16-100: Security Update for Secure Boot (3179577) Maximum Severity: Important Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker installs a policy affected by the vulnerability onto a target device. Impact: Security Feature Bypass Fixes 1 vulnerabilities: CVE-2016-3320 Restart Required: Does not require restart
- 22. MS16-101: Security Update for Windows Authentication Methods (3178465) Maximum Severity: Important Affected Products: Windows Description: This security update resolves multiple vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application on a domain-joined system. Impact: Elevation of Privilege Fixes 2 vulnerabilities: CVE-2016-3237, CVE-2016-3300 Restart Required: Requires Restart
- 23. MS16-103: Security Update for ActiveSyncProvider (3182332) Maximum Severity: Priority 2 Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when Universal Outlook fails to establish a secure connection. Impact: Information Disclosure Fixes 1 vulnerabilities: CVE-2016-3312 Restart Required: Requires Restart
- 24. Between Patch Tuesdays New Product Support: Snagit 13, WinMerge, PeaZip 6, Windows 10 1607 Security Updates: Flash Player (1), iTunes (2), GIMP (1), Chrome (2), Java (1), FileZilla (2), Nitro Pro (1), Skype (1), Wireshark (2), Firefox and Firefox ESR (2), Opera (2), Adobe Acrobat and Reader DC (2), Foxit Reader (1) Non-Security Updates: Microsoft (13), Tomcat (1), Splunk Universal Forwarder (1), CCleaner (1), PDFCreator (1), TeamViewer (1), Snagit (1), WinMerge (1), Java (1), AutoCAD 2016 (1), PeaZip (1), HipChat (2), Citrix VDA Core Services (1), WinSCP (1), Xmind (1), Box Sync (2), Google Drive (2), CDBurnerXP (1), Classic Shell (1), Dropbox (1), Libre Office (2), Foxit Phantom (1), GoodSync (1), Security Tools:
- 26. Resources and Webinars Get Shavlik Content Updates Get Social with Shavlik Sign up for next months Patch Tuesday Webinar Watch previous webinars and download presentation.
- 27. Thank you
Editor's Notes
- NEARLY 50% OPEN E-MAILS AND CLICK ON PHISHING LINKS WITHIN THE FIRST HOUR.
- http://www.forbes.com/sites/gordonkelly/2016/08/09/windows-10-anniversary-update-serious-problems/#29cae5ff756b http://rs.shavlik.com/documents/LSI-1209LegacyShavlikEndOfLifeInfo.pdf http://info.shavlik.com/082816-VMworld-Appointment_Request.html?r=web&_ga=1.190955305.209304491.1400572794
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. User Targeted - Privilege Management Mitigates Impact
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. Ensure that your Internet Explorer version is at the latest for the OS you are installed on. Microsoft is only updating the latest version for each supported OS since January 2016. For details please see: https://support.microsoft.com/en-us/lifecycle#gp/Microsoft-Internet-Explorer User Targeted - Privilege Management Mitigates Impact Multiple Microsoft Internet Explorer Memory Corruption Vulnerabilities Multiple remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by an enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. The update addresses the vulnerabilities by modifying how Internet Explorer handles objects in memory.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User targeted vulnerabilities – Privilege Management Mitigates Impact Multiple Edge Memory Corruption Vulnerabilities Multiple remote code execution vulnerabilities exist when Microsoft Edge improperly accesses objects in memory. The vulnerabilities could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of an enticement in an email or instant message, or by getting them to open an email attachment. The update addresses the vulnerabilities by modifying how Microsoft Edge handles objects in memory. For CVE-2016-3319 only: Remove Microsoft EDGE from the PDF reader default file type association https://technet.microsoft.com/library/security/MS16-096
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted - Privilege Management Mitigates Impact Multiple remote code execution vulnerabilities exist when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerabilities could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit the vulnerabilities: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerabilities, and then convince users to open the document file. The security update addresses the vulnerabilities by correcting how the Windows font library handles embedded fonts. In the Affected Software and Vulnerability Severity Ratings table for Microsoft Office, the Preview Pane is an attack vector for CVE-2016-3301, CVE-2016-3303, and CVE-2016-3304. The security update addresses the vulnerabilities by correcting how the Windows font library handles embedded fonts.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. Multiple Microsoft Office Memory Corruption Vulnerabilities Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file. Note that where the severity is indicated as Critical in the Affected Software and Vulnerability Severity Ratings table, the Preview Pane is an attack vector for CVE-2016-3316. The security update addresses the vulnerabilities by correcting how Office handles objects in memory.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted - Privilege Management Mitigates Impact Microsoft PDF Remote Code Execution Vulnerability - CVE-2016-3319 A remote code execution vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit the vulnerability on Windows 10 systems with Microsoft Edge set as the default browser, an attacker could host a specially crafted website that contains malicious PDF content and then convince users to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted PDF content to such sites. Only Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website. The browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have no way to force users to view attacker-controlled content. Instead, an attacker would have to convince users to open a specially crafted PDF document, typically by way of an enticement in an email or instant message or by way of an email attachment. The update addresses the vulnerabilities by modifying how affected systems handle objects in memory. For Windows 10 only: Remove Microsoft Edge from the PDF reader default file type association https://technet.microsoft.com/library/security/MS16-102
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted
- Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. Multiple Win32k Elevation of Privilege Vulnerabilities Multiple elevation of privilege vulnerabilities exist when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit these vulnerabilities, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. Patch is dependent on additional updates. You must also approve the following updates to resolve the dependencies: MSWU-2085 KB3173428 TH2 MSWU-2117 KB3173427 TH1 MSWU-2086 KB3173424 8.1 MSWU-2088 KB3173426 8
- Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. Netlogon Elevation of Privilege Vulnerability – CVE-2016-3300 An elevation of privilege vulnerability exists when Windows Netlogon improperly establishes a secure communications channel to a domain controller. An attacker who successfully exploited the vulnerability could run a specially crafted application on a domain-joined system. To exploit the vulnerability, an attacker would require access to a domain-joined machine that points to a domain controller running either Windows Server 2012 or Windows Server 2012 R2. The update addresses the vulnerability by modifying how Netlogon handles the establishment of secure channels. Kerberos Elevation of Privilege Vulnerability – CVE-2016-3237 An elevation of privilege vulnerability exists in Windows when Kerberos improperly handles a password change request and falls back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol. An attacker who successfully exploited this vulnerability could use it to bypass Kerberos authentication. To exploit this vulnerability, an attacker would have to be able to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine. The update addresses this vulnerability by preventing Kerberos from falling back to NTLM as the default authentication protocol during a domain account password change.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. Universal Outlook Information Disclosure Vulnerability - CVE-2016-3312 An information disclosure vulnerability exists when Universal Outlook fails to establish a secure connection. An attacker could use this vulnerability to obtain the username and password of a user. The update addresses the vulnerability by preventing Universal Outlook from disclosing usernames and passwords.
- Sign up for Content Announcements: Email http://www.shavlik.com/support/xmlsubscribe/ RSS http://protect7.shavlik.com/feed/ Twitter @ShavlikXML Follow us on: Shavlik on LinkedIn Twitter @ShavlikProtect Shavlik blog -> www.shavlik.com/blog Chris Goettl on LinkedIn Twitter @ChrisGoettl Sign up for webinars or download presentations and watch playbacks: http://www.shavlik.com/webinars/