Topping the list are the critical-rated MS16-063, MS16-068, MS16-069, MS16-070 and MS16-071, all of which, if left unpatched, would allow remote code execution. The affected products are Windows, Internet Explorer, Edge, Office, and Office services and web apps. The remaining 11 bulletins all carry an “important” rating.
MS16-071 caused alarm bells to go off for many industry experts.
Bobby Kuzma, systems engineer at Core Security, told SCMagazine.com in an email that he is most concerned about MS16-071, the Windows DNS Server bulletin, as having the greatest potential for exploitation in the wild.
“DNS MS16-071 allows an unauthenticated attacker to send a specially crafted DNS request and would allow them to run the code as the local system account. [An] interesting corollary to the DNS client vulnerabilities that we saw a few months ago,” he said.
Michael Gray, VP of Technology at Thrive Networks, agreed, pointing out that this type of update is outside the norm.
“These types of patches are not typical, but given that most Windows DNS servers are not internet-facing, the exposure to the vulnerability is greatly decreased,” he told SCMagazine.com in an email.
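The exposure argument above turns on whether a given Windows DNS Server is reachable from the internet. The following PowerShell check is an added example, not code from the SC Magazine article or from any of the quoted vendors: it reports whether the DNS Server role is installed on the host and whether the service is bound to any address outside the RFC 1918, loopback, link-local and IPv6 unique-local ranges. It assumes a Windows Server host with the ServerManager and DnsServer modules present, and it treats a non-private listening address as a proxy for "internet-facing"; a private address behind a NAT port-forward would still be exposed, so the result is a starting point for prioritisation, not a substitute for checking the perimeter.

```powershell
# Added example: exposure triage for the MS16-071 (Windows DNS Server) bulletin.
# Not part of the original article. Assumes the ServerManager and DnsServer modules.

function Test-PrivateAddress {
    param([Parameter(Mandatory)][string]$Address)
    # Returns $true for addresses that are not globally routable:
    # RFC 1918, 127/8, 169.254/16, ::1, fe80::/10 and fc00::/7.
    $ip = [System.Net.IPAddress]::Parse($Address)
    $b  = $ip.GetAddressBytes()
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168) -or
               ($b[0] -eq 127) -or
               ($b[0] -eq 169 -and $b[1] -eq 254)
    }
    # IPv6: loopback, link-local, unique-local
    return [System.Net.IPAddress]::IPv6Loopback.Equals($ip) -or
           $ip.IsIPv6LinkLocal -or
           (($b[0] -band 0xfe) -eq 0xfc)
}

function Test-DnsServerExposure {
    # Returns an object summarising role presence and listening addresses.
    $role = Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue
    if (-not $role -or -not $role.Installed) {
        return [pscustomobject]@{
            RoleInstalled   = $false
            ListeningOn     = @()
            NonPrivateBinds = @()
            Verdict         = 'DNS Server role not installed; MS16-071 server-side exposure does not apply.'
        }
    }

    # ListeningIPAddress is the set of addresses the DNS service is bound to.
    # Fall back to all host addresses if the setting comes back empty (assumption).
    $listen = @((Get-DnsServerSetting -All).ListeningIPAddress)
    if ($listen.Count -eq 0) {
        $listen = @((Get-NetIPAddress | Where-Object { $_.IPAddress -notlike '*%*' }).IPAddress)
    }
    $nonPrivate = @($listen | Where-Object { -not (Test-PrivateAddress $_) })

    $verdict = if ($nonPrivate.Count -gt 0) {
        "DNS Server listens on non-private address(es): $($nonPrivate -join ', '). Treat as reachable by unauthenticated remote requests; patch with priority."
    } else {
        "DNS Server listens only on private/loopback addresses. Exposure is limited to internal clients, but the patch is still required."
    }

    return [pscustomobject]@{
        RoleInstalled   = $true
        ListeningOn     = $listen
        NonPrivateBinds = $nonPrivate
        Verdict         = $verdict
    }
}

# Run on the host being assessed (requires local administrator rights for DnsServer cmdlets).
Test-DnsServerExposure | Format-List
```

Run it across DNS hosts with `Invoke-Command` to get a quick list of servers whose binding addresses warrant treating MS16-071 as externally reachable; the verdict string is deliberately conservative, since an internal DNS server is still reachable by any attacker already on the network.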
Qualys CTO Wolfgang Kandek singled out MS16-070 as the one to watch, from the client side, in his monthly Patch Tuesday blog.
“The most important vulnerability is addressed in MS16-070, which fixes a number of problems in Microsoft Office. The most important vulnerability here is CVE-2016-0025 in Microsoft Word RTF format, which yields RCE for the attacker. Since RTF can be used to attack through Outlook's preview pane, the flaw can be triggered with a simple e-mail without user interaction,” Kandek noted.
Of the remaining updates, MS16-075 and MS16-076, which resolve vulnerabilities in Windows SMB Server and Netlogon respectively, stood out for Ty Reguly, manager at Tripwire VERT.
“One of the more interesting notes for administrators this month is that MS16-075 and MS16-076 share a security update for the server platforms. This means one less patch to install in those environments. It also addresses a couple of interesting vulnerabilities, particularly with MS16-075. The ability to forward authentication from one service to another is a particularly nasty flaw; however, Microsoft has indicated that the attacker must have authenticated access to the system, mitigating some of the risk,” Reguly told SCMagazine in an email.
Chris Goettl, product manager with Shavlik, pointed out that MS16-075 (CVE-2016-3225), MS16-077 (CVE-2016-3236) and MS16-082 (CVE-2016-3230), while all rated only important, address publicly disclosed vulnerabilities and therefore warrant more immediate attention, he told SCMagazine.com in an email.