Microsoft today issued 10 bulletins covering 45 vulnerabilities, including 5 zero days for this month's Patch Tuesday update, the first using the company's new update methodology.
Five of the bulletins are rated critical, four important and one moderate, and they cover several Microsoft products including Windows, IE, Edge and Office. Exploitation of any of the problems rated critical could result in remote code execution, Microsoft reported. The zero day vulnerabilities are contained in MS16-118, MS16-119, MS16-120, MS16-121 and MS16-126 and are being exploited in the wild.
“Overall it's a mid-sized B week security update but is critical due to the presence of the large amount of 0-day patches,” Amol Sarwate, director of Vulnerability Labs at Qualys, said to SCMagazine.com in an email.
The zero day in MS16-118 is CVE-2016-3298, a Microsoft browser information disclosure vulnerability; in MS16-119 it is CVE-2016-7189, a scripting engine remote code execution vulnerability; MS16-120 has CVE-2016-3393, a Windows graphics component RCE vulnerability; MS16-121 is CVE-2016-7193, a Microsoft Office memory corruption vulnerability; and the last one is CVE-2016-3298 in bulletin MS16-126, the only zero day that is not rated critical, just moderate. It fixes an Internet Explorer information disclosure vulnerability.
“This month sees another pass for the vast majority of Microsoft server admins, since nearly all of the patches released in October are solidly client-side. The only exception to this slate of desktop patches is MS16-121, which affects Microsoft SharePoint Server, by way of Microsoft Office. Left unpatched, an attacker who has the ability to store documents on SharePoint can upload a specially-crafted RTF file to gain remote code execution (RCE) on the affected server," Tod Beardsley, Rapid7's security research manager, told SCMagazine.com in an email.
Microsoft's October Patch Tuesday update is the first to take place using the company's new “monthly rollup” methodology, a system that was not greeted very warmly by industry execs when it was first announced.
Microsoft said in August that it would institute the “monthly rollup” for its October update, bundling security fixes and reliability fixes into a single update instead of putting out a series of updates from which system administrators can pick and choose. Microsoft believes this will make life easier for admins and make Windows more reliable by eliminating update fragmentation.
“The big news this month is of course Microsoft's move towards monthly rollup patches for all OS going back to Windows 7. Moving forward, Microsoft will be releasing two patches for each platform. The first patch contains only security relevant bug fixes while the other patch, marked as a monthly rollup, may also contain fixes for non-security bugs to improve software reliability,” Craig Young, Tripwire security researcher, said to SCMagazine.com in an email.
Young went on to note that this method can cause security teams problems if one aspect of the update is not compatible with their system. This places them in the difficult position of either installing software with a known compatibility issue or not installing the update, leaving their system vulnerable. Another potential problem is that if the all-in-one updates become large, the download itself could hog system resources.