Times Are a-Changin’, But You Still Need to Patch

By Chris Goettl

This September 2016 Patch Tuesday will be the final Patch Tuesday on the old servicing model. Starting in October, Microsoft has announced a change to the servicing models for all pre-Windows 10 operating systems. I have had a number of questions from customers, partners, other vendors and companies I have spoken to since the announcement. My advice remains the same, which I describe in this post.  This change will require all of us to make some adjustments, and application compatibility and the risks associated with exceptions are the areas that will be most impacted. 

I went through an exercise earlier today to show what I mean.  

If you look at the average bulletin and vulnerability counts for each Patch Tuesday this year, we are averaging about three CVEs per bulletin. Given the explanation from Microsoft’s blog post, I revisited each Patch Tuesday for 2016 and refigured the total bulletin count we would have seen in under the new model and the average CVEs per bulletin changes to around 12 CVEs per bulletin.

The bottom line here is exceptions due to application-compatibility issues will become more compounded from a risk perspective. Companies will have to do more rigorous application-compatibility testing to ensure things to don’t break when these larger bundled security updates are pushed to systems. If there is a conflict, vendors that conflict with the updates are going to be under more pressure to resolve issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will have a very different reaction.

Next month as we investigate the October Patch Tuesday release we will have more details, and will discuss the realities of the new servicing model in our monthly Patch Tuesday webinar, so plan to join us for that. 

My forecast for this Patch Tuesday was pretty close. There’s the Flash Player update and 14 bulletins from Microsoft. Microsoft’s 14 bulletins include seven critical and seven important updates resolving a total of 50 unique vulnerabilities, including an IE zero day (CVE-2016-3351) and a public disclosure (CVE-2016-3352).  

Adobe released a total of three bulletins, but only Flash Player was rated as critical or priority 1 in Adobe severity terms. This update resolves 29 vulnerabilities. The other two Adobe bulletins resolve nine vulnerabilities, but both are rated Priority 3, which is the lowest rating Adobe includes for security updates.  

As I mentioned last week, Google also recently released a Chrome update, so be sure to include this browser update in your monthly patch maintenance as it includes additional security fixes.  

Digging in a layer deeper on higher priority updates: 

MS16-104 is a critical update for Internet Explorer that resolves 10 vulnerabilities, including a zero-day exploit (CVE-2016-3351), making this a top priority this month. This bulletin includes vulnerabilities that target end users. The impact of several of the vulnerabilities can be mitigated by proper privilege management, meaning if the user exploited is a full user, the attacker also has full rights. If the user is less than a full user, then the attacker must find additional means to elevate privileges to exploit the system further.  

MS16-105 is a critical update for edge browser that resolves 12 vulnerabilities. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-106 is a critical update for Windows Graphics that resolves fives vulnerabilities. GDI patches often impact more than just the Windows OS, as GDI is a common component used across many Microsoft products. This month it appears the GDI update is only at the OS level, which I believe was a first this year.  

MS16-107 is a critical update for Office and SharePoint which resolves 13 vulnerabilities. Now when I say this affects Office and SharePoint, I mean ALL variations — all versions of Office, Office Viewers, SharePoint versions including SharePoint 2007. You may see this show up on machines more than once depending on what products and viewers are on each system. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-108 is a critical update for exchange server that resolves three vulnerabilities. In reality, this update addresses more, as it includes Oracle Outside in Libraries which released an update in July. This adds 18 additional vulnerabilities to the resolved vulnerability count for this bulletin. This bulletin does include a user targeted vulnerability. An attacker could send a link that has a specially crafted URL which would allow redirection of an authenticated exchange user to a malicious site designed to impersonate a legitimate website.  

MS16-110 is an important update resolving four vulnerabilities. Now, you may be asking, why include this one important update in the high priority updates for this month? Well, that is because of CVE-2016-3352, which was publicly disclosed. This means enough information was disclosed before the update was released, giving attackers a head start on building exploits. This puts this bulletin into a higher priority, as it stands a higher chance of being exploited. The vulnerability is a flaw in NTLM SSO requests during MSA login sessions. An attacker who exploits this could attempt to brute force a user’s NTLM password hash.  

MS16-116 is a critical update in VBScript Scripting Engine that resolves one vulnerability. This update must be installed along with the IE update MS16-104 to be fully resolved. This bulletin includes vulnerabilities that target end users and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-117 is a critical update for Adobe Flash Player plug-in for Internet Explorer. This bulletin resolves 29 vulnerabilities, several of which do target a user.  

APSB16-29 is a priority 1 update for Adobe Flash Player that resolves 29 vulnerabilities. With Flash Player updates you will typically have two to four updates to apply to each system. Flash Player and plug-ins for IE, Chrome, and FireFox.  

Chris Goettl is the senior product manager for Shavlik’s Protect and Patch product lines. Chris started his career working in IT.  In 2004 he joined the Shavlik team and worked his way from front line support of the products to Systems Engineer, Product Trainer, Product Owner, and for the last three years, as Product Manager.