Microsoft Fixes 47 Vulnerabilities with September Patch Tuesday

Microsoft patched 47 vulnerabilities as part of 14 security bulletins, seven critical, with its monthly Patch Tuesday updates today.

The company is warning users that if left unpatched, 10 of the issues can lead to remote execution.

The updates resolve issues in Microsoft Windows, Office, Office Service and Web Apps, Exchange, its Internet Explorer and Edge browsers and Adobe Flash Player.

Among the bugs fixed on Tuesday is a 10-year-old vulnerability, CVE-2016-0137, that existed in Detours, Microsoft Office’s hooking engine. The bug, disclosed over the summer and discussed in depth at Black Hat, affected a handful antivirus platforms that use code hooking. The vulnerability allowed hackers to bypass exploit mitigations present in Windows and those third party applications. Researchers at enSilo, who unearthed the bug, disclosed it to Microsoft nine months ago, prior to Black Hat. At the time the researchers warned that hundreds of thousands of users could be affected by the vulnerability.

Udi Yavo, enSilo co-founder and CTO stressed Tuesday that despite being patched, since the vulnerability affects an engine embedded in products, patching it could be an arduous process.

“In the enterprise — with Detours integrated into thousands of products, including Microsoft Office — patching could take up to three weeks, if not longer,” Yavo said, “On top of that, patching this particular vulnerability is even more complicated because fixing it requires a recompilation of each product individually.”

The firm released a tool on Github, Find a Detour, designed to aid security teams in determining which software may be affected by the bug.

Both Tuesday’s Internet Explorer and Edge updates, MS16-104 and MS16105 respectively, are cumulative. The IE update is rated critical for those still running IE 9 or 11 on Windows machines; if exploited, one vulnerability could let an attacker take control of an affected system, assuming a user was logged in with admin rights.

Microsoft is warning that one vulnerability affecting IE and Edge, CVE-2016-3351, discovered by French security researcher Kafeine and Brooks Li of Trend Micro, has not been publicly exposed but is being exploited in the wild.

According to a post published Tuesday afternoon by Kafeine on Proofpoint’s blog, the zero day was being exploited by AdGholas, a group who used steganography to carry out a recent malvertising campaign, and GooNky, another group.

The Edge update, also marked critical, also fixes additional vulnerability that could allow an attacker to gain the same rights as the current user.

Three critical vulnerabilities in Exchange Server, MS16-108, scared Bobby Kuzma, CISSP, Systems Engineer at Core Security, so much, he said Tuesday he cringed when he read them. The bugs could allow remote code execution in Oracle Outside In libraries built into the mail-calendaring server. An attacker could exploit the issue by sending a specially crafted attachment, like a meeting invitation request, to a victim. The issue affects Exchange 2007, 2010, 2013, and the most recent iteration, 2016.

MS16-106, another critical update, affects a graphics component in Windows, GDI, and builds on a patch from last month, MS16-098, and a patch from last year, MS15-097. The update corrects how the kernel-mode driver handles objects in memory.

The update also fixes another critical vulnerability – this one in OLE Automation, an communication mechanism used in its VBScript Scripting Engine. If an attacker got a user running an affected system to visit a malicious site, they could carry out remote code execution. Users have to apply the OLE Automation patch and the cumulative update in order to be protected, Microsoft cautions.

Tuesday’s update also fixes a vulnerability in Silverlight that Microsoft considers important. If an attacker got a victim to navigate to a website that contains a specially crafted Silverlight application, they could exploit a vulnerability in the application framework and carry out remote code execution.

The Flash update bulletin mirrors the one pushed by Adobe earlier this afternoon and fixes vulnerabilities in the software on Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10. The bulletin will likely be the last Patch Tuesday update that incorporates fixes for Adobe’s Flash Player.

The update will also be Microsoft’s last, at least in its current iteration, for 7, 8.1, Windows Server 2008, and Server 2012 until next month, when it transitions to single rollup. The company announced in August it would start bundling together patches in a single update for the operating systems along with .NET Framework patches starting in October.

Microsoft’s Nathan Mercer confirmed at the time that updates for Service Stack and Adobe Flash will not be included in future rollups.

The move to cumulative updates is mostly being done out of convenience and to cut down on update fragmentation but experts have already called the technique into question, criticizing the could break businesses’ legacy mission critical apps.

“These type of breakage issues could mean less and less companies apply updates because they have to keep business critical applications up and running or risk going out of business,” Chris Goettl, a product manager at Shavlik Technologies told Threatpost on Monday.

Updated on Sept. 15 to clarify CVE-2016-3351 affects both Internet Explorer and Edge