September 2016 Security Updates Summary

Earlier today Microsoft and Adobe released their scheduled monthly security updates.

Microsoft’s updates consist of 14 security bulletins. These bulletins address 50 vulnerabilities more formally known as CVEs (defined)(not including the Adobe vulnerabilities mentioned below).

Only the Internet Explorer security bulletin currently lists a Known Issue (discussed below). However as always please double check the IT Pro Patch Tuesday blog to ensure that there are no issues being experienced before you begin installing the new updates. At this time it does not list any Known Issues.

Update: 15th September 2016:

It has been reported that the security updates for Internet Explorer MS16-104 and Microsoft Edge (MS16-105) patches a zero-day (defined) vulnerability that has been publicly exploited. Further details of this vulnerability have since been disclosed and are available in this ThreatPost article.

The Known Issue for this update now mentions “Microsoft is aware of limited issues in which an ActiveX install may fail when using the ActiveX Installer Service (AXIS) with Internet Explorer 10 or Internet Explorer 11.” However, at this time no workaround or solution is available.

Moreover, the Microsoft Office security bulletin resolves an Important severity level ASLR (defined) bypass designated CVE-2016-0137 within the Microsoft Detours DLL (defined) that applications such as Microsoft App-V use. This issue has the potential to affect a lot of other 3rd party products and is discussed in more detail in this ThreatPost article. Further information/resources concerning this vulnerability are available on this GitHub page. A possibly related issue was found in Nvidia’s graphics driver (defined) (within detoured.dll) late last year which they issued a patch for.

This month also marks the final month that Windows 7 and Windows 8.1 will receive security updates packaged in the traditional format. From October the updates will be offered in packages similar to that of Windows 10 which will mean fewer individual updates will need to be installed to bring systems up to date. The updates will also replace updates from previous months again reducing the volume of updates needing to be installed. There will be single security and reliability updates.

While I am in favour of the simplification of updates, the “Known Issues” that I mention each month will become even more important since you won’t have the option of choosing which updates to install. This will lead to more outages and compatibility issues especially for corporate environments which is discussed in this article. Microsoft provides more details of these changes in their Windows IT Pro blog post. This additional Microsoft blog post and this Windows IT Pro blog post provide further coverage.

Further to this, next month Microsoft plans to begin to block out dated versions of Adobe Flash Player ActiveX controls (defined). Further details are available in their blog post.

====================
For Adobe’s scheduled released they made available an updated version of Flash Player that addresses 29 priority 1 vulnerabilities.

Depending on which version of Flash Player you have, please review the Adobe security bulletin or Microsoft bulletin as appropriate and apply the recommended updates. Google Chrome users will have the updated installed automatically alongside the updated version of Google Chrome released today.

Adobe also released a security bulletin for Adobe AIR SDK and compiler (AIR is its application runtime) to address a single priority 3 vulnerability. More information as well as installation steps are available in the relevant security bulletin. Finally, Adobe released a security bulletin for Digital Editions that addresses 8 priority 3 vulnerabilities.

If you use any of these products, please review the security bulletins linked to above and apply the necessary updates.

You can monitor the availability of security updates for the majority of your software from the following websites (among others) or use Secunia PSI:

—————
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General Software, Security Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by making a donation.

—————
If you use any of the above software, please install the appropriate updates as soon as possible. Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

To assist with making the best use of your time when deploying these updates, I will prioritise the updates for you below:

With Adobe’s Flash Player update (to version 23.0.0.162) addressing 29 critical vulnerabilities, this should be installed first if you already have a previous version installed.

For the Microsoft updates, for corporate environments/server operating systems please first install the Microsoft Exchange update (if you use it within your environment). This should be followed by Microsoft Office, Security Update for Windows (MS16-110) and the Microsoft Graphics Component.

For desktop workstations / small business environments please make Internet Explorer, Microsoft Edge, Microsoft Office and the Microsoft Graphics Component your first priorities due to their severities and prevalent use. The remaining security updates can be installed when you have the time to do so. Detailed information on the contents of each security bulletin is available in this Computerworld article (a new article is published each month within their Patch Tuesday Debugged column).

Another security pre-caution that you may wish to take if you have Microsoft EMET (please ensure your version of EMET is the most recent version 5.5) installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations of how to do this at the end of the July 2015 Update Summary.

As always as a routine precaution I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s