Thursday, December 14, 2017

Tag: 2016

A year ago, IT security researchers hacked the onboard computer in Fiat Chrysler's Jeep Cherokee. Now the company is launching its first public bug bounty program. Fiat Chrysler Automobiles (FCA) has the inauspicious distinction of being perhaps the first major auto vendor in the world to issue a vehicle recall due to IT security flaws. Now, a year after researchers Charlie Miller and Chris Valasek detailed flaws in FCA's vehicles, including the Jeep Grand Cherokee, that led to the recall of 1.4 million vehicles, FCA is launching a bug bounty program. The program will award researchers up to $1,500 per vulnerability that is responsibly disclosed to FCA.

The bug bounty will be operated by third-party bug bounty platform provider Bugcrowd. "Bug bounties are incredibly effective, but they aren't a trivial undertaking," Casey Ellis, CEO and founder of Bugcrowd, told eWEEK. "FCA chose the measured approach, along with partnering with Bugcrowd, to make sure their program is successful for both the hackers who participate and FCA itself." Bugcrowd isn't the only vendor that provides managed bug bounty programs. Other vendors include HackerOne, which recently conducted the "Hack the Pentagon" program for the U.S. Department of Defense.

Ellis said that FCA did its due diligence and settled on Bugcrowd as its vendor of choice. Overall, he noted that as the market for bug bounties evolves, he is seeing adoption of the concept as a whole. "Given that the rising tide floats all boats, that means all of the providers are seeing successful takeup in the parts of the market they've decided to focus on," Ellis said. Bugcrowd tracks the cost of bug bounties in a report it updated in June.

According to the "2016 State of Bug Bounty" report, the average bug bounty payout is now $500. "One of the interesting phenomena in bug bounty programs is that it's very easy to boost your rewards up, and quite difficult to bring them down," Ellis said. "On that basis we recommended that FCA starts with rewards that are economically reasonable for them, while providing a good incentive to activate the community." Ellis expects the FCA bug bounty rewards to increase over time. He also noted FCA will pay $1,500 for the most severe vulnerability, although it is at FCA's discretion to go beyond that amount if the company sees fit.

Bugcrowd is no stranger to helping the automobile industry: it already runs a bug bounty program for electric car maker Tesla. "Tesla started early and has done a phenomenal job in developing a relationship with the hacker community to make their cars safer," Ellis said. "The key difference is in the age of the company, and the number of vehicles on the road. FCA has been around a long, long time, which is what makes this program both historic and unique."

The researchers who first disclosed flaws in FCA vehicles at the Black Hat USA 2015 conference, Miller and Valasek, are speaking at the 2016 event and are scheduled to disclose new automobile flaws on Aug. 4. "Marketing to the supply side [i.e., the hackers] is a key part of a successful bug bounty program, and I expect that any buzz generated by the vulnerabilities that Miller and Valasek have discovered will help with overall traction for the program," Ellis said. "As for the vulnerabilities themselves, now Miller and Valasek have a clear vehicle to communicate these to FCA, and a clear expectation set of what they can expect from FCA in return."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Sundown's getting updates, possibly from Yugoslavian crooks

Cybercrooks behind the Sundown Exploit Kit are rapidly updating the hacking tool in a bid to exploit a gap in the market created by the demise of the Angler and Nuclear exploit kits. While RIG and Neutrino have been the primary protagonists in the void left by Angler and Nuclear, Sundown is also vying for an increased share in the exploit kit marketplace. Security researchers at cloud security firm Zscaler ThreatLabZ reckon the miscreants behind Sundown have accelerated the evolution of what started out as a fairly rudimentary exploit kit since the beginning of 2016. The crooks behind Sundown used stolen code from the rival RIG exploit kit for a short time before subsequently knitting together their own code, the researchers report.

Elements of the latest version of the cybercrime toolkit include an image referencing the self-styled Yugoslavian Business Network, likely a nod to the infamous Russian Business Network cybercrime group. Zscaler ThreatLabZ researchers commented: “This Russian Business Network inspired group may or may not be responsible for Sundown, but there does appear to be a German language group offering coding services on forums under the YBN moniker, with many commenters voicing their pleasure with the services.” “Since the disappearance of the two top exploit kits, Angler and Nuclear, other kits will be fighting for market share,” Zscaler ThreatLabZ concludes. “Sundown remains technically less sophisticated than others, but … Sundown's authors will surely keep making rapid updates to their code.”

Exploit kits in general are used to booby-trap websites in order to sling malware at visiting surfers through drive-by-download attacks. The tactic relies on exploiting security holes, typically in Windows PCs: browser vulnerabilities and (increasingly) Flash flaws. ®
Onion routing for the next generation

Next week, boffins will unveil a new anonymous internet tool that they say is both faster and more resilient against attack than Tor, while still keeping online use impenetrable to spies. Dubbed Riffle, the new system was developed by MIT and the École Polytechnique Fédérale de Lausanne in Switzerland. It uses the same onion encryption scheme as Tor, which wraps messages in layers of encryption to preserve privacy. Riffle [PDF], like Tor, also uses servers set up as a mixnet, a way of scrambling the nature of a message as it passes from system to system.

But the special sauce in Riffle is that it toughens up the network against those seeking to track users. Such attacks are a big concern for Tor users, especially since last year researchers at Carnegie Mellon University apparently found a way to deanonymize sections of the Tor network by using a series of infected nodes. The research team got a reported $1m bounty from the Feds for that research, but Riffle could render the technique moot.

"Riffle uses a technique called a verifiable shuffle. Because of the onion encryption, the messages that each server forwards look nothing like the ones it receives; it has peeled off a layer of encryption," MIT explained. "But the encryption can be done in such a way that the server can generate a mathematical proof that the messages it sends are valid manipulations of the ones it receives. Verifying the proof does require checking it against copies of the messages the server received. So with Riffle, users send their initial messages to not just the first server in the mixnet but all of them, simultaneously. Servers can then independently check for tampering."

It's a very secure system, but also one that's very resource-intensive. So Riffle uses a technique dubbed authenticated encryption, whereby every server works together so that as long as one of the routing computers remains uncompromised, the encryption of the message stays secure. "The idea of mixnets has been around for a long time, but unfortunately it's always relied on public-key cryptography and on public-key techniques, and that's been expensive," says Jonathan Katz, director of the Maryland Cybersecurity Center and a professor of computer science at the University of Maryland. "One of the contributions of this paper is that they showed how to use more efficient symmetric-key techniques to accomplish the same thing. They do one expensive shuffle using known protocols, but then they bootstrap off of that to enable many subsequent shufflings."

As a result, the system is both strong and efficient. The development team says it takes a tenth of the resources to send large files as other anonymizing services and provides much better protection against active and passive monitoring. Riffle will be released at next week's Privacy Enhancing Technologies Symposium in Germany. ®
One of the messes munched this Patch Tuesday is very nasty, for you and Redmond

Among the Microsoft messes addressed in the latest round of Patch Tuesday updates is a real doozy that allows remote attackers to compromise Windows machines thanks to a critical security vulnerability affecting printer drivers. The flaw is found in all desktop Windows releases since Vista and Windows Server releases since 2008, and means malvertising or malicious or hacked sites could quietly deliver malicious printer drivers. That attack is possible because malicious code can be injected into the printer spooler service, which fails (CVE-2016-3238) to properly validate the driver code it installs. Printers can be targeted in three ways: through one of a host of vulnerabilities affecting most printers, through common default logins, or by spoofing a fake printer to lure users into connecting to it.

Vectra researcher Nick Beauchesne discovered and reported the flaws to Microsoft. He did not disclose proof-of-concept exploit code but did detail the vulnerability, including recommended attack vectors, in a technical analysis. Organisations should assume the vulnerability will soon be used by criminals. Vectra's chief security officer Gunter Ollmann described the exploit as a "powerful" watering hole attack that helps hackers more easily move to other hosts. "You may have travelling employees who would show up and expect to print … leading to an issue where users have to quickly connect to a printer in order to be able to fully require the assistance or authorisation of an administrator," Ollmann says. "If an attacker gets inside the network and is able to replace the valid approved driver (delivered on demand) with a malicious one, that driver will be delivered to anyone who tries to connect to a printer. That malicious code will be run without checks at the system level … which allows attackers to open remote shells at a system level."

Ollmann says the vulnerability is "incredibly important" because it is good ammunition for targeted attacks: it is difficult to detect, is effective at gaining an initial infection, and helps attackers' lateral movement. It is probably the gnarliest of Microsoft's fixes for 52 CVE-listed vulnerabilities. Of those, 49 grant hackers remote code execution.

Adobe meanwhile has slapped out some of its own Flash fixes to celebrate Patch Tuesday pain day. Daring users running the ravaged runtime need to patch the Windows, OS X, Linux, and ChromeOS versions of Flash to avoid becoming dinner for exploit kits, or just uninstall it. Adobe has also released an update for Acrobat/Reader and XMP Toolkit for Java. ®
Man behind exposed.su document dump and swatting rampage jailed

The New York man behind the 2014 data dump site exposed.su has been sentenced to a year in prison, plus 12 months for time already served, for doxing high-profile figures including First Lady Michelle Obama, Presidential candidate Donald Trump, and artist Jay Z, and for placing dozens of highly dangerous swatting calls. Mir Islam, 22, exposed data on some 50 public figures including former FBI director Robert Mueller, former Central Intelligence Agency Director John Brennan, and celebrities Ashton Kutcher, Beyonce, and Tom Cruise. Their personal information was uploaded to exposed.su, triggering a MediaOutrageStormTM. KrebsonSecurity reported at the time that the hackers were obtaining cheap credit reports using information provided by the sssndob.ru service. Swatting is the practice of calling police to report bogus threats at a victim's location, an action that often results in the appearance of heavily armed SWAT officers.

Islam pleaded guilty on 6 July last year to three charges, including one count of conspiracy to commit a range of federal offenses: identity theft; access device fraud; social security number misuse; computer fraud; wire fraud; assaulting federal officials; and interstate transmission of threats. The other charges included one count of threatening and conveying false information concerning the use of explosives and one count of cyber-stalking. “The crimes committed by this defendant violated the privacy of dozens of people, fostered identity theft, and endangered the safety of many others,” US Attorney Channing Phillips says. “Mir Islam put people at risk on the internet and in their own homes, placed responding police officers at risk, created a dangerous situation on a college campus, caused substantial emotional distress to numerous victims, and diverted law enforcement from work they could be doing to protect the public. Today’s sentence reflects the seriousness of his crimes and hopefully will deter others from similar actions.”

KrebsonSecurity reports Islam's defence argued he suffered from multiple psychological disorders and that the crimes were perpetrated from a sense of “anarchic libertarianism” intended to expose government overreach on consumer privacy and use of force. Islam was previously arrested with 24 others under the FBI's Carder Profit sting, but was sentenced to a mere day in jail. The hacker admits to running exposed.su while cooperating with police during the time of the Carder Profit arrests, Krebs on Security reports. Islam was re-arrested in September 2013 for violating the terms of his parole, and for the swatting and doxing attacks to which he pled guilty. ®
PIA tells users 'we logged nothing', deletes Russian servers from clients

VPN provider Private Internet Access (PIA) says some of its servers have been seized by the Russian government, and it has quit the country in protest at its privacy laws. The company has sent an e-mail to users claiming some of its servers have been seized, even though the enforcement regime, in which all Internet traffic has to be logged for a year, doesn't come into effect until September 2016. A paying user has forwarded the company's e-mail to The Register, which we reproduce at the bottom of this story. The customer also told us the Russian gateways disappeared automatically from “older versions of the PIA client” in the last week.

Russia has been progressively cracking down on Internet services with a particular focus on encryption, and in June laws landed in the Duma that would also outlaw apps like Messenger and WhatsApp. The crackdown already demands registration of any blog, publisher or social network site with more than 3,000 readers, and requires them to store data on Russian soil.

The e-mail, which is available in 'View as Web Page' mode, says:

“The Russian Government has passed a new law that mandates that every provider must log all Russian internet traffic for up to a year. We believe that due to the enforcement regime surrounding this new law, some of our Russian Servers (RU) were recently seized by Russian Authorities, without notice or any type of due process. We think it’s because we are the most outspoken and only verified no-log VPN provider.

“Luckily, since we do not log any traffic or session data, period, no data has been compromised. Our users are, and will always be, private and secure.

“Upon learning of the above, we immediately discontinued our Russian gateways and will no longer be doing business in the region.

“To make it clear, the privacy and security of our users is our number one priority. For preventative reasons, we are rotating all of our certificates. Furthermore, we’re updating our client applications with improved security measures to mitigate circumstances like this in the future, on top of what is already in place. In addition, our manual configurations now support the strongest new encryption algorithms including AES-256, SHA-256, and RSA-4096.

“All Private Internet Access users must update their desktop clients at https://www.privateinternetaccess.com/pages/client-support/ and our Android App at Google Play. Manual openvpn configurations users must also download the new config files from the client download page.

“We have decided not to do business within the Russian territory. We’re going to be further evaluating other countries and their policies.

“In any event, we are aware that there may be times that notice and due process are forgone. However, we do not log and are default secure against seizure.

“If you have any questions, please contact us at helpdesk@privateinternetaccess.com.

“Thank you for your continued support and helping us fight the good fight.” ®
Mozilla's safer-C programming language used to shore up media wrangling code

Mozilla says it will next month ship the first official Firefox build that sports code written in its more-secure-than-C Rust programming language. The Firefox 48 build, due out August 2, will include components developed using Rust, Moz's C/C++-like systems language that focuses on safety, speed and concurrency. It's hoped the Rust-written code will avoid the usual programming blunders present in other web browsers, typically use-after-free and heap corruption bugs, which malicious websites exploit to install malware on computers. For one thing, Rust's toolchain is extremely strict and refuses to build source that potentially suffers from data races, buffer overflows and so on. Therefore, it should be a lot harder to attack the Rust-hardened sections of Firefox.

The first use of Rust will be in the media parser tools, where the security strengths of the language are best put to use. Mozilla believes the memory safety features of Rust will do the most good when handling embedded media files, a favorite ammunition for drive-by malware attacks. "Media formats are known to have been used to trick decoders into exposing nasty security vulnerabilities that exploit memory management bugs in web browsers' implementation code," wrote Mozilla director of strategy Dave Herman. "This makes a memory-safe programming language like Rust a compelling addition to Mozilla's tool-chest for protecting against potentially malicious media content on the web."

Herman noted that early tests on the code have shown that the new Rust components run at identical speeds to their C++ predecessors, meaning users should see little to no difference in performance from the move. Meanwhile, the new Firefox build should, in theory, become more secure. Going forward, Mozilla says it is working on nightly builds of Servo, a Rust-written browser engine that uses Moz's C/C++ SpiderMonkey JavaScript engine. Rust itself was recently updated to version 1.10. "Rust itself is the product of a tremendous, vibrant community," Herman declared. "None of this work would have been possible without the incredible contributions of issues, design, code, and so much more of Rustaceans worldwide." ®
Plus: 52 security bugs fixed in Adobe Flash

Microsoft will fix critical holes in Internet Explorer, Edge, Office and Windows with this month's Patch Tuesday security bundle. Meanwhile, Adobe has patched dozens of exploitable vulnerabilities in its Flash player. Redmond's July release includes 11 sets of patches, six rated as "critical" and five classified as "important." The highlights are: a BitLocker device encryption bypass, evil print servers executing code on vulnerable machines, booby-trapped webpages and Office files injecting malware into PCs, and the usual clutch of privilege elevation flaws. Get patching now before miscreants develop and distribute code exploiting the programming blunders. As far as we can tell, none of the bugs below are being exploited in the wild right now.

MS16-084 is a cumulative fix for Internet Explorer that addresses 15 CVE-listed vulnerabilities, including five memory corruption bugs and four scripting engine memory corruption bugs that can be exploited to execute code remotely on vulnerable machines. In other words, opening a booby-trapped website that exploits these flaws could lead to malware infecting your PC. "The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user," said Microsoft.

MS16-085 is also a cumulative browser fix, this time for the new Edge browser. Among the 13 CVE-listed holes in Edge are five remote code execution flaws in the Chakra JavaScript engine. Also patched are three information disclosure flaws, three spoofing vulnerabilities, and two other memory corruption flaws. Again, a malicious webpage could use these security holes to infect PCs with software nasties.

MS16-088 patches seven memory corruption vulnerabilities in Office. The flaws could allow remote code execution if opened as local documents, or information disclosure if targeted at a SharePoint or Office Web Apps server. Office for Mac users will receive an update as well. Basically, malicious software can be smuggled in Office documents and will infect computers when they are opened.

MS16-094 remedies a security bypass flaw in Windows Secure Boot. An attacker with admin or physical access, such as a thief or someone who has seized your PC, can exploit the vulnerability to install a policy that bypasses BitLocker and disk encryption. "A security feature bypass vulnerability exists when Windows Secure Boot improperly applies an affected policy," Microsoft explained. "An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded on a target device. In addition, an attacker could bypass the Secure Boot Integrity Validation for BitLocker and the Device Encryption security features. To exploit the vulnerability, an attacker must either gain administrative privileges or physical access to a target device to install an affected policy. The security update addresses the vulnerability by blacklisting affected policies."

MS16-093 is Microsoft's distribution of this month's Adobe Flash Player security fixes. In all, 24 CVE-listed flaws are addressed, including remote code execution vulnerabilities. Users running Windows 8.1 and later and Server 2012 will get this update automatically. Older versions will need to get the update from Adobe (more details below).

MS16-086 covers a single remote code execution flaw in the JScript and VBScript engines for Windows Vista and Server 2008. Later versions are not affected. "The vulnerability could allow remote code execution if a user visits a specially crafted website," admitted Microsoft.

MS16-090 addresses six elevation of privilege vulnerabilities in all supported versions of Windows and Windows Server. An attacker can run a specially crafted application that exploits the kernel-level flaws to increase their user permissions and take over the system.

MS16-087 is an update for flaws in the print spooler component of Windows: a man-in-the-middle attacker on a network can execute code on a remote vulnerable machine, or elevate their privileges if already running code on a system. Essentially, a rogue print server on a network can inject malware into connected PCs. All supported versions of Windows and Windows Server are vulnerable. "A remote code execution vulnerability exists when the Windows Print Spooler service does not properly validate print drivers while installing a printer from servers," Microsoft confessed. "An attacker who successfully exploited this vulnerability could use it to execute arbitrary code and take control of an affected system. An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted script or application."

MS16-089 fixes a single information disclosure flaw triggered when the Windows 10 kernel improperly handles objects in memory.

MS16-091 is a patch for an information disclosure flaw in the .NET Framework triggered by running an XML file on a web application. The bug is found in all supported versions of Windows and Windows Server.

MS16-092 addresses two flaws in the Windows kernel, one that discloses information about the kernel and another bypassing security access checks. All supported versions of Windows and Windows Server should be updated.

Meanwhile, Adobe is applying a few more strips of duct tape to holes in the internet's screen door with the July Flash Player update. Windows, OS X, Linux, and ChromeOS users should check to make sure they have the latest version of the software. In total, this month's patch remedies 52 CVE-listed vulnerabilities. If targeted, 49 of those would allow remote code execution, while the other three would allow information disclosure and memory leaks. Adobe has also released an update for Acrobat/Reader and XMP Toolkit for Java. ®
libbpg contains a type confusion vulnerability that leads to out of bounds write Original Release date: 12 Jul 2016 | Last revised: 12 Jul 2016 Overview libbpg is a library for the BPG graphics format. libbpg 0.9.5 through 0.9.7 may allow a crafted f...
The following table provides an exploitability assessment of each of the vulnerabilities addressed this month.

The vulnerabilities are listed in order of bulletin ID then CVE ID. Only vulnerabilities that have a severity rating of Critical or Important in the bulletins are included.Use this table to learn about the likelihood of code execution and denial of service exploits within 30 days of security bulletin release, for each of the security updates that you may need to install. Review each of the assessments below, in accordance with your specific configuration, to prioritize your deployment of this month's updates.

For more information about what these ratings mean, and how they are determined, please see Microsoft Exploitability Index.In the columns below, "Latest Software Release" refers to the subject software, and "Older Software Releases" refers to all older, supported releases of the subject software, as listed in the "Affected Software" and "Non-Affected Software" tables in the bulletin. CVE ID                     Vulnerability Title Exploitability Assessment forLatest Software Release Exploitability Assessment forOlder Software Release Denial of ServiceExploitability Assessment MS16-084: Cumulative Security Update for Internet Explorer (3169991) CVE-2016-3204 Scripting Engine Memory Corruption Vulnerability 1 - Exploitation More Likely 1 - Exploitation More Likely Not applicable CVE-2016-3240 Internet Explorer Memory Corruption Vulnerability 1 - Exploitation More Likely 1 - Exploitation More Likely Not applicable CVE-2016-3241 Internet Explorer Memory Corruption Vulnerability 1 - Exploitation More Likely 1 - Exploitation More Likely Not applicable CVE-2016-3242 Internet Explorer Memory Corruption Vulnerability 1 - Exploitation More Likely 1 - Exploitation More Likely Not applicable CVE-2016-3243 Internet Explorer Memory Corruption Vulnerability 1 - Exploitation More Likely 1 - Exploitation More Likely Not applicable CVE-2016-3245 Internet Explorer Security Feature Bypass Vulnerability 3 - Exploitation Unlikely 3 - Exploitation Unlikely Not applicable CVE-2016-3248 Scripting Engine Memory Corruption Vulnerability 1 - Exploitation More Likely 1 - Exploitation More Likely Not applicable CVE-2016-3259 Scripting Engine Memory Corruption Vulnerability 1 - Exploitation More Likely 1 - Exploitation More Likely Not applicable CVE-2016-3260 Scripting Engine Memory Corruption Vulnerability 1 - Exploitation More Likely 4 - Not affected Not applicable CVE-2016-3261 Internet Explorer Information Disclosure Vulnerability 2 - Exploitation Less Likely 4 - Not affected Not applicable 
| CVE ID | Vulnerability Title | Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment |
|---|---|---|---|---|
| CVE-2016-3264 | Microsoft Browser Memory Corruption Vulnerability | 1 - Exploitation More Likely | 4 - Not affected | Not applicable |
| CVE-2016-3273 | Microsoft Browser Information Disclosure Vulnerability | 3 - Exploitation Unlikely | 3 - Exploitation Unlikely | Not applicable |
| CVE-2016-3274 | Microsoft Browser Spoofing Vulnerability | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not applicable |
| CVE-2016-3276 | Microsoft Browser Spoofing Vulnerability | 2 - Exploitation Less Likely | 4 - Not affected | Not applicable |
| CVE-2016-3277 | Microsoft Browser Information Disclosure Vulnerability | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not applicable |
| MS16-085: Cumulative Security Update for Microsoft Edge (3169999) | | | | |
| CVE-2016-3244 | Microsoft Edge Security Feature Bypass | 2 - Exploitation Less Likely | 4 - Not affected | Not applicable |
| CVE-2016-3246 | Microsoft Edge Memory Corruption Vulnerability | 1 - Exploitation More Likely | 4 - Not affected | Not applicable |
| CVE-2016-3248 | Scripting Engine Memory Corruption Vulnerability | 2 - Exploitation Less Likely | 4 - Not affected | Not applicable |
| CVE-2016-3259 | Scripting Engine Memory Corruption Vulnerability | 1 - Exploitation More Likely | 4 - Not affected | Not applicable |
| CVE-2016-3260 | Scripting Engine Memory Corruption Vulnerability | 1 - Exploitation More Likely | 4 - Not affected | Not applicable |
| CVE-2016-3264 | Microsoft Browser Memory Corruption Vulnerability | 1 - Exploitation More Likely | 4 - Not affected | Not applicable |
| CVE-2016-3265 | Scripting Engine Memory Corruption Vulnerability | 1 - Exploitation More Likely | 4 - Not affected | Not applicable |
| CVE-2016-3269 | Scripting Engine Memory Corruption Vulnerability | 1 - Exploitation More Likely | 4 - Not affected | Not applicable |
| CVE-2016-3271 | Scripting Engine Information Disclosure Vulnerability | 2 - Exploitation Less Likely | 4 - Not affected | Not applicable |
| CVE-2016-3273 | Microsoft Browser Information Disclosure Vulnerability | 3 - Exploitation Unlikely | 4 - Not affected | Not applicable |
| CVE-2016-3274 | Microsoft Browser Spoofing Vulnerability | 2 - Exploitation Less Likely | 4 - Not affected | Not applicable |
| CVE-2016-3276 | Microsoft Browser Spoofing Vulnerability | 2 - Exploitation Less Likely | 4 - Not affected | Not applicable |
| CVE-2016-3277 | Microsoft Browser Information Disclosure Vulnerability | 1 - Exploitation More Likely | 4 - Not affected | Not applicable |
| MS16-086: Cumulative Security Update for JScript and VBScript (3169996) | | | | |
| CVE-2016-3204 | Scripting Engine Memory Corruption Vulnerability | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not applicable |
| MS16-087: Security Update for Microsoft Print Spooler (3170005) | | | | |
| CVE-2016-3238 | Windows Print Spooler Remote Code Execution Vulnerability | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not applicable |
| CVE-2016-3239 | Windows Print Spooler Elevation of Privilege Vulnerability | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not applicable |
| MS16-088: Security Update for Microsoft Office (3170008) | | | | |
| CVE-2016-3278 | Microsoft Office Memory Corruption Vulnerability | 3 - Exploitation Unlikely | 3 - Exploitation Unlikely | Not applicable |
| CVE-2016-3279 | Microsoft Office Security Feature Bypass Vulnerability | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not applicable |
| CVE-2016-3280 | Microsoft Office Memory Corruption Vulnerability | 4 - Not affected | 2 - Exploitation Less Likely | Not applicable |
| CVE-2016-3281 | Microsoft Office Memory Corruption Vulnerability | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not applicable |
| CVE-2016-3282 | Microsoft Office Memory Corruption Vulnerability | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not applicable |
| CVE-2016-3283 | Microsoft Office Memory Corruption Vulnerability | 4 - Not affected | 1 - Exploitation More Likely | Not applicable |
| CVE-2016-3284 | Microsoft Office Memory Corruption Vulnerability | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not applicable |
| MS16-089: Security Update for Windows Secure Kernel Mode (3170050) | | | | |
| CVE-2016-3256 | Windows Secure Kernel Information Disclosure Vulnerability | 2 - Exploitation Less Likely | 4 - Not affected | Not applicable |
| MS16-090: Security Update for Windows Kernel-Mode Drivers (3171481) | | | | |
| CVE-2016-3249 | Win32k Elevation of Privilege Vulnerability | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Permanent |
| CVE-2016-3250 | Win32k Elevation of Privilege Vulnerability | 3 - Exploitation Unlikely | 1 - Exploitation More Likely | Permanent |
| CVE-2016-3251 | Win32k Information Disclosure Vulnerability | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not applicable |
| CVE-2016-3252 | Win32k Elevation of Privilege Vulnerability | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not applicable |
| CVE-2016-3254 | Win32k Elevation of Privilege Vulnerability | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not applicable |
| CVE-2016-3286 | Win32k Elevation of Privilege Vulnerability | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not applicable |
| MS16-091: Security Update for .NET Framework (3170048) | | | | |
| CVE-2016-3255 | .NET Information Disclosure Vulnerability | 3 - Exploitation Unlikely | 2 - Exploitation Less Likely | Not applicable |
| MS16-092: Security Update for Windows Kernel (3171910) | | | | |
| CVE-2016-3258 | Windows File System Security Feature Bypass | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not applicable |
| CVE-2016-3272 | Windows Kernel Information Disclosure Vulnerability | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not applicable |
| MS16-093: Security Update for Adobe Flash Player (3174060) | | | | |
| APSB16-25 | See Adobe Security Bulletin APSB16-25 for vulnerability severity and update priority ratings. | Not applicable | Not applicable | Not applicable |
| MS16-094: Security Update for Secure Boot (3177404) | | | | |
| CVE-2016-3287 | Secure Boot Security Feature Bypass | 1 - Exploitation More Likely | 1 - Exploitation More Likely | Not applicable |
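An added example, not part of the Microsoft bulletin summary: a small Python triage helper that parses Exploitability Index rows in the flattened one-line form such scraped summaries arrive in, keeps the bulletin and KB each CVE belongs to, and lists the CVEs to patch first. The sample rows are copied from the index above; the "(unknown)" label for rows that precede any bulletin header and the triage rule (rated "1 - Exploitation More Likely" for the release in use, or "Permanent" denial of service) are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: rows copied from the July 2016 Exploitability Index, flattened.
SAMPLE = (
    "MS16-090: Security Update for Windows Kernel-Mode Drivers (3171481) "
    "CVE-2016-3249 Win32k Elevation of Privilege Vulnerability "
    "1 - Exploitation More Likely 1 - Exploitation More Likely Permanent "
    "CVE-2016-3250 Win32k Elevation of Privilege Vulnerability "
    "3 - Exploitation Unlikely 1 - Exploitation More Likely Permanent "
    "MS16-092: Security Update for Windows Kernel (3171910) "
    "CVE-2016-3258 Windows File System Security Feature Bypass "
    "2 - Exploitation Less Likely 2 - Exploitation Less Likely Not applicable "
    "MS16-094: Security Update for Secure Boot (3177404) "
    "CVE-2016-3287 Secure Boot Security Feature Bypass "
    "1 - Exploitation More Likely 1 - Exploitation More Likely Not applicable"
)

# Microsoft's four exploitability ratings, plus the denial-of-service column values.
RATING = (r"(?:[1-4] - (?:Exploitation More Likely|Exploitation Less Likely|"
          r"Exploitation Unlikely|Not affected)|Not applicable)")
DOS = r"(?:Permanent|Temporary|Not applicable)"
BULLETIN = re.compile(r"(MS16-\d{3}): (.+?) \((\d+)\)")
ROW = re.compile(rf"(CVE-\d{{4}}-\d+) (.+?) ({RATING}) ({RATING}) ({DOS})")


@dataclass
class Entry:
    bulletin: str
    kb: str
    cve: str
    title: str
    latest: str  # rating for the latest software release
    older: str   # rating for older software releases
    dos: str     # denial-of-service assessment


def parse_index(text: str) -> list[Entry]:
    """Split the flattened index on bulletin headers and extract each CVE row."""
    entries = []
    for chunk in re.split(r"(?=MS16-\d{3}: )", text):
        hdr = BULLETIN.match(chunk)  # rows before any header are tagged "(unknown)"
        bulletin, kb = (hdr.group(1), hdr.group(3)) if hdr else ("(unknown)", "")
        for m in ROW.finditer(chunk):
            entries.append(Entry(bulletin, kb, *m.groups()))
    return entries


def prioritize(entries: list[Entry], latest_release: bool = True) -> list[str]:
    """Assumed triage rule: '1 - ...' for the release in use, or a Permanent DoS."""
    rating = (lambda e: e.latest) if latest_release else (lambda e: e.older)
    return sorted({e.cve for e in entries
                   if rating(e).startswith("1 -") or e.dos == "Permanent"})
```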
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the July bulletin summary.

[2] Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.

Note: The vulnerabilities discussed in this bulletin affect Windows Server 2016 Technical Preview 4 and Windows Server 2016 Technical Preview 5. An update is available for Windows Server 2016 Technical Preview 5 via Windows Update. However, no update is available for Windows Server 2016 Technical Preview 4. To be protected from the vulnerability, Microsoft recommends that customers running Windows Server 2016 Technical Preview 4 upgrade to Windows Server 2016 Technical Preview 5.

* The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).
Security Update for Windows Kernel (3171910)

Published: July 18, 2016 | Updated: July 18, 2016
Version: 1.1

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow security feature bypass if the Windows kernel fails to determine how a low integrity application can use certain object manager features.

This security update is rated Important for all supported releases of Microsoft Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10. For more information, see the Affected Software and Vulnerability Severity Ratings section.

The security update addresses the vulnerabilities by adding a validation check to the Windows kernel that determines how a low integrity application can use certain object manager features, and by correcting how the Windows kernel handles certain page fault system calls. For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3171910.

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the July bulletin summary.

[1] This update is only available via Windows Update.

[2] Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.

Note: The vulnerabilities discussed in this bulletin affect Windows Server 2016 Technical Preview 4 and Windows Server 2016 Technical Preview 5. An update is available for Windows Server 2016 Technical Preview 5 via Windows Update. However, no update is available for Windows Server 2016 Technical Preview 4. To be protected from the vulnerabilities, Microsoft recommends that customers running Windows Server 2016 Technical Preview 4 upgrade to Windows Server 2016 Technical Preview 5.

* The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

I am running Windows Server 2012. Do I need to install the 3170377 and 3172727 updates in a particular order?
No. The 3170377 and 3172727 updates both contain the same components and can be installed in any order. Installing one and then the other without a system restart in between is allowed; however, if you install the 3172727 update first and then restart the system, subsequent attempts to install the 3170377 update will display the message, “The update is not applicable to your computer.” This is because the 3172727 update supersedes the 3170377 update by design.

Does this update contain any additional security-related changes to functionality?
Yes.
In addition to the changes that are listed for the vulnerabilities described in this bulletin, this update includes defense-in-depth updates to help improve security-related features.

Windows File System Security Feature Bypass – CVE-2016-3258

A security feature bypass vulnerability exists in the Windows kernel that could allow an attacker to exploit time-of-check/time-of-use (TOCTOU) issues in file path-based checks from a low integrity application. An attacker who successfully exploited this vulnerability could potentially modify files outside of a low integrity level application.

To exploit the vulnerability, an attacker would need to take advantage of another vulnerability to compromise the sandbox process from a low integrity application. The security update addresses the vulnerability by adding a validation check on how a low integrity application can use certain object manager features.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

| Vulnerability title | CVE number | Publicly disclosed | Exploited |
|---|---|---|---|
| Windows File System Security Feature Bypass | CVE-2016-3258 | No | No |

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

Windows Kernel Information Disclosure Vulnerability – CVE-2016-3272

An information disclosure vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle certain page fault system calls. An authenticated attacker who successfully exploited this vulnerability could disclose information from one process to another.

To exploit the vulnerability, an attacker would have to either log on locally to an affected system, or convince a locally authenticated user to execute a specially crafted application. The update addresses this vulnerability by correcting how the Windows kernel handles certain page fault system calls.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

| Vulnerability title | CVE number | Publicly disclosed | Exploited |
|---|---|---|---|
| Windows Kernel Information Disclosure Vulnerability | CVE-2016-3272 | Yes | No |

Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

V1.0 (July 18, 2016): Bulletin published.
V1.1 (July 18, 2016): Bulletin revised to add an Update FAQ to inform customers running Windows Server 2012 that they do not need to install the 3170377 and 3172727 updates in a particular order.

Page generated 2016-07-18 11:04-07:00.