
Microsoft Patches Flaws in Windows, Office, Browsers

The nine security bulletins released by Microsoft for August 2016 patch a total of 27 critical and important vulnerabilities in Windows, Internet Explorer, Edge and Office.

The Internet Explorer and Edge bulletins (MS16-095 and MS16-096) address nine and eight critical vulnerabilities, respectively. Six of these flaws affect both web browsers. The security holes can be exploited for remote code execution and information disclosure by tricking the targeted user into visiting a malicious website.

“Buried within the Edge and IE bulletins there is an interesting information disclosure vulnerability which could give attackers a good bit of insight into victim PCs. Identified as CVE-2016-3329, Microsoft notes that attacker-controlled content would actually be able to determine the existence of specific files on a victim’s machine,” Craig Young, security researcher at Tripwire, told SecurityWeek. “While this is certainly not as bad as a code execution bug or an arbitrary file read issue, it does put the attacker in a unique situation to fingerprint victims and potentially identify vulnerable software on the target not generally exposed to the web browser.”

One of the critical Windows bulletins, MS16-102, patches a remote code execution vulnerability caused by the Windows PDF Library’s improper handling of objects in memory.

The flaw, tracked as CVE-2016-3319, is easiest to exploit against Windows 10 users who have Edge set as the default browser. In that configuration, the weakness can be triggered simply by getting the victim to open a website containing malicious PDF content, because Edge renders PDFs inline. Browsers in other versions of Windows do not render such content automatically, so those users would have to be convinced to open the PDF file itself.

MS16-097 resolves remote code execution vulnerabilities in Windows, Office, Skype for Business and Lync. The flaws are caused by the way the Windows font library handles specially crafted embedded fonts.

MS16-099 also addresses critical flaws in Office – the most severe can be leveraged for remote code execution by getting the victim to open a malicious file.

Although it is rated only important, experts consider MS16-103 an interesting bulletin as well. It fixes an information disclosure vulnerability in Universal Outlook that can be leveraged to obtain usernames and passwords.

“[Universal Outlook] is a special version of Outlook designed to run in tablet mode,” Michael Gray, VP of Technology at Thrive Networks, told SecurityWeek. “The only time we’ve seen anyone use that is by getting into it by accident. Given it has a bug and there is no companion update for ‘regular’ Outlook, I would be concerned that Microsoft is using a different codebase for the Universal application.”

Microsoft’s advisories indicate that none of these vulnerabilities have been publicly disclosed or exploited in the wild.

The company also informed users on Tuesday that the RC4 cipher is no longer supported in Internet Explorer 11 and Edge, because it is no longer considered cryptographically secure.
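The browser change only covers Internet Explorer and Edge. Administrators who want the same policy for every Schannel client and server on a Windows machine can audit and disable RC4 through the Schannel cipher registry keys. The script below is an added example written for this page, not code from the article or from Microsoft; it uses Microsoft’s documented Schannel registry location (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers) and the four RC4 key names Microsoft lists there. The function names Get-Rc4Status and Disable-Rc4 are the script’s own.

```powershell
# Added example (not from the SecurityWeek article or from Microsoft).
# Audits the Schannel RC4 cipher keys and, with -Disable, sets Enabled=0 on
# each of them so that Schannel (the TLS stack behind Internet Explorer and
# most Windows components) stops offering RC4. The .NET registry API is used
# rather than New-Item because the key names contain "/", which PowerShell's
# registry provider would treat as a path separator.
# -Disable requires an elevated prompt; Schannel reads the keys at boot, so
# a reboot is needed before the change takes effect.
param([switch]$Disable)

$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
# Subkey names as documented by Microsoft for Schannel cipher control.
$Rc4Keys = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'

function Get-Rc4Status {
    # Returns one object per RC4 key: the raw Enabled value and whether the
    # cipher is explicitly disabled. A missing key or missing value means the
    # Schannel default applies, which on older systems still offers RC4.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($CiphersPath)
    foreach ($name in $Rc4Keys) {
        $sub = if ($base) { $base.OpenSubKey($name) } else { $null }
        $enabled = if ($sub) { $sub.GetValue('Enabled') } else { $null }
        [pscustomobject]@{
            Cipher   = $name
            Enabled  = $enabled
            Disabled = ($null -ne $enabled -and [int]$enabled -eq 0)
        }
        if ($sub) { $sub.Close() }
    }
    if ($base) { $base.Close() }
}

function Disable-Rc4 {
    # Creates each RC4 subkey if absent (CreateSubKey opens an existing key)
    # and writes the DWORD Enabled=0 that tells Schannel not to use it.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($CiphersPath, $true)
    if (-not $base) { throw "Cannot open $CiphersPath for writing; run elevated." }
    foreach ($name in $Rc4Keys) {
        $sub = $base.CreateSubKey($name)
        $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $sub.Close()
    }
    $base.Close()
}

if ($Disable) { Disable-Rc4 }
Get-Rc4Status | Format-Table -AutoSize
```

Run it without arguments to see the current state; run it with -Disable from an elevated prompt to apply the hardening. Note that the setting is machine-wide: it also removes RC4 from any Schannel-based server (IIS, RDP) on the box, so check that legacy peers do not depend on RC4 before rolling it out.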

No security updates for Adobe Flash Player

Surprisingly, Adobe says it’s not planning to release a security update for Flash Player this month. The company has issued hotfixes for Adobe Experience Manager to address four important vulnerabilities that can lead to cross-site scripting (XSS) attacks and information disclosure.


Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.