Security Experts:

Connect with us

Hi, what are you looking for?



July 2016: A Perfect Vulnerability Storm

It turned out to be a tricky month for security admins to take that long-awaited summer vacation because July was one of the busiest months in recent memory in terms of vulnerabilities. The vulns were copious and severe, and all the big vendors seemed to suffer.

It turned out to be a tricky month for security admins to take that long-awaited summer vacation because July was one of the busiest months in recent memory in terms of vulnerabilities. The vulns were copious and severe, and all the big vendors seemed to suffer. And while every organization strives to keep all of their technology patched and updated, months like this one remind us that it is virtually impossible to be perfect. Let’s take a quick look at all the recent action and recap what you need to know.

Microsoft’s 20-Year Vulnerability

Microsoft’s Patch Tuesday release contained several important fixes, but one in particular is likely to keep security teams busy patching Windows machines in their networks. MS16-087 is one of those scary vulnerabilities that has more or less been sitting in plain sight for the better part of two decades, and it creates a potential goldmine for attackers.

The issue centers around the way the Windows operating system deals with printers. To make it easy for users to find and use printers, the Windows operating system trusts the printer to automatically deliver the appropriate printer driver to the end-user machine, where the OS would dutifully install the driver. The problem is that these drivers were not being checked, not generating User Account Control messages, and were system-level drivers. 

As a result, if an attacker could compromise a printer – or simply impersonate one – the attacker could deliver code to the victim that the machine would trust and run with system-level privileges.  The attacker could run this scam repeatedly as users connect to the printer, effectively turning it into a malicious watering-hole to progressively infect host after host in the network. Making matters worse, the same mechanism works over web-based connections using the MS-WPRN protocol, enabling users to be infected over the Internet. A deeper dive into the issue is available here.

The staggering number of end-user laptops running Windows ensures that this vulnerability will require a lot of time and attention from security teams. Virtually every version of Windows was affected reaching back Windows 95, so pretty much everything that runs Windows will need to be patched, and that is a lot of cats to herd. 

Oracle’s Colossal CPU

Oracle posted the largest Critical Patch Update in the company’s history to address a total of 276 vulnerabilities. The issues were spread across a wide variety of Oracle products and technologies including Java, Oracle E-business Suite, Oracle Retail Applications, Fusion Middleware, and Supply Chain Products Suite. Of the 276 vulnerabilities, 159 were remotely exploitable without authentication, and 28 total vulns had a CVSS score over 9.0. The combination of high volume, severity, and the importance of the affected systems make this batch of vulnerabilities a very high priority for enterprises that use these products.

Flash Brings Up the Rear

While it didn’t keep up with the scale of Microsoft or Oracle, Adobe released 52 fixes for weaknesses in the much-maligned Flash Player. Of the 52 vulns, 33 of them enabled remote code execution. Much like the Microsoft bug discussed earlier, the ubiquity of Flash support within modern browsers creates a massive attack surface using end-users machines. It is incredibly difficult for security teams to track and ensure that individual plugins on a user’s device remains up to date. And once again, this leads to plenty of weak spots that attackers can take advantage of.

Altogether, this batch of vulnerabilities underlines the challenge of patching modern networks. Internet-facing plugins like Flash provide a large attack surface that attackers can use to get a foot in the door. Alternatively, attackers could use the Microsoft Point-and-Print vulnerability to both infect a user from the Internet, and then spread laterally within the network by turning a printer into a malicious watering hole. The Oracle vulnerabilities affect a wide variety of mission-critical systems that enterprises rely on in order to function.

July was a perfect storm where everything from the end-user’s browser to the underlying enterprise software for mission-critical systems received a black eye. It is also a reminder that while patch management is critical to security, it is a task where it is almost impossible to be perfect. And when our preventative measures can’t be perfect we have to depend on a layered approach to security to weather the storms.

Related: Oracle’s Critical Patch Update for July Contains Record Number of Fixes

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.