Welcome to the first Trend Micro Zero Day Initiative (ZDI) monthly patch review blog. This month, we put additional context around the major security patches released from Microsoft and Adobe.
As the crisp autumn air descends upon us, it is time again to take a look at the security patches released by Adobe and Microsoft for the month of October, 2016.
Adobe Patches for October 2016
Adobe released three updates for October. The first update covers 12 CVEs in Flash – two of which were submitted through the ZDI program. While the update is marked is critical, there’s no indication any of these bugs are being actively exploited. Adobe also released a critical patch for Acrobat and Reader fixing a whopping 71 CVEs – 32 of which came through the ZDI program. Similar to Flash, none of these issues are reported to be actively exploited. Two of these bugs – CVE-2016-6944 and CVE-2016-6945 – were submitted by ZDI’s own AbdulAziz Hariri and are October’s Bug of the Month.
Bug of the Month
This month we focus on CVE-2016-6944 – a use-after-free (UAF) bug in Acrobat that allows remote code execution in the context of the logged-on user. To trigger this bug, an attacker would force a PDF document to open a search box and then exit Reader while the search dialog is still open. This triggers the UAF since Reader fails to properly validate the existence of an object before attempting to perform operations on that object. What makes this bug interesting is that once the Search box is opened, even if it later closed, it will keep a dangling pointer. This remains true even if the user continued working with Adobe reader taking action like opening or closing documents. The bug will be triggered once the whole application is closed. This gives the attack somewhat of a stealthy, time-bomb taste – an attacker can trigger the exploit some time before the user finally closes the application to complete the code execution.
Adobe’s final bulletin for October resolves an unquoted search path vulnerability in the Creative Cloud Desktop Application. The lone CVE could allow a local privilege escalation and is not reported to being publicly known or exploited.
In the world of Microsoft updates, we have entered the world of the roll-up. It wasn’t quite clear how the security bulletins would change with this new servicing strategy, but thankfully, individual components are still listed and documented. This means that October brings 10 new bulletins – 5 Critical, 4 Important, and 1 Moderate – resolving 44 CVEs in Internet Explorer, Edge, Office, and Windows.
Microsoft Patches for October 2016
What’s interesting this month is that five different CVEs are listed as being under active attack:
If you have to prioritize your testing, focusing on MS16-118, -120 and -121 is a good place to start. They all have active attacks and impact widely used components.
There are multiple kernel-related issues this month as well. MS16-123 looks like a standard updated for kernel-mode drivers (e.g. win32k.sys), but MS16-124 seems to more directly impact the registry. Many sensitive items exist within the Windows registry, which makes it an attractive target to attackers. Microsoft also released a Critical update for the Windows Video Control component, an Important update for the Windows 10 Diagnostic Hub, and the Microsoft version of the aforementioned Flash update to round out this month’s bevy of updates. No new Microsoft advisories were released this month.
Finally, although we alluded to it earlier, we would be remiss if we didn’t spend some time discussing the new Microsoft roll-up policy for Windows 7 and newer platforms. Instead of individual updates, these platforms will now receive cumulative roll-ups for both security and non-security fixes. Much has already been written about this change, and details are found here. From a servicing perspective, it certainly lowers the burden to Microsoft. By having a consistent image to patch, they are in a better position to get it right the first time. In theory, it’s easier for administrators to push out one patch instead multiple patches.
However, it’s not clear what happens when problems occur. Poor patch quality has been a problem in the past, and it will certainly occur again. Does a problem in a kernel update result in un-installing the update for kernel and GDI+ and video component and the registry? This could be problematic since attackers often reverse engineer security patches to make exploits. Microsoft tries to re-assure people that these patches are tested “with our OEMs and ISVs, and by customers” prior to release. However, current patches are also tested with these same groups, so problems are bound to arise. When problems do occur, it is hoped that Microsoft will communicate clearly and authoritatively what corrective actions users should take to protect themselves.
The next patch Tuesday falls on November 8, and we’ll be back with more details then. Between now and then is the highly-anticipated Mobile Pwn2Own competition happening at PacSec in Tokyo. Rumors of multiple contestants abound, and we’re very excited to see some great research. One of the Microsoft bugs from this month was related to the Pwn2Own competition from March of this year. It will be interesting to see if the mobile OS developers handle the disclosures better or worse than their application/OS counterparts. We certainly aim to find out.
Until then, happy patching and may all your reboots be drama free!