This August Patch Tuesday from Microsoft brings a relatively light series of updates, with five rated as critical and the remaining four rated as important.

Aside from the relatively few updates from Microsoft, there are no zero-day or publicly disclosed vulnerabilities this month. Microsoft has also chosen to update a number of relatively minor components this month, with the exception of MS16-098 (another kernel update). Later this month, we will add some additional in-depth analysis to this patch update cycle, including potential patch deployment clashes with common applications and a risk assessment for deploying desktop and server updates.

Shavlik is also covering the risk assessment of deploying Microsoft patches and they have created a nice infographic for August found here.

MS16-095 — Critical

The first update rated as critical for this August Microsoft Patch Tuesday follows the standard release cycle pattern with an update to Microsoft Internet Explorer (IE). MS16-095 attempts to resolve nine privately reported memory corruption issues that, if left unpatched, could lead to a remote code execution scenario. This is a pretty standard “technical hygiene” update from Microsoft that does not have to address any urgent “zero-day” vulnerabilities. As is the case for these types of updates, a full application “binaries” refresh will be included in this update, which applies to all currently supported versions of IE. Add this update to your standard desktop deployment effort.

MS16-096 — Critical

Unusually, the update to Microsoft Edge is more serious than the patches to IE for this month. MS16-096 attempts to resolve 10 issues that could also lead to a remote code execution scenario. The more serious of these privately reported issues could lead to an attacker assuming the same security privileges as the logged-in user when that user simply navigates to a specially crafted web page containing malicious JavaScript. Make this patch a priority for your Windows 10 deployment.

MS16-097 — Critical

MS16-097 follows a long pedigree of Microsoft updates that attempt to resolve issues in how Windows platforms handle embedded fonts. This month’s update attempts to resolve three vulnerabilities that, following successful web-page or file-based attacks, could lead to the execution of arbitrary code on a non-patched or compromised system. As this patch affects all Windows (desktop and server) platforms, Microsoft Office and Lync, please add this update to your prioritised patch deployment effort.

MS16-099 — Critical

MS16-099 is a huge update for Microsoft that attempts to resolve seven high-risk exploits that at worst could lead to a remote code execution scenario. In addition to numerous security patches, this update also includes a significant feature-level update to several versions of Microsoft Outlook (Outlook 2007, 2013, 2016, both 32- and 64-bit editions). It also looks like attackers could use three approaches to compromise a system: specially crafted web pages, special files and emails. Make this update a priority for your patch deployment effort.

MS16-102 — Critical

MS16-102 addresses a single (as of yet, unrated by Microsoft and privately reported) vulnerability in the built-in PDF viewer in Windows 8.x and Windows 10 systems. This update is linked to the July cumulative update for Windows 10 that included an update to the PDF handler as well. If a user opens a specially crafted PDF file, it appears that without deploying this update or employing several registry-related security restrictions, a remote code execution scenario will occur on the compromised system. Add this update to your priority patch deployment effort.

MS16-098 — Important

MS16-098 attempts to address four serious (but privately reported) vulnerabilities in the Windows kernel-mode drivers that, if left unpatched, could lead to an elevation of privilege scenario. This is a tricky update with a long history of past issues and problems with these types of patches. I would deploy this update to IT first, and then wait a little while.

MS16-100 — Important

MS16-100 represents the perfect summer update. It’s a simple, single fix to a low-profile Windows component, with low deployment risk. Add this update to your standard patch deployment effort.

MS16-101 — Important

MS16-101 addresses two privately reported vulnerabilities in the Windows authentication engine. Both vulnerabilities are relatively tough to exploit and require physical access to domain-joined systems. However, as this update affects all currently supported versions of both desktop and server systems from Microsoft, it needs to be added to your standard update deployment effort.

MS16-103 — Important

MS16-103 is the final update for this August. It attempts to address a difficult-to-exploit, privately reported vulnerability in a relatively minor component of Windows 10 desktop systems. Add it to your standard Windows 10 deployment effort.