July continues an ongoing trend in Microsoft's products: the majority of bulletins (6) address remote code execution (RCE), followed by information disclosure (2), security feature bypass (2) and elevation of privilege (1). All of this month's 'critical' bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Microsoft Office, Office Services and Web Apps, SharePoint as well as Windows (client and server).
Looking back at the last year of security bulletins, a clear trend has emerged and persists: the majority of these bulletins address RCE. Microsoft continues to actively work on resolving these issues, as the overwhelming number of critical RCE bulletins shows, but it is fighting an ongoing battle in which it has been unable to permanently address these vulnerabilities, which predominantly affect consumer applications such as Edge, Internet Explorer, Microsoft Office and .NET. Unfortunately, this makes consumers one of the single largest attack vectors.
This month, Microsoft resolves 40 vulnerabilities across 11 bulletins.
- For consumers, MS16-084, MS16-085, MS16-086 and MS16-088 are the bulletins to watch out for, addressing 27 vulnerabilities.
- For server users, MS16-084, MS16-086 and MS16-087 are the bulletins to watch out for, addressing 17 vulnerabilities.
Fortunately, at this time no vulnerabilities are known to have been exploited in the wild. However, one vulnerability each from MS16-092 and MS16-094 is known to be publicly disclosed (CVE-2016-3272 and CVE-2016-3287 respectively).
Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as your user account. Your best protection against these threats is to patch your systems as quickly as possible. Administrators, be sure to review this month's bulletins and, in accordance with your specific configuration, prioritize your deployment of this month's updates. At a minimum, be sure to patch systems affected by critical bulletins (MS16-084, MS16-085, MS16-086, MS16-087, MS16-088 and MS16-093).
- CVE-2016-3204 (MS16-084, MS16-086)
- CVE-2016-3240 (MS16-084)
- CVE-2016-3241 (MS16-084)
- CVE-2016-3242 (MS16-084)
- CVE-2016-3243 (MS16-084)
- CVE-2016-3245 (MS16-084)
- CVE-2016-3248 (MS16-084, MS16-085)
- CVE-2016-3259 (MS16-084, MS16-085)
- CVE-2016-3260 (MS16-084, MS16-085)
- CVE-2016-3261 (MS16-084)
- CVE-2016-3264 (MS16-084, MS16-085)
- CVE-2016-3273 (MS16-084, MS16-085)
- CVE-2016-3274 (MS16-084, MS16-085)
- CVE-2016-3276 (MS16-084, MS16-085)
- CVE-2016-3277 (MS16-084, MS16-085)
- CVE-2016-3244 (MS16-085)
- CVE-2016-3246 (MS16-085)
- CVE-2016-3265 (MS16-085)
- CVE-2016-3269 (MS16-085)
- CVE-2016-3271 (MS16-085)
- CVE-2016-3238 (MS16-087)
- CVE-2016-3239 (MS16-087)
- CVE-2016-3278 (MS16-088)
- CVE-2016-3279 (MS16-088)
- CVE-2016-3280 (MS16-088)
- CVE-2016-3281 (MS16-088)
- CVE-2016-3282 (MS16-088)
- CVE-2016-3283 (MS16-088)
- CVE-2016-3284 (MS16-088)
- CVE-2016-3256 (MS16-089)
- CVE-2016-3249 (MS16-090)
- CVE-2016-3250 (MS16-090)
- CVE-2016-3251 (MS16-090)
- CVE-2016-3252 (MS16-090)
- CVE-2016-3254 (MS16-090)
- CVE-2016-3286 (MS16-090)
- CVE-2016-3255 (MS16-091)
- CVE-2016-3258 (MS16-092)
- CVE-2016-3272 (MS16-092)
- APSB16-25 (MS16-093)
- CVE-2016-3287 (MS16-094)