Microsoft’s October 2016 patch rollup: 10 bulletins, 4 zero-days


Microsoft’s October 2016 security updates have launched its new “rollup” monthly routine with 10 bulletins, with five marked critical.

The critical parts of MS16-118 to MS16-127 are all remote code execution (RCE) flaws affecting the Edge and Internet Explorer browsers, the Windows GDI, Microsoft Office, and Windows video control. There’s also a fix for an RCE flaw in Adobe Flash player.

The five bulletins to pay attention to first:

MS16-118Cumulative Security Update for Internet Explorer

Internet Explorer RCE flaw that would allow an attacker control over a PC by getting the user to visit a web page. Especially serious for users logged in as administrators.

MS16-119 – Cumulative Security Update for Microsoft Edge

The same as above but for the Windows 10 Edge browser.

MS16-120Security Update for Microsoft Graphics Component

An RCE flaw affecting .NET Framework, Microsoft Office, Skype for Business, Silverlight, and Microsoft Lync.

MS16-121 Security Update for Microsoft Office

An RCE flaw that would give an attacker control over a PC by pushing a malicious RTF file.

MS16-122 Security Update for Microsoft Video Control  

A flaw in the video control that could give an attacker control over the PC if the target could be persuaded to open a program or file.

Those using Adobe Flash Player will also want to tee up the following:

MS16-127Security Update for Adobe Flash Player

Are there any zero-days?

Five flaws within these bulletins (identified with CVE numbers) were originally given the designation ‘0’ in Microsoft’s Exploitability Index which means the firm knows about the existence of an exploit against them.

This was later amended to four after one of vulnerabilities in MS16-119 was downgraded from ‘0’ to a ‘1’, meaning merely “exploitation more likely”.

Some commentators interpret the ‘0’ to mean that the flaw is a zero-day, the most serious category of exploit: one that is already being used for nefarious purposes, and thus for which there were zero days that you could have patched in advance.

Microsoft defines Exploitation Index 0 as:

This rating means Microsoft is aware of an instance of this vulnerability being exploited. As such, customers who have reviewed the security bulletin and determined its applicability within their environment could treat this with the highest priority.

But Microsoft also tags all of the Index 0 exploits as “publicly disclosed – no,” so it’s not entirely clear whether they exist as privately-disclosed proofs of concept, or were actually found in the wild in genuine attacks.

Does this make these “zero-day” flaws worth patching at the expense of the less serious-sounding patched?

We asked Sophos security evangelist and fellow Naked Security writer Paul Ducklin for his thoughts:

Try to avoid patching only if you know that the crooks are already onto the exploit, or only after you’re certain that a security researcher has already figured out how to ‘weaponize’ the vulnerability. Patch anyway. They’re called vulnerabilities, not just bugs, for a very good reason!

A rolling stone

October was also the first month Microsoft has issued a security patch “rollup” across all of its products. Until now, administrators could install patches piecemeal, which means you could be secure against the most recent attacks, but still be vulnerable against older ones.

From now, it’s all or nothing.

One advantage is that these rollups will over time allow simpler cumulative patching – anyone updating a PC will only have to apply the last roll-up instead of a sequence stretching back in time.