Today’s VERT Alert addresses 13 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-666 on Wednesday, April 13th.
Ease of Use (published exploits) to Risk Table

Exposure categories (the table's columns): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged. Rows group the bulletins by the ease of use of published exploits; bulletins that sat in different exposure columns of the same row are separated by semicolons.

Automated Exploit: none
Easy: MS16-050; MS16-039
Moderate: none
Difficult: none
Extremely Difficult: MS16-037; MS16-046
No Known Exploit: MS16-048; MS16-038, MS16-040, MS16-042, MS16-044, MS16-045, MS16-047; MS16-049; MS16-041
Bulletin | Title | KB
MS16-037 | Cumulative Security Update for Internet Explorer | KB3148541
MS16-038 | Cumulative Security Update for Microsoft Edge | KB3148531
MS16-039 | Security Update for Microsoft Graphics Component | KB3148522
MS16-040 | Security Update for Microsoft XML Core Services | KB3148541
MS16-041 | Security Update for .NET Framework | KB3148789
MS16-042 | Security Update for Microsoft Office | KB3148775
MS16-044 | Security Update for Windows OLE | KB3146706
MS16-045 | Security Update for Windows Hyper-V | KB3143118
MS16-046 | Security Update for Secondary Logon | KB3148538
MS16-047 | Security Update for SAM and LSAD Remote Protocols | KB3148527
MS16-048 | Security Update for CSRSS | KB3148528
MS16-049 | Security Update for HTTP.sys | KB3148795
MS16-050 | Security Update for Adobe Flash Player | KB3151231
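A quick way to confirm that the updates in the table above actually landed on a host is to compare the KB numbers against what Windows reports as installed. This is an added example, not part of the VERT alert; it assumes an elevated PowerShell session on the host being checked and uses the bulletin-to-KB mapping exactly as listed above.

```powershell
# Added example (not from the VERT alert): check which of the April 2016
# bulletin KBs from the table above are present on this Windows host.
# Assumption: run elevated on the host you want to verify.
$Bulletins = @{
    'MS16-037' = 'KB3148541'; 'MS16-038' = 'KB3148531'
    'MS16-039' = 'KB3148522'; 'MS16-040' = 'KB3148541'
    'MS16-041' = 'KB3148789'; 'MS16-042' = 'KB3148775'
    'MS16-044' = 'KB3146706'; 'MS16-045' = 'KB3143118'
    'MS16-046' = 'KB3148538'; 'MS16-047' = 'KB3148527'
    'MS16-048' = 'KB3148528'; 'MS16-049' = 'KB3148795'
    'MS16-050' = 'KB3151231'
}

# Get-HotFix (Win32_QuickFixEngineering) lists OS-level updates only.
# Office, .NET and Flash Player packages (MS16-042, MS16-041, MS16-050) and
# the per-product updates under MS16-039 may not show up here, so treat a
# "missing" result for those as "verify by another method", not as absent.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$report = foreach ($bulletin in ($Bulletins.Keys | Sort-Object)) {
    $kb = $Bulletins[$bulletin]
    [pscustomobject]@{
        Bulletin  = $bulletin
        KB        = $kb
        Installed = [bool]($installed -contains $kb)
    }
}

$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} bulletin KB(s) not found via Get-HotFix: {1}" -f
        $missing.Count, (($missing | ForEach-Object { $_.Bulletin }) -join ', '))
}
```

KBs that do not apply to the host (for example KB3143118 when the Hyper-V role is not installed) will also be reported as not found, so read the warning alongside the installed roles and products.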
MS16-037
The April 2016 patch drop starts off with an update for Internet Explorer, which resolves a number of typical IE vulnerabilities. This list includes CVE-2016-0160, an input validation issue in how IE loads DLL files, which has been publicly disclosed.
MS16-038
The second bulletin this month fixes a number of vulnerabilities in Microsoft Edge. In previous months, we’ve seen quite a bit of overlap between the monthly IE and Edge bulletins; this month, however, there’s only one common CVE, and the remaining CVEs are unique to their individual bulletins.
MS16-039
This month’s most critical bulletin could be considered a mega-bulletin, as it covers Windows, .NET Framework, Skype for Business, Lync, and Office. The takeaway from this bulletin is that you should patch as soon as possible, as two of the vulnerabilities are being actively exploited. Given the number of products involved, it’s important with this bulletin to ensure that all updates are applied appropriately. In the case of a bulletin like this, there isn’t a single update to solve all of the issues, and multiple updates may need to be applied based on the applications installed on the system.
MS16-040
This bulletin provides a web-based attack vector similar to MS16-037 and MS16-038. In this case, the attacker must present malicious code that invokes the MSXML parser and the user must browse to the malicious website. It’s important to remember that even versions of Windows that don’t ship with a specific version of MSXML may still have it installed.
MS16-041
A single publicly disclosed code execution vulnerability in the .NET Framework is resolved by MS16-041. The affected software list appears rather small at first glance but Microsoft has included a reminder that support for older versions of the .NET Framework ended back in January.
MS16-042
The next bulletin this month resolves a number of Microsoft Office vulnerabilities across a number of products. There are updates available for Office and Word, along with all supported editions of Excel. SharePoint and Office Web Apps are also included in the affected list. One important reminder here is that Word Viewer and Excel Viewer are included. Updates for these products can be overlooked in enterprise patching strategies but they often exist on a number of systems.
MS16-044
MS16-044 resolves a pair of vulnerabilities affecting Microsoft OLE, which was also updated last month.
MS16-045
Up next, we have MS16-045, which resolves a guest OS escape in Windows Hyper-V. An attacker would require credentials for the guest OS and could then execute code on the Hyper-V host OS. These vulnerabilities generally present increased risk in shared hosting environments where multiple customers access guests on the same host.
MS16-046
MS16-046 is a Windows 10-specific vulnerability, the first of two this month, which affects the Secondary Logon (aka RunAs) service. This would allow a logged-in user to escalate their privileges.
MS16-047
Up next, we have Badlock, the bug that everyone waited for this month after a pre-disclosure announcement three weeks ago. The vulnerability earned an Important rating from Microsoft and has spurred quite a bit of conversation on social media. The vulnerability is a man-in-the-middle attack against the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols. An attacker with access to the connection between the client and server could downgrade the authentication level and impersonate the user.
MS16-048
The next vulnerability this month is a security feature bypass in the Client-Server Run-time Subsystem (CSRSS) caused by a failure to properly manage process tokens in memory. This vulnerability could allow a logged-in user to execute code as an administrator.
MS16-049
The penultimate update this month is the second Windows 10-only bulletin, and this one affects HTTP.sys and, more specifically, the HTTP 2.0 implementation in Windows 10. A malicious request sent to a server using the HTTP.sys implementation of HTTP 2.0 could cause a denial of service that would result in the system becoming unresponsive. This appears to be the first reported HTTP 2.0 protocol vulnerability affecting Microsoft products.
MS16-050
The final update this month references the Flash Player updates for Flash embedded in Microsoft products. The CVEs referenced in this bulletin are the same CVEs referenced in APSB16-10 below.
Additional Details
Adobe has released APSB16-10 to address multiple vulnerabilities in Flash Player.
As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.