Today’s VERT Alert addresses 13 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-656 on Wednesday, February 10th.
Ease of Use (published exploits) to Risk Table
Ease of Use / Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |
Automated Exploit | | | | | | |
Easy | | | | MS16-015 | | |
Moderate | | | | | | |
Difficult | | | | | | |
Extremely Difficult | | | | | MS16-014 | |
No Known Exploit | | MS16-009, MS16-011, MS16-013, MS16-016, MS16-022 | MS16-019, MS16-020, MS16-021 | | MS16-017, MS16-018 | |
MS16-009 | Cumulative Security Update for Internet Explorer | KB3134220 |
MS16-011 | Cumulative Security Update for Microsoft Edge | KB3134225 |
MS16-012 | Security Update for Microsoft Windows PDF Library | KB3138938 |
MS16-013 | Security Update for Windows Journal | KB3134811 |
MS16-014 | Security Update for Microsoft Windows | KB3134228 |
MS16-015 | Security Update for Microsoft Office | KB3134226 |
MS16-016 | Security Update for WebDAV | KB3136041 |
MS16-017 | Security Update for Remote Desktop Display Driver | KB3134700 |
MS16-018 | Security Update for Windows Kernel-Mode Drivers | KB3136082 |
MS16-019 | Security Update for .NET Framework | KB3137893 |
MS16-020 | Security Update for Active Directory Federation Services | KB3134222 |
MS16-021 | Security Update for NPS RADIUS Server | KB3133043 |
MS16-022 | Security Update for Adobe Flash Player | KB3135782 |
MS16-009
Last month, we wondered what update had been pulled, expecting to find out this month when MS16-009 was revealed. However, Microsoft has chosen to repurpose this bulletin to bring us the February cumulative update for Internet Explorer, so we’ll never know which update was pulled from the January Patch Tuesday bulletin release. As far as Internet Explorer updates go, there’s nothing special in this month’s update.
MS16-011
Up next, as is the new norm, we have the new Edge bulletin. This bulletin and the one above continue to make it easy to distinguish, based on the vulnerability name, between vulnerabilities that affect both browsers and vulnerabilities that affect a single browser.
MS16-012
The first non-browser bulletin this month resolves two vulnerabilities in the Microsoft PDF library, a recent addition to newer Microsoft operating systems. This means that only Windows 8.1, Server 2012 / Server 2012 R2, and Windows 10 are affected.
MS16-013
Up next, we have a single vulnerability in the Windows Journal. As we’ve mentioned previously in these alerts, few users actually need the Windows Journal, so if you aren’t using it, you should go and remove all file associations currently associated with it (e.g. .jnt).
MS16-014
The next bulletin is a mix of generic Windows vulnerabilities affecting every supported version of Windows. While there’s a privilege escalation issue and a few DLL-related issues, the bottom of the bulletin contains an interesting item: Kerberos fails to detect a password change when a user signs in, which could allow for authentication bypass and the decrypting of drives that use BitLocker. CVE-2016-0040 has been publicly disclosed.
MS16-015
This month’s Microsoft Office update contains fixes for a number of memory corruptions in Microsoft Word and Excel, including the services installed on SharePoint servers. It also resolves a cross-site scripting issue in SharePoint. CVE-2016-0039 has been publicly disclosed.
MS16-016
Up next, we have a privilege escalation vulnerability affecting the WebDAV client. While all supported versions of Windows are affected, servers are only vulnerable if the Desktop Experience software has been installed.
MS16-017
MS16-017 describes a single vulnerability affecting Remote Desktop Protocol (RDP) that could allow a logged-in user to escalate their privileges.
MS16-018
This month’s Kernel-Mode Drivers update is fairly small compared to previous months. Only a single vulnerability in win32k.sys is listed this month.
MS16-019
This month’s .NET Framework update has fewer versions of .NET listed than previous months. For that reason, it’s worth reminding people that several versions of the .NET Framework are no longer supported, specifically: 4.0, 4.5, and 4.5.1. The fact that they are missing from this bulletin does not mean that they are not vulnerable, just that they are not patched. If you have one of these versions installed, you should uninstall it and upgrade to a supported version as soon as possible.
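The following check is an added example, not part of the original alert: it reads the .NET Framework 4.x registration on the local machine and flags the three versions named above as unsupported. The `Release` thresholds are the ones Microsoft documents for .NET version detection; the function name `Get-DotNet4Status` is hypothetical.

```powershell
# Added example: flag out-of-support .NET Framework 4.x installs (4.0, 4.5, 4.5.1).
# Reads HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full on the local host.

function Get-DotNet4Status {
    param(
        # True when the v4\Full key exists with Install = 1
        [bool]$Installed,
        # Release DWORD from the registry; $null when the value is absent
        [Nullable[int]]$Release
    )
    if (-not $Installed) { return 'not installed' }
    # 4.0 predates the Release value: key present but no Release means 4.0
    if ($null -eq $Release)   { return '4.0 (unsupported)' }
    # Compare with -ge, highest first, so later servicing builds still match
    if ($Release -ge 394254)  { return '4.6.1 or later' }
    if ($Release -ge 393295)  { return '4.6' }
    if ($Release -ge 379893)  { return '4.5.2' }
    if ($Release -ge 378675)  { return '4.5.1 (unsupported)' }
    if ($Release -ge 378389)  { return '4.5 (unsupported)' }
    return "unrecognized Release value $Release"
}

$key   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

$installed = ($null -ne $props) -and ($props.Install -eq 1)
$release   = if ($installed -and ($null -ne $props.Release)) { [int]$props.Release } else { $null }
$status    = Get-DotNet4Status -Installed $installed -Release $release

# Emit one object per host so results can be collected into an inventory
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Release      = $release
    Status       = $status
    NeedsUpgrade = $status -like '*(unsupported)*'
}

# Non-zero exit code lets a compliance job fail on unsupported versions
if ($status -like '*(unsupported)*') { exit 1 }
```

.NET Framework 4.x versions replace one another in place, so a single `Release` value describes the whole 4.x install on a machine.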
MS16-020
Up next, we have a denial of service vulnerability in Microsoft Active Directory Federation Services. MS ADFS is used to provide federation services across multiple platforms, commonly seen as single-sign-on. This specific denial of service is related to the input provided during forms-based authentication.
MS16-021
The penultimate update this month fixes a denial of service that requires that a Network Policy Server authenticate against a RADIUS server. A condition exists where an attacker could prevent RADIUS authentications from occurring on the NPS.
MS16-022
The final bulletin this month is a welcome change. It is the first time that Microsoft has issued a bulletin for vulnerabilities related to the version of Flash Player embedded in Internet Explorer and Edge. This change replaces a single security advisory (2755801), which has been updated nearly monthly since September 2012. It looks like this security advisory will stay at version 53 and the new bulletins will replace previous bulletins each month.
Additional Details
Adobe has released APSB16-04 to address multiple vulnerabilities in Flash Player (this duplicates the above-mentioned MS16-022). As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.