Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-652 on Wednesday, January 13th.
Ease of Use (published exploits) to Risk Table

Exposure            | Local Availability         | Local Access      | Remote Availability | Remote Access | Local Privileged | Remote Privileged
Automated Exploit   |                            |                   |                     |               |                  |
Easy                |                            |                   |                     |               |                  |
Moderate            |                            |                   |                     |               |                  |
Difficult           |                            |                   |                     |               |                  |
Extremely Difficult | MS16-001 MS16-005          | MS16-004 MS16-007 |                     |               |                  |
No Known Exploit    | MS16-002 MS16-003 MS16-006 | MS16-010          | MS16-008            |               |                  |
Bulletin | Title | KB
MS16-001 | Cumulative Security Update for Internet Explorer | KB3124903
MS16-002 | Cumulative Security Update for Microsoft Edge | KB3124904
MS16-003 | Cumulative Security Update for JScript and VBScript to Address Remote Code Execution | KB2135540
MS16-004 | Security Update for Microsoft Office to Address Remote Code Execution | KB2134585
MS16-005 | Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution | KB3124584
MS16-006 | Security Update for Silverlight to Address Remote Code Execution | KB3126036
MS16-007 | Security Update for Microsoft Windows to Address Remote Code Execution | KB3124901
MS16-008 | Security Update for Windows Kernel to Address Elevation of Privilege | KB3124605
MS16-010 | Security Update for Microsoft Exchange Server to Address Spoofing | KB3124557
MS16-001
Although it’s a new year, we don’t really have any new faces. The first Microsoft bulletin of 2016 is exactly what everyone expected: an update to Internet Explorer. There are a few interesting points worth making about this update. First, this is the last time that updates will be available for older versions of Internet Explorer; more details on the IE lifecycle can be found here. Speaking of older versions of Internet Explorer, while none of the listed CVEs apply to Internet Explorer 7, patches are available for it. Finally, there’s a special note, which applies to all bulletins that include Windows 10, stating that Windows 10 users running Citrix XenDesktop will not be offered today’s update because it may prevent users from logging on. This is an important note for enterprises running XenDesktop. CVE-2016-0005 has been publicly disclosed.
MS16-002
Since the first update of the year was for Internet Explorer, it only makes sense that the second update would be for Microsoft Edge. Once again, it’s important to note that the Windows 10 update will not be offered to hosts running Citrix XenDesktop.
MS16-003
Up next, we have the JScript and VBScript update. As always, Microsoft provides additional guidance on which updates apply to your system: this update shares a CVE with MS16-001, and the update you require depends on the version of Internet Explorer you are running.
MS16-004
The next update this month covers Microsoft Office, SharePoint Server, and the Microsoft Visual Basic 6.0 Runtime. CVE-2016-0035 and CVE-2015-6117 have both been publicly disclosed.
MS16-005
MS16-005 updates a pair of Windows kernel-mode drivers, specifically Win32k.sys and GDI32.dll. This is another bulletin that carries the note explained above under MS16-001: the Windows 10 update will not be offered to systems running Citrix XenDesktop. CVE-2016-0009 has been publicly disclosed.
MS16-006
A vulnerability in Microsoft Silverlight is addressed in MS16-006. It’s important to note that Silverlight should be considered obsolete unless you need it for a specific application. As VERT has suggested in the past, review your applications, and if you don’t require Silverlight, uninstall it rather than applying MS16-006.
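The review-then-uninstall advice above is easy to operationalise per host. The following PowerShell is an added example written for this alert (it is not VERT's or Microsoft's code): it inventories Silverlight through the standard MSI uninstall registry keys and, only when explicitly invoked, removes it with msiexec. The function names and the two registry paths are the assumptions; run it in an elevated session.

```powershell
# Added example (not from the VERT alert): inventory Silverlight on the local host and,
# only if asked, remove it so that MS16-006 no longer applies to this machine.

function Get-SilverlightInstall {
    # 64-bit Windows registers 32-bit Silverlight under WOW6432Node, so check both locations.
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Silverlight*' } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                DisplayName  = $_.DisplayName
                # Compare this against the version shipped with KB3126036 if you keep Silverlight.
                Version      = $_.DisplayVersion
                # For MSI installs the key name is the product code that msiexec /x expects.
                ProductCode  = $_.PSChildName
                UninstallCmd = $_.UninstallString
            }
        }
}

function Remove-Silverlight {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $installs = @(Get-SilverlightInstall)
    if ($installs.Count -eq 0) {
        Write-Output "Silverlight is not installed on $env:COMPUTERNAME; MS16-006 does not apply."
        return
    }

    foreach ($install in $installs) {
        # Only drive msiexec for entries whose key name is a real product code (a braced GUID).
        if ($install.ProductCode -notmatch '^\{[0-9A-F-]{36}\}$') {
            Write-Warning "Non-MSI entry '$($install.DisplayName)'; remove it with: $($install.UninstallCmd)"
            continue
        }
        # -WhatIf previews the msiexec command; -Confirm prompts before each removal.
        if ($PSCmdlet.ShouldProcess($install.DisplayName, "msiexec /x $($install.ProductCode)")) {
            $proc = Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/x $($install.ProductCode) /qn /norestart" `
                -Wait -PassThru
            # 0 = removed; 3010 = removed but a reboot is pending. Anything else needs a look.
            Write-Output "$($install.DisplayName): msiexec exit code $($proc.ExitCode)"
        }
    }
}

# Typical use: list first, remove only on hosts whose application review found no need for it.
Get-SilverlightInstall | Format-Table -AutoSize
# Remove-Silverlight -WhatIf    # preview the removal
# Remove-Silverlight -Confirm   # remove, prompting per install
```

Hosts that report nothing from Get-SilverlightInstall can be excluded from the MS16-006 rollout; hosts that keep Silverlight still need KB3126036.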
MS16-007
This update is a mixed bag, with multiple components rolled into the generic “Windows” title: DLL loading vulnerabilities, code execution in DirectShow, a MAPI DLL loading privilege escalation, and a security bypass vulnerability in RDP on Windows 10. First, the inclusion of Windows 10 means that the note regarding Citrix XenDesktop applies here as well. CVE-2016-0019 warrants additional commentary. This vulnerability, affecting RDP on Windows 10, could allow an attacker to log into accounts that don’t have a password set. CVE-2016-0016 and CVE-2016-0018 have both been publicly disclosed.
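Because CVE-2016-0019 is described in terms of password-less accounts reachable over RDP, the useful pre-patch check is whether a Windows 10 host actually has that combination. The PowerShell below is an added example written for this alert, not VERT's or Microsoft's code; it reads the standard Terminal Server and LSA policy registry values and lists enabled local accounts flagged as not requiring a password. The function name and the report layout are assumptions.

```powershell
# Added example (not from the VERT alert): report the conditions CVE-2016-0019 is described
# against (RDP enabled, local accounts without a password) so MS16-007 can be prioritised
# and the accounts tightened in the meantime.

function Get-RdpBlankPasswordExposure {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed on this host.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)

    # Policy "Accounts: Limit local account use of blank passwords to console logon only".
    # 1 (also the behaviour when the value is absent) keeps blank-password accounts off the network.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue
    $blankLimited = ($null -eq $lsa) -or ($lsa.LimitBlankPasswordUse -eq 1)

    # Enabled local accounts carrying the "password not required" flag. The flag does not prove
    # the password is empty, so treat these as candidates to verify, not confirmed findings.
    $candidates = @(
        Get-CimInstance -ClassName Win32_UserAccount `
            -Filter 'LocalAccount=TRUE AND Disabled=FALSE' |
            Where-Object { -not $_.PasswordRequired } |
            Select-Object -ExpandProperty Name
    )

    [pscustomobject]@{
        ComputerName                   = $env:COMPUTERNAME
        RdpEnabled                     = $rdpEnabled
        BlankPasswordsLimitedToConsole = $blankLimited
        PasswordNotRequiredAccounts    = $candidates
        # Worth attention when RDP is on and at least one candidate account exists.
        NeedsAttention                 = $rdpEnabled -and ($candidates.Count -gt 0)
    }
}

$report = Get-RdpBlankPasswordExposure
$report | Format-List

# Until MS16-007 is applied, give each candidate account a password or disable it.
foreach ($name in $report.PasswordNotRequiredAccounts) {
    Write-Output "Review local account '$name': set a password or run Disable-LocalUser -Name '$name'."
}
```

Run it across the Windows 10 estate (for example via Invoke-Command) and patch the hosts that report NeedsAttention first; the XenDesktop hosts that will not be offered the update are exactly the ones where the account clean-up matters most.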
MS16-008
The penultimate update this month (MS16-009 has been withheld) resolves two privilege escalation vulnerabilities in Windows Mount Point. As with many other bulletins this month, this bulletin carries the note that users with Citrix XenDesktop will not be offered the Windows 10 update.
MS16-010
The final bulletin this month contains four Microsoft Exchange spoofing vulnerabilities. The descriptions of these vulnerabilities read more like cross-site scripting issues exploitable via OWA than spoofing.
Additional Details
Adobe has released APSB16-02 to address multiple vulnerabilities in Adobe Acrobat and Reader. As always, VERT recommends that you apply all patches as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.