Today’s VERT Alert addresses 13 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-660 on Wednesday, March 9th.
Ease of Use (published exploits) to Risk Table

Automated Exploit | Easy | Moderate | Difficult | Extremely Difficult | No Known Exploit
| | | | | MS16-035
| | | | | MS16-023 MS16-024 MS16-025 MS16-027 MS16-028 MS16-029 MS16-030
| | | | | MS16-026 MS16-031 MS16-032 MS16-033 MS16-034

Exposure (row categories): Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged
Bulletin | Title | KB
MS16-023 | Cumulative Security Update for Internet Explorer | KB3142015
MS16-024 | Cumulative Security Update for Microsoft Edge | KB2142019
MS16-025 | Security Update for Windows Library Loading to Address Remote Code Execution | KB2140709
MS16-026 | Security Update for Graphic Fonts to Address Remote Code Execution | KB3143148
MS16-027 | Security Update for Windows Media to Address Remote Code Execution | KB3143146
MS16-028 | Security Update for Microsoft Windows PDF Library to Address Remote Code Execution | KB3143081
MS16-029 | Security Update for Microsoft Office to Address Remote Code Execution | KB3141806
MS16-030 | Security Update for Windows OLE to Address Remote Code Execution | KB3143136
MS16-031 | Security Update for Microsoft Windows to Address Elevation of Privilege | KB3140410
MS16-032 | Security Update for Secondary Logon to Address Elevation of Privilege | KB3143141
MS16-033 | Security Update for Windows USB Mass Storage Class Driver | KB3143142
MS16-034 | Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege | KB3143145
MS16-035 | Security Update for .NET Framework to Address Security Feature Bypass | KB3141780
MS16-023
As with most months, we start off this month with the regular Internet Explorer cumulative update. With a total of 13 vulnerabilities fixed, we can see, thanks to Microsoft’s vulnerability naming standard, that 5 of the CVEs apply to both Internet Explorer and Edge, while the other 8 are Internet Explorer specific. These bulletins serve as a good reminder that it’s important to practice the principle of least privilege: the risk to a system is greatly increased when the browser runs as an administrator instead of as a standard user.
MS16-024
The second bulletin this month is the cumulative update for Microsoft Edge that almost always accompanies the IE cumulative update. There are 6 Edge-specific vulnerabilities in addition to the 5 vulnerabilities shared with Internet Explorer, and none of them have been exploited or disclosed publicly, something common to all the bulletins this month.
MS16-025
The single vulnerability resolved by MS16-025 affects Windows Vista and Server 2008 and requires that a malicious application be executed on the target system. Windows Vista and Server 2008 are older platforms with fewer security hardening options than modern Windows operating systems, and users of these platforms should consider upgrading to a more modern operating system.
MS16-026
OpenType Fonts were a popular target in 2015 and it looks like they will continue to be targeted by researchers in 2016. While one of the two resolved vulnerabilities is a denial of service, the other vulnerability could be used in a Drive-By Download scenario.
MS16-027
Next up are two vulnerabilities that affect the parsing of media content in Windows. Much like MS16-026, these vulnerabilities could be used in a Drive-By Download by hosting the media files on a web server that the victim visits.
MS16-028
The next bulletin this month resolves two vulnerabilities affecting the PDF library that ships with modern versions of Windows. As always, refrain from opening files from unknown sources, as malicious PDF files are the likely vehicle for exploiting these vulnerabilities.
MS16-029
This month’s Microsoft Office bulletin contains fixes for two memory corruption vulnerabilities and an improperly signed binary. Successful exploitation of the security feature bypass, which involves replacing the improperly signed binary, requires that the attacker have write access to the binary’s location. Additionally, a defense-in-depth update has been published as part of this bulletin, and Microsoft has included details on editing the registry to disable OLE Package functionality in Outlook.
MS16-030
Given that MS16-029 adds the ability to disable OLE Package functionality in Outlook, it’s likely that this workaround was inspired by the vulnerabilities in MS16-030. These vulnerabilities allow code execution when OLE fails to properly validate user input.
MS16-031
Successful exploitation of the single CVE referenced in MS16-031, CVE-2016-0087, could allow an attacker to execute code as System on Windows Vista, Windows 7, Windows Server 2008 and Server 2008 R2.
MS16-032
Windows Secondary Logon, better known as RunAs, allows users to run specific commands with elevated privileges rather than logging into another account, for example Administrator, directly. This command is akin to sudo in the UNIX/Linux world. This update resolves a flaw in memory handling that could allow an attacker with access to a system to use the Secondary Logon service to elevate their privileges.
MS16-033
Rather than a specially crafted program or packet, MS16-033 requires the attacker to use a specially crafted USB device. This makes it one of the more interesting bulletins this month: the attacker must have physical access to the system, but could simply walk by and plug in a device. Businesses with kiosks and customer-facing systems with exposed USB ports should make resolving this vulnerability a priority.
MS16-034
A monthly regular, the penultimate update this month resolves four vulnerabilities affecting Win32k.sys. Successful exploitation of these vulnerabilities could lead to kernel-mode code execution.
MS16-035
The final update this month resolves a signature validation issue in .NET that could allow an attacker to modify the contents of XML files without invalidating the file’s signature. This is an important update for anyone who has .NET code that works with signed XML files.
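To show the check this bulletin concerns, here is an added example in C# (not code from the VERT alert or from Microsoft) that signs an XML document with an enveloped XML-DSig signature and then verifies it with SignedXml.CheckSignature, once on the untouched document and once after a value has been edited. The sample document, its element names, and the key handling are constructed for the example; it assumes the System.Security.Cryptography.Xml assembly (part of the .NET Framework, a NuGet package on .NET Core and later).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not from the VERT alert or Microsoft): sign an XML document with an
// enveloped XML-DSig signature, then show that verification rejects a modified copy.
class XmlSignatureDemo
{
    // Constructed sample document; the element names are hypothetical.
    const string SampleXml =
        "<order><item>widget</item><quantity>1</quantity></order>";

    static XmlDocument Load(string xml)
    {
        // PreserveWhitespace keeps the bytes that were signed identical on reload.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        return doc;
    }

    // Produce an enveloped signature over the whole document with the given RSA key.
    static XmlDocument Sign(string xml, RSA key)
    {
        var doc = Load(xml);
        var signedXml = new SignedXml(doc) { SigningKey = key };
        var reference = new Reference { Uri = "" }; // "" = the entire document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }

    // Verify the enveloped signature against a key the caller already trusts.
    // Passing the key explicitly means a <KeyInfo> embedded in the document is never
    // used to decide who signed it.
    static bool Verify(XmlDocument doc, RSA trustedPublicKey)
    {
        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false; // exactly one Signature element expected
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)nodes[0]);
        return signedXml.CheckSignature(trustedPublicKey);
    }

    static void Main()
    {
        using (var key = new RSACryptoServiceProvider(2048))
        {
            var signed = Sign(SampleXml, key);
            Console.WriteLine("untampered: " + Verify(signed, key));

            // Edit a signed value and verify again: the digest no longer matches.
            var tampered = Load(signed.OuterXml);
            tampered.SelectSingleNode("/order/quantity").InnerText = "1000";
            Console.WriteLine("tampered:   " + Verify(tampered, key));
        }
    }
}
```

Two details in Verify are the ones a practitioner should carry into real code: the expected public key is supplied by the caller rather than resolved from the signature's own metadata, and a document with anything other than exactly one Signature element is rejected before verification starts. Both keep the outcome dependent on the library's validation of the signed content rather than on data the document itself provides.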
Additional Details
Adobe has released APSB16-09 to address multiple vulnerabilities in Acrobat and Reader. Mozilla has released Firefox 45 to address a number of vulnerabilities in Firefox. As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.