Today’s VERT Alert addresses 17 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-670 on Wednesday, May 11th.
Ease of Use (published exploits) to Risk Table
Automated Exploit |
Easy | MS16-051 MS16-053 |
Moderate |
Difficult |
Extremely Difficult | MS16-065 |
No Known Exploit | MS16-066 MS16-066 | MS16-052 MS16-054 MS16-055 MS16-056 MS16-057 MS16-058 MS16-059 MS16-064 | MS16-060 MS16-061 MS16-062 |
Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |
MS16-051 | Cumulative Security Update for Internet Explorer | KB3155533 |
MS16-052 | Cumulative Security Update for Microsoft Edge | KB3155538 |
MS16-053 | Cumulative Security Update for JScript and VBScript | KB3156764 |
MS16-054 | Security Update for Microsoft Office | KB3155544 |
MS16-055 | Security Update for Microsoft Graphics Component | KB3156754 |
MS16-056 | Security Update for Windows Journal | KB3156761 |
MS16-057 | Security Update for Windows Shell | KB3156987 |
MS16-058 | Security Update for Windows IIS | KB3141083 |
MS16-059 | Security Update for Windows Media Center | KB3150220 |
MS16-060 | Security Update for Windows Kernel | KB3154846 |
MS16-061 | Security Update for Microsoft RPC | KB3155520 |
MS16-062 | Security Update for Kernel-Mode Drivers | KB3158222 |
MS16-063 | Security Update for Microsoft Exchange Server | KB3160339 |
MS16-064 | Security Update for Adobe Flash Player | KB3157993 |
MS16-065 | Security Update for .NET Framework | KB3156757 |
MS16-066 | Security Update for Virtual Secure Mode | KB3155451 |
MS16-067 | Security Update for Volume Manager Driver | KB3155784 |
MS16-051
This month starts like any other, with an Internet Explorer update. There’s nothing particularly noteworthy about this update. CVE-2016-0188 has been publicly disclosed. CVE-2016-0189 has been exploited.
MS16-052
The most interesting aspect of this month’s Microsoft Edge security bulletin is likely the name change that occurs with one of the CVEs contained in both MS16-051 and MS16-052. As we’ve pointed out previously, there are three typical naming conventions used by Microsoft in these browser bulletins: Microsoft Edge <vuln>, Internet Explorer <vuln>, or Microsoft Browser (when both are affected). CVE-2016-0192, found in both bulletins, was transcribed incorrectly under vulnerability information as ‘Microsoft Edge’; it does, however, affect both browsers.
MS16-053
MS16-053 resolves two vulnerabilities also referenced in MS16-051. Determining the update to install requires reviewing the details under the Update FAQ in MS16-053. Customers running IE 7 or without IE installed require this update. CVE-2016-0189 has been exploited.
MS16-054
Up next, we have the monthly Microsoft Office bulletin, which includes Word Automation Services for SharePoint Server 2010 and Office WebApps 2010. It’s important to note that for more versions of Office, there are two patches to apply to fully resolve the vulnerabilities discussed in this bulletin.
MS16-055
This bulletin resolves a number of vulnerabilities related to Windows GDI. There are two important points to note here. First, there are three patches that need to be applied for many operating systems in order to be fully secured. Second, there are web-based attack vectors for some of these vulnerabilities.
MS16-056
Up next, we have an update for Windows Journal. If you do not need Windows Journal, you should disable the feature on operating systems that permit it. Additionally, unless you are a frequent Windows Journal user, you should avoid files with the .jnt extension or, if possible, remove the file association.
MS16-057
A single vulnerability in Windows Shell is resolved with MS16-057. As with many updates this month, Microsoft describes a web-based attack scenario.
MS16-058
There’s definitely a moment of fear when you see a bulletin with IIS in the title. Thankfully, there is not a remote attack vector with this vulnerability; instead, we’re looking at a DLL loading issue that requires the attacker to plant a malicious library on the local system. This greatly reduces the impact this vulnerability should have within most organizations.
MS16-059
MS16-059 fixes a vulnerability in Windows Media Center that involves .mcl files. Much like the Windows Journal update above, the best advice in this situation (beyond patching, of course) is to remove the file association for .mcl files; most users will never need this file association.
MS16-060
A single vulnerability in the Windows Kernel is resolved with MS16-060. This is a privilege escalation vulnerability, which would require that the attacker already have access to the system.
MS16-061
Up next, we have a single vulnerability affecting the RPC Network Data Representation (NDR) Engine, the marshaling engine used in RPC and DCOM. Note that the same patch released to fix MS16-060 resolves this vulnerability.
MS16-062
The expected Kernel-Mode Drivers update this month is described by MS16-062. This is a staple monthly update at this point and nothing here should surprise administrators.
MS16-063
MS16-063 is the case of the disappearing bulletin. Microsoft briefly released the details and then pulled the bulletin, replacing it with two words: ‘Content Placeholder’. There’s no word yet on why the bulletin went missing or when it will reappear, but we can tell you that it resolved four vulnerabilities in Microsoft Exchange: one affecting OWA and three affecting Oracle Outside In, which had been mentioned in the Oracle January 2016 CPU.
MS16-064
Following the missing bulletin, we have the out-of-sync bulletins. MS16-064 is Microsoft’s Adobe Flash patch and it references APSB16-15, which, at this time, has not been released. Instead, Adobe has released APSA16-02, which references a CVE not included in MS16-064. It would appear that Adobe has withheld their bulletin to address an additional vulnerability (which has been seen in the wild). This means that when we see APSB16-15 later this week, it may resolve more vulnerabilities than MS16-064. It’ll be interesting to see if Microsoft re-releases MS16-064, issues an out-of-band for CVE-2016-4117, or waits until next month to bring the patches back in sync.
MS16-065
Up next, we have the .NET update, another monthly staple. The update is rather interesting as it fixes an SSL/TLS information disclosure best described by Microsoft in KB3155464:
The change introduced in Microsoft Security Bulletin MS16-065 causes the first TLS record after the handshake to be split. This causes the SslStream, WebRequest (HttpWebRequest, FtpWebRequest), SmtpClient, and HttpClient (where based on HttpWebRequest) streams to return a single byte for the first read, immediately followed by the rest (n-1) bytes in successive reads. This behavior change only occurs for applications that use TLS 1.0 + Cipher Block Chaining, but not when they use TLS 1.1 or TLS 1.2.
Microsoft also notes that you must install MS12-006 to enable this update. CVE-2016-0149 has been publicly disclosed.
MS16-066
The penultimate update this month addresses a vulnerability that allows attackers to bypass code integrity protections via kernel-mode pages incorrectly marked with read, write, and execute (RWX), even when Hypervisor Code Integrity (HVCI) is enabled.
MS16-067
The final update this month fixes an issue with mounting USB storage over Remote Desktop Protocol (RDP) via Microsoft RemoteFX. The mounted USB storage is not limited to the user that mounts it, allowing other users of the system to gain access to the contents of the USB storage device.
Additional Details
Adobe has released APSB16-14 to address vulnerabilities in Adobe Acrobat and Reader. Additionally, they’ve released APSA16-02, to announce the pending release of an update for Adobe Flash. As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.