To start off 2016 Patch Tuesdays, Microsoft released nine security bulletins, six of which are rated as critical and seven resolve remote code execution vulnerabilities.
While that many RCEs don’t set any records, Bobby Kuzma, CISSP, systems engineer at Core Security, said, “It still distresses me. Web browsers are not safe, and everyone should be using some kind of content filtering on their networks. It's like wearing a seat belt. Just do it.”
First up is MS16-001, the cumulative fix for flaws in Internet Explorer which an attacker could exploit to gain remote code execution and have the same rights as the user. The patch is meant to modify how VBScript handles objects in memory and to help ensure that cross-domain policies are properly enforced in Internet Explorer.
Microsoft said, from here on out, “Only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates.” This is the last patch for IE 8, IE 9 and IE 10.
MS16-002 again resolves multiple vulnerabilities that could allow RCE, but this time the cumulative security update is the monthly fix for Microsoft Edge.
MS16-003 provides a cumulative security update for JScript and VBScript; Microsoft noted that the vulnerability in VBScript could be exploited to allow remote code execution.
MS16-004 is to resolve six holes in Microsoft Office that could allow RCE. According to Microsoft, the vulnerabilities are addressed by “correcting how Microsoft Office handles objects in memory, by ensuring that Microsoft SharePoint correctly enforces ACP configuration settings, and by helping to ensure that Microsoft Office properly implements the [Address Space Layout Randomization] ASLR security feature.”
One of the memory corruption vulnerabilities, as well as one of the SharePoint security feature bypass bugs, has been publicly disclosed. Don’t delay deploying this patch, as one of the flaws, CVE-2016-0010, applies to Office 2007 through 2016 on Windows, RT and even Mac.
MS16-005 is where to start if you run Vista, Windows 7 or Server 2008, according to Qualys CTO Wolfgang Kandek; otherwise start with MS16-004. MS16-005 addresses vulnerabilities in Windows kernel-mode drivers, with the most severe allowing for RCE if a user visits a malicious website. While Microsoft said it is unaware of attacks attempting to exploit the Windows GDI32.dll ASLR security feature bypass, the Win32k RCE vulnerability has been publicly disclosed. On Windows 8 and 10, Microsoft rates the patch as either not applicable or important.
MS16-006 resolves a flaw in Silverlight that could allow for RCE if a user visits a compromised site that contains a maliciously crafted Silverlight app. Jon Rudolph, principal software engineer at Core Security, said, “As Silverlight has been steadily losing market share in the last year, this may be a question of evaluating your own needs, and restricting what you can.”
Although only rated as important by Microsoft, MS16-007 resolves vulnerabilities in Windows that allow for remote code execution. The security update corrects how Windows validates input before loading DLL files as well as corrects how DirectShow validates user input. Lastly, it enforces the default setting of not allowing remote logon for accounts without passwords.
MS16-008 is another fix for flaws in the Windows kernel, but this time they could allow elevation of privilege.
MS16-009 is missing from the list as Microsoft presumably decided to hold back the patch for some reason. Kandek suggested it was likely delayed due to further testing.
Don’t discount MS16-010, Microsoft’s latest fix for four vulnerabilities in Microsoft Exchange Server which could allow spoofing, as Kuzma said it’s the one he’s keeping his eye on. He added, “It’s only rated as important, but I know users and their [mis]behavior, and my spider senses are tingling from the possibilities.”
Rudolph added that bugs that relate to Exchange email spoofing make “for an especially juicy target for two big reasons, people can assume identities that aren't theirs and they can send you malicious payloads that you shouldn't be executing. If your business uses Exchange, read up on this one. As we ring in the new year and make our goals and resolutions, remember that attackers are making their own resolutions, so patch smarter, not harder.”
Lucky you: while you are at it, you might as well grab Adobe’s fix for Acrobat and Reader. Adobe also released an out-of-band emergency patch for Flash Player at the end of December, so if you haven’t deployed APSB16-01 then don’t delay, as one of the flaws is floating around and actively being exploited in the wild.