On February 2016 Patch Tuesday, Microsoft released 13 security bulletins, six of which are rated as critical for remote code execution. The rest deal with fixing elevation of privilege, denial of service, and security feature bypass vulnerabilities.
MS16-022 resolves 23 flaws in Adobe Flash Player by updating Flash libraries in Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. This patch is meant for all supported editions of Windows. It was ranked at the top of the list for patching, according to Qualys CTO Wolfgang Kandek, who called the patch a “packaging change” since “there is a real bulletin for it,” as opposed to a security advisory.
MS16-009 is the monthly cumulative security fix for Internet Explorer, patching 13 vulnerabilities including remote code execution. Microsoft intends not to patch any version older than IE 11, so if you use a legacy IE browser then it’s time to move on from that attack vector.
MS16-011 is to patch six vulnerabilities in Microsoft Edge; the most severe could allow RCE if a user browses a maliciously crafted webpage.
MS16-012 deals with bugs in Microsoft Windows PDF Library, the most severe of which could allow RCE. The security update is rated critical for all versions of Windows that come with PDF Reader: Windows 8.1, Windows 10, Windows Server 2012 and Server 2012 R2. Kandek noted that this is the first patch for Microsoft’s PDF Reader.
Core Security’s Bobby Kuzma said, “MS16-012 is probably the most interesting of the bunch, if only because it’s refreshing to see someone besides Adobe having a remote code vulnerability in PDF.”
MS16-013 patches an RCE vulnerability in Windows Journal. For an attacker to successfully exploit this memory corruption bug, a user would need to open a maliciously crafted Journal file such as via email.
MS16-015 closes holes in Microsoft Office. Therefore, it should be close to the top of your deployment list priority. Kandek ranked it as second most important as it resolves seven flaws in Word, Excel, and SharePoint.
Although not rated as critical, MS16-014 resolves RCE and other flaws in Windows; if an attacker were to exploit the most severe hole, then he or she could pull off remote code execution. The security update also addresses bugs that could allow elevation of privilege, denial of service, and security feature bypass.
Regarding MS16-014, Jon Rudolph, principal software engineer at Core Security, noted that although it is categorized as a remote code execution vulnerability, it “bears a lot of resemblance to an escalation of privilege vulnerability as it requires the user to login in order to load shared libraries before being authenticated.”
MS16-016 resolves a hole in Windows by correcting how WebDAV validates memory. Microsoft wrote, “The vulnerability could allow elevation of privilege if an attacker uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specifically crafted input to a server.”
MS16-017 patches Windows remote desktop display driver. The flaw could allow elevation of privilege if an attacker logs into the target system via RDP and sends maliciously crafted data. If you don’t have RDP enabled, then Microsoft says you are not at risk.
Kuzma added, “MS16-017 is interesting for its potential to expand footprints for attackers who already have a toehold in an environment, such as after a success phishing payload delivery. While systems that do not have RDP enabled are not vulnerable, let’s be honest…almost every server is going to have RDP enabled for at least network management purposes.”
MS16-018 addresses a vulnerability in Windows kernel-mode drivers that an attacker could exploit for elevation of privilege. MS16-018 worries Kuzma “a bit. It’s a local privilege escalation vulnerability, so it requires the user running a specially crafted program. What worries me here is that it’s got vulnerable systems all the way back to Windows Vista, so it’s HIGHLY likely that the venerable XP is also vulnerable.”
MS16-019 fixes vulnerabilities in Microsoft .NET Framework. The most severe flaw, according to Microsoft, “could cause denial of service if an attacker inserts specially crafted XSLT into a client-side XML web part, causing the server to recursively compile XSLT transforms.”
MS16-020 patches another denial of service vulnerability but in Active Directory Federation Services this time.
MS16-021 squashes a Windows bug that could “cause denial of service on a Network Policy Server if an attacker sends specially crafted username strings to the NPS, which could prevent RADIUS authentication on the NPS.”
“All in all, it's a normal month in terms of number of patches, but an attack vector of poisoned files is an active battleground right now, with issues being discovered and fixed on a constant basis,” summed up Core Security’s Rudolph.
If you use Java and haven’t done so, then you might grab Oracle’s newest version of Java 6, 7 or 8, as a security alert was issued yesterday for a vulnerability in the installer. Oracle wrote, “Though relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system.”