Security Bulletin Storm: Mayday! Mayday!

May’s Patch Tuesday report includes a patch for an old favorite.

Channel Partners

May 23, 2016

12 Min Read
Internet security

Robert BrownBy Robert Brown

Flashing red lights and calls for Mayday run in the minds of many IT pros as a perfect storm of release strikes. This month’s Patch Tuesday features a total of 16 security bulletins — eight Critical and eight Important releases designed to remediate 37 vulnerabilities. By examining the ID numbers, it would appear that there could have been 17 releases. It’s interesting to note that MS16-063 was omitted from the list. Perhaps it will be included in the next release.

This record number of security bulletins for the year kicks off with Internet Explorer and Edge cumulative updates. There also is a patch for Office 2007, for which official support ended back in 2013. It’s great news for businesses and users persevering with the older product. Please note that an upgrade to the support version should be taken seriously since these updates will not last forever.

The highest-priority vulnerabilities are MS16-051, MS16-058, MS16-061 and MS16-064. Surprisingly, Microsoft rates MS16-061 as Important. However, the CVSS shows a severity of 10, which is a rare high that should not be ignored.{ad}

This month’s non-security updates reflect Microsoft’s new dual-release strategy. There are a total of 29 updates covering Office 2007, 2010, 2013 and 2016. The release for Office 2007 serves the junk mail filter feature.

Are Updates Improving?

Updating devices each month with the latest releases from any vendor is paramount to keeping a company’s infrastructure safe and secure. A solid test, pilot and rollout strategy ensures proper deployment and helps single out problem patches.

Unfortunately, companies that lack a Systems Management Tool suffer the consequences when improperly installed updates cause significant harm to the devices that they are designed to protect. A high-quality Systems Management Tool is a wise investment for a company’s IT department. Without this vital safeguard, the company has little control of what is happening within its infrastructure.

Companies using automatic vendor updates to manage their infrastructures are, in most cases, using a proper procedure. More than 85 percent of all targeted attacks can be prevented by applying a security patch. According to a US-CERT article published in 2015, the majority of updates have been good. But in the last two years, at least six major releases caused issues, prompting emergency revisions by Microsoft.

Many companies will defend their practices of holding off on applying security updates until they …

{vpipagebreak}

… are pleased that all the releases are stable. They are confident of their strict security regimes and strong antivirus products. It’s important to note that nothing prevents hackers from gaining access to systems better than up-to-date software.

On the flip side, releasing updates can be equally as challenging for vendors. A patch update can be as simple as a registry key update or a modification to a line of code. Developers can never be fully certain that this alteration will not affect other products, particularly when diving into the in-house bespoke application world.

Developers compiling updates, particularly on zero days, are usually working against the clock to get them released. More often than not, the updates are released on an “acceptable risk” basis along with trust in the software provider.

Adobe Releases 6 Updates

These updates target two of Adobe’s flagship products: Acrobat DC and Acrobat XI, along with their respective reader-only versions. Vulnerability identifier APSB16-14 updates and the latest information can be tracked here.

MS16-051 – Critical Remote Code Execution security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploits these vulnerabilities could gain the same user rights as the current user.

MS16-052 – Critical Remote Code Execution vulnerability that could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.

MS16-053 – Critical Remote Code Execution security update resolves vulnerabilities in the JScript and VBScript scripting engines in Microsoft Windows. These vulnerabilities could allow remote code execution if a user visits a specially crafted website.

MS16-054 – Critical Remote Code Execution resolves four vulnerabilities in Microsoft Office. An attacker who exploits the vulnerabilities could run arbitrary code in the context of the current user.

MS16-055 – Critical Remote Code Execution is the most severe of the vulnerabilities which could allow remote code execution if a user opens a specially crafted document or visits a specially crafted website.

MS16-056 – Critical Remote Code Execution resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file.

MS16-057 – Critical Remote Code Execution vulnerability could allow remote code execution if an attacker successfully …

{vpipagebreak}

… convinces a user to browse to a specially crafted website that accepts user-provided online content, or convinces a user to open specially crafted content.

MS16-058 – Important Remote Code Execution vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application.

MS16-059 – Important Remote Code Execution vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code.

MS16-060 – Important Elevation of Privilege vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-061 – Important Elevation of Privilege vulnerability could allow elevation of privilege if an unauthenticated attacker makes malformed Remote Procedure Call (RPC) requests to an affected host.

MS16-062 – Important Elevation of Privilege is the most severe of the vulnerabilities which could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-064 – Critical Remote Code Execution security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1 and Windows 10.

MS16-065 – Important Information Disclosure vulnerability could cause information disclosure if an attacker injects unencrypted data into the target secure channel and then performs a man-in-the-middle (MITM) attack between the targeted client and a legitimate server.

MS16-066 – Important Security Feature Bypass security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker runs a specially crafted application to bypass code-integrity protections in Windows.

MS16-067 – Important Information Disclosure security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user.

The independent CVSS scores used in the table below range from 0 to 10. Vulnerabilities with a base score in the range of 7.0-10.0 are High, those in the range of 4.0-6.9 are Medium, and those in the range of 0-3.9 are Low.

UPDATES

MS16-051 Cumulative Security Update for Internet Explorer (3155533)
(Impact: Remote Code Execution; Restart Requirement: Requires restart; Severity: Critical; CVSS Score: 9.3)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploits the vulnerabilities could gain the same user rights as …

{vpipagebreak}

… the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.

MS16-052 Cumulative Security Update for Microsoft Edge (3155538)
(Impact: Remote Code Execution; Restart Requirement: Requires restart; Severity: Critical; CVSS Score: 9.3)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploits the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-053 Cumulative Security Update for JScript and VBScript (3156764)
(Impact: Remote Code Execution; Restart Requirement: May require restart; Severity: Critical; CVSS Score: 9.3)
This security update resolves vulnerabilities in the JScript and VBScript scripting engines in Microsoft Windows. The vulnerabilities could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploits these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploits these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.

MS16-054 Security Update for Microsoft Office (3155544)
(Impact: Remote Code Execution; Restart Requirement: May require restart; Severity: Critical; CVSS Score: 9.3)
This security update resolves vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploits the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-055 Security Update for Microsoft Graphics Component (3156754)
(Impact: Remote Code Execution; Restart Requirement: Requires restart; Severity: Critical; CVSS Score: 9.3)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a specially crafted website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS16-056 Security Update for Windows Journal (3156761)
(Impact: Remote Code Execution; Restart Requirement: May require restart; Severity: Critical; CVSS Score: 9.3)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow …

{vpipagebreak}

… remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS16-057 Security Update for Windows Shell (3156987)
(Impact: Remote Code Execution; Restart Requirement: Requires restart; Severity: Critical; CVSS Score: 9.3)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website that accepts user-provided online content, or convinces a user to open specially crafted content. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-058 Security Update for Windows IIS (3141083)
(Impact: Remote Code Execution; Restart Requirement: Requires restart; Severity: Important; CVSS Score: 9.3)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application. An attacker who successfully exploits this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-059 Security Update for Windows Media Center (3150220)
(Impact: Remote Code Execution; Restart Requirement: May require restart; Severity: Important; CVSS Score: 9.3)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploits this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-060 Security Update for Windows Kernel (3154846)
(Impact: Elevation of Privilege; Restart Requirement: May require restart; Severity: Important; CVSS Score: 7.2)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-061 Security Update for Microsoft RPC (3155520)
(Impact: Elevation of Privilege; Restart Requirement: May require restart; Severity: Important; CVSS Score: 10)
This security update resolves a vulnerability in …

{vpipagebreak}

… Microsoft Windows. The vulnerability could allow elevation of privilege if an unauthenticated attacker makes malformed Remote Procedure Call (RPC) requests to an affected host.

MS16-062 Security Update for Windows Kernel-Mode Drivers (3158222)
(Impact: Elevation of Privilege; Restart Requirement: May require restart; Severity: Important; CVSS Score: 7.2)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-064 Security Update for Adobe Flash Player (3157993)
(Impact: Remote Code Execution; Restart Requirement: Requires restart; Severity: Critical; CVSS Score: 9.3)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1 and Windows 10.

MS16-065 Security Update for .NET Framework (3156757)
(Impact: Information Disclosure; Restart Requirement: May require restart; Severity: Important; CVSS Score: 2.6)
This security update resolves a vulnerability in the Microsoft .NET Framework. The vulnerability could cause information disclosure if an attacker injects unencrypted data into the target secure channel and then performs a man-in-the-middle (MITM) attack between the targeted client and a legitimate server.

MS16-066 Security Update for Virtual Secure Mode (3155451)
(Impact: Security Feature Bypass; Restart Requirement: Requires restart; Severity: Important; CVSS Score: 2.1)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker runs a specially crafted application to bypass code-integrity protections in Windows.

MS16-067 Security Update for Volume Manager Driver (3155784)
(Impact: Information Disclosure; Restart Requirement: May require restart; Severity: Important; CVSS Score: 2.1)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user.

Robert Brown is the director of services at Verismic, a global leader in cloud IT management technology, green solutions and business network software systems. Operating out of the firm’s United Kingdom headquarters, Brown’s leadership of over 10 years with the brand has cemented its stature as one of the most dynamic and forward-thinking information technology companies in the industry.

Read more about:

Agents
Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like