
Today’s VERT Alert addresses 13 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-656 on Wednesday, February 10th.

 

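Ease of Use (published exploits) to Risk Table

| Ease of Use | Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Automated Exploit | | | | | | | |
| Easy | | | | | MS16-015 | | |
| Moderate | | | | | | | |
| Difficult | | | | | | | |
| Extremely Difficult | | | | | | MS16-014 | |
| No Known Exploit | | | MS16-009, MS16-011, MS16-013, MS16-016, MS16-022 | MS16-019, MS16-020, MS16-021 | | MS16-017, MS16-018 | |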

 

MS16-009 Cumulative Security Update for Internet Explorer KB3134220
MS16-011 Cumulative Security Update for Microsoft Edge KB3134225
MS16-012 Security Update for Microsoft Windows PDF Library KB3138938
MS16-013 Security Update for Windows Journal KB3134811
MS16-014 Security Update for Microsoft Windows KB3134228
MS16-015 Security Update for Microsoft Office KB3134226
MS16-016 Security Update for WebDAV KB3136041
MS16-017 Security Update for Remote Desktop Display Driver KB3134700
MS16-018 Security Update for Windows Kernel-Mode Drivers KB3136082
MS16-019 Security Update for .NET Framework KB3137893
MS16-020 Security Update for Active Directory Federation Services KB3134222
MS16-021 Security Update for NPS RADIUS Server KB3133043
MS16-022 Security Update for Adobe Flash Player KB3135782

 

MS16-009

Last month, we wondered what update had been pulled, expecting to find out this month when MS16-009 was revealed. However, Microsoft has chosen to repurpose this bulletin to bring us the February cumulative update for Internet Explorer, so we’ll never know which update was pulled from the January Patch Tuesday bulletin release. As far as Internet Explorer updates go, there’s nothing special in this month’s update.

 

MS16-011

Up next, as is the new norm, we have the new Edge bulletin. This bulletin and the one above continue to make it easy to distinguish vulnerabilities that affect both browsers from vulnerabilities that affect a single browser, based on the vulnerability name.

 

MS16-012

The first non-browser bulletin this month resolves two vulnerabilities in the Microsoft PDF library, a recent addition to newer Microsoft operating systems. This means that only Windows 8.1, Server 2012 / Server 2012 R2, and Windows 10 are affected.

 

MS16-013

Up next, we have a single vulnerability in the Windows Journal. As we’ve mentioned previously in these alerts, few users actually need the Windows Journal, so if you aren’t using it, you should go and remove all file associations currently associated with it (e.g. .jnt).
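
One way to audit and remove the Journal associations recommended above. This is an added example, not part of the original alert; the function names, the backup directory and the rule "an association belongs to Journal when its open command launches Journal.exe" are assumptions.

```powershell
# Added example (not from the original alert). Run from an elevated prompt.
# Assumption: an association belongs to Windows Journal when the ProgID's
# shell\open\command launches Journal.exe. Requires PowerShell 3.0 or later.
$ClassesRoot = 'Registry::HKEY_CLASSES_ROOT'

function Get-JournalAssociation {
    Get-ChildItem -Path $ClassesRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '.*' } |
        ForEach-Object {
            $progId = $_.GetValue('')      # default value of the .ext key is the ProgID
            if (-not $progId) { return }   # skip extensions with no ProgID
            $key = Get-Item -LiteralPath "$ClassesRoot\$progId\shell\open\command" -ErrorAction SilentlyContinue
            $cmd = if ($key) { $key.GetValue('') } else { $null }
            if ($cmd -match 'Journal\.exe') {
                [pscustomobject]@{ Extension = $_.PSChildName; ProgId = $progId; Command = $cmd }
            }
        }
}

function Remove-JournalAssociation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(ValueFromPipeline = $true)] $Association,
        [string] $BackupDir = "$env:SystemDrive\JournalAssocBackup"  # hypothetical path
    )
    process {
        if (-not $Association) { return }
        $ext = $Association.Extension
        if ($PSCmdlet.ShouldProcess($ext, 'Export backup and remove file association')) {
            New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
            # Keep a .reg export so the association can be restored later.
            $backup = Join-Path $BackupDir "$($ext.TrimStart('.')).reg"
            & reg.exe export "HKCR\$ext" $backup /y | Out-Null
            Remove-Item -LiteralPath "$ClassesRoot\$ext" -Recurse
        }
    }
}

# Review what would be removed first; drop -WhatIf to apply.
Get-JournalAssociation | Format-Table -AutoSize
Get-JournalAssociation | Remove-JournalAssociation -WhatIf
```

HKEY_CLASSES_ROOT is a merged view of the per-machine and per-user class keys, so re-run the audit afterwards to confirm that no association remains.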

 

MS16-014

The next bulletin is a mix of generic Windows vulnerabilities affecting every supported version of Windows. While there’s a privilege escalation issue and a few DLL related issues, the bottom of the bulletin contains an interesting item. Kerberos fails to detect a password change when a user signs in, which could allow for authentication bypass and the decrypting of drives that use BitLocker.

CVE-2016-0040 has been publicly disclosed.

 

MS16-015

This month’s Microsoft Office update contains fixes for a number of memory corruptions in Microsoft Word and Excel, including the services installed on SharePoint servers. It also resolves a cross-site scripting issue in SharePoint.

CVE-2016-0039 has been publicly disclosed.

 

MS16-016

Up next, we have a privilege escalation vulnerability affecting the WebDAV client. While all supported versions of Windows are affected, servers are only vulnerable if the Desktop Experience software has been installed.

 

MS16-017

MS16-017 describes a single vulnerability affecting Remote Desktop Protocol (RDP) that could allow a logged-in user to escalate their privileges.

 

MS16-018

This month’s Kernel-Mode Drivers update is fairly small compared to previous months. Only a single vulnerability in win32k.sys is listed this month.

 

MS16-019

This month’s .NET Framework update has fewer versions of .NET listed than previous months. For that reason, it’s worth reminding people that several versions of the .NET Framework are no longer supported, specifically: 4.0, 4.5, and 4.5.1. The fact that they are missing from this bulletin does not mean that they are not vulnerable, just that they are not patched. If you have one of these versions installed, you should uninstall it and upgrade to a supported version as soon as possible.
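
A check for the unsupported versions named above, as an added example that is not part of the original alert. It reads the `Release` value Microsoft documents for detecting installed .NET Framework 4.x versions; the function name and the sample inputs are constructed for illustration.

```powershell
# Added example (not from the original alert). Requires PowerShell 3.0 or later.
# Release thresholds follow Microsoft's documented values for detecting
# installed .NET Framework 4.5+ versions.
function Get-DotNet4Status {
    param([object] $Release, [string] $Version)

    # Minimum Release value for each 4.5+ version, highest first.
    $map = @(
        @{ Min = 394254; Name = '4.6.1' },
        @{ Min = 393295; Name = '4.6'   },
        @{ Min = 379893; Name = '4.5.2' },
        @{ Min = 378675; Name = '4.5.1' },
        @{ Min = 378389; Name = '4.5'   }
    )

    if ($null -eq $Release) {
        # .NET 4.0 predates the Release value; only Version (4.0.30319.x) exists.
        $name = '4.0'
    } else {
        $hit  = $map | Where-Object { [int]$Release -ge $_.Min } | Select-Object -First 1
        $name = if ($hit) { $hit.Name } else { "unknown (Release $Release)" }
    }

    $unsupported = @('4.0', '4.5', '4.5.1')   # versions the alert lists as unsupported
    [pscustomobject]@{
        Version     = $name
        Build       = $Version
        Release     = $Release
        Unsupported = $unsupported -contains $name
    }
}

# Constructed sample values (not taken from a real host).
Get-DotNet4Status -Release $null  -Version '4.0.30319'   # Unsupported = True
Get-DotNet4Status -Release 378675 -Version '4.5.50938'   # Unsupported = True
Get-DotNet4Status -Release 394271 -Version '4.6.01055'   # Unsupported = False

# Live check on the local machine.
$full = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$p = Get-ItemProperty -Path $full -ErrorAction SilentlyContinue
if ($p) { Get-DotNet4Status -Release $p.Release -Version $p.Version }
else    { 'No .NET Framework 4.x (Full) installation found.' }
```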

 

MS16-020

Up next, we have a denial of service vulnerability in Microsoft Active Directory Federation Services. MS ADFS is used to provide federation services across multiple platforms, commonly seen as single-sign-on. This specific denial of service is related to the input provided during forms-based authentication.

 

MS16-021

The penultimate update this month fixes a denial of service that requires a Network Policy Server to authenticate against a RADIUS server. A condition exists where an attacker could prevent RADIUS authentications from occurring on the NPS.

 

MS16-022

The final bulletin this month is a welcome change. It is the first time that Microsoft has issued a bulletin for vulnerabilities related to the version of Flash Player embedded in Internet Explorer and Edge. This change replaces a single security advisory (2755801), which has been updated nearly monthly since September 2012. It looks like this security advisory will stay at version 53 and the new bulletins will replace previous bulletins each month.


Additional Details

Adobe has released APSB16-04 to address multiple vulnerabilities in Flash Player (this duplicates the above-mentioned MS16-022).

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.