
Today’s VERT Alert addresses 13 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-666 on Wednesday, April 13th.

Ease of Use (published exploits) to Risk Table

Automated Exploit: none
Easy: MS16-050, MS16-039
Moderate: none
Difficult: none
Extremely Difficult: MS16-037, MS16-046
No Known Exploit: MS16-048, MS16-038, MS16-040, MS16-042, MS16-044, MS16-045, MS16-047, MS16-049, MS16-041

Exposure categories used in the table: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged
MS16-037 Cumulative Security Update for Internet Explorer KB3148541
MS16-038 Cumulative Security Update for Microsoft Edge KB3148531
MS16-039 Security Update for Microsoft Graphics Component KB3148522
MS16-040 Security Update for Microsoft XML Core Services KB3148541
MS16-041 Security Update for .NET Framework KB3148789
MS16-042 Security Update for Microsoft Office KB3148775
MS16-044 Security Update for Windows OLE KB3146706
MS16-045 Security Update for Windows Hyper-V KB3143118
MS16-046 Security Update for Secondary Logon KB3148538
MS16-047 Security Update for SAM and LSAD Remote Protocols KB3148527
MS16-048 Security Update for CSRSS KB3148528
MS16-049 Security Update for HTTP.sys KB3148795
MS16-050 Security Update for Adobe Flash Player KB3151231


MS16-037

The April 2016 patch drop starts off with an update for Internet Explorer, which resolves a number of typical IE vulnerabilities. The list includes CVE-2016-0160, a publicly disclosed input validation issue in how IE loads DLL files.

MS16-038

The second bulletin this month fixes a number of vulnerabilities in Microsoft Edge. In previous months we've seen quite a bit of overlap between the monthly IE and Edge bulletins; this month, however, only one CVE is shared, and the remaining CVEs are unique to their respective bulletins.

MS16-039

This month's most critical bulletin could be considered a mega-bulletin, as it covers Windows, .NET Framework, Skype for Business, Lync, and Office. The takeaway is that you should patch as soon as possible, since two of the vulnerabilities are being actively exploited. Given the number of products involved, it is important to ensure that every update belonging to this bulletin is applied: there is no single update that resolves all of the issues, and several updates may be needed depending on the applications installed on each system.
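Because a bulletin like MS16-039 ships as several packages, a host can be partly patched while a simple "is KB3148522 installed?" check says nothing useful. The script below is an added example, not part of the VERT alert, that asks the Windows Update Agent (WUA) COM API which updates it knows about and maps each one back to the April bulletin IDs through the standard IUpdate.SecurityBulletinIDs, KBArticleIDs and MsrcSeverity properties, so each package of a multi-package bulletin is reported on its own line. It assumes the host can reach Windows Update or WSUS, or that you supply a wsusscn2.cab (downloadable from Microsoft) via the -OfflineCab parameter for an offline scan; the parameter name and the bulletin list are this example's own.

```powershell
# Added example, not part of the VERT alert: map WUA's view of this host back to
# the April 2016 bulletin IDs so partially applied bulletins are visible.
# Assumptions: Windows Update/WSUS is reachable, or -OfflineCab points at a
# wsusscn2.cab obtained from Microsoft (path and parameter name are assumed).
param(
    [string]$OfflineCab = ''          # e.g. 'C:\temp\wsusscn2.cab'
)

# Bulletin IDs taken from this alert's table (MS16-043 was not released this month).
$AprilBulletins = 'MS16-037','MS16-038','MS16-039','MS16-040','MS16-041',
                  'MS16-042','MS16-044','MS16-045','MS16-046','MS16-047',
                  'MS16-048','MS16-049','MS16-050'

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

if ($OfflineCab) {
    # Register the scan cab as an update service and point the searcher at it
    # (ServerSelection 3 = ssOthers, i.e. the service just registered).
    $mgr     = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $service = $mgr.AddScanPackageService('Offline Sync Service', $OfflineCab, 1)
    $searcher.ServerSelection = 3
    $searcher.ServiceID       = $service.ServiceID
}

# Two searches: software updates still missing, and those already installed.
$updates = @()
foreach ($criteria in "IsInstalled=0 and Type='Software'",
                      "IsInstalled=1 and Type='Software'") {
    foreach ($u in $searcher.Search($criteria).Updates) { $updates += $u }
}

$rows = foreach ($u in $updates) {
    foreach ($bulletin in $u.SecurityBulletinIDs) {
        if ($AprilBulletins -contains $bulletin) {
            $kbs = @()
            foreach ($kb in $u.KBArticleIDs) { $kbs += "KB$kb" }
            [pscustomobject]@{
                Bulletin  = $bulletin
                KB        = ($kbs -join ',')
                Severity  = $u.MsrcSeverity
                Installed = $u.IsInstalled
                Title     = $u.Title
            }
        }
    }
}

# One line per package: a bulletin with any Installed=False row is not finished.
$rows | Sort-Object Bulletin, Installed | Format-Table -AutoSize

# Bulletins WUA offered nothing for: usually the product is not installed, but a
# stale catalogue gives the same result, so verify rather than assume.
$seen = @($rows | Select-Object -ExpandProperty Bulletin -Unique)
foreach ($bulletin in $AprilBulletins) {
    if ($seen -notcontains $bulletin) {
        Write-Warning "No applicable update found for $bulletin on this host"
    }
}
```

Run it as an administrator; the offline-cab path is the right choice for isolated systems, and the warnings at the end are the rows to chase by hand rather than a clean bill of health.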

MS16-040

This bulletin provides a web-based attack vector similar to MS16-037 and MS16-038. In this case, the attacker must host malicious content that invokes the MSXML parser, and the user must browse to the malicious website. It is important to remember that versions of Windows that don't ship with a specific version of MSXML may still have it installed, so check for every supported MSXML version rather than only the one bundled with the operating system.

MS16-041

A single publicly disclosed code execution vulnerability in the .NET Framework is resolved by MS16-041. The affected software list appears rather small at first glance, but Microsoft has included a reminder that support for older versions of the .NET Framework ended back in January, so systems still running those versions receive no fix.

MS16-042

The next bulletin this month resolves a number of Microsoft Office vulnerabilities across several products. There are updates available for Office and Word, along with all supported editions of Excel. SharePoint and Office Web Apps are also included in the affected list. One important reminder here is that Word Viewer and Excel Viewer are included. Updates for these products are easily overlooked in enterprise patching strategies, yet the viewers are often present on a significant number of systems.
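The viewers are overlooked mostly because nobody knows where they are. The function below is an added example, not part of the VERT alert, that inventories Word Viewer and Excel Viewer installs from the Uninstall registry keys (including the WOW6432Node view for 32-bit products on 64-bit Windows) and can be pushed over WinRM to a list of hosts. It assumes the viewers register an Uninstall entry whose DisplayName contains "Word Viewer" or "Excel Viewer"; the function name, the hostnames.txt file and the output CSV are this example's own.

```powershell
# Added example, not part of the VERT alert: find Word Viewer / Excel Viewer
# installs that are in scope for MS16-042 but missed by reporting keyed on
# full Office installs. Assumption: each viewer has an Uninstall entry whose
# DisplayName matches $Pattern (adjust the pattern if your builds differ).
function Get-OfficeViewerInstall {
    param([string]$Pattern = 'Word Viewer|Excel Viewer')

    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        # 32-bit products on 64-bit Windows register under WOW6432Node
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    foreach ($hive in $hives) {
        Get-ItemProperty -Path $hive -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match $Pattern } |
            Select-Object @{ n = 'Computer';     e = { $env:COMPUTERNAME } },
                          DisplayName, DisplayVersion, InstallDate,
                          @{ n = 'UninstallKey'; e = { $_.PSChildName } }
    }
}

# Local check.
Get-OfficeViewerInstall | Format-Table -AutoSize

# Fleet-wide check over PowerShell remoting (assumes WinRM is enabled and a
# hostnames.txt with one host per line; both are assumptions of this example).
# $targets = Get-Content .\hostnames.txt
# Invoke-Command -ComputerName $targets -ScriptBlock ${function:Get-OfficeViewerInstall} |
#     Export-Csv .\office-viewers.csv -NoTypeInformation
```

The resulting list is the set of machines whose MS16-042 coverage has to be confirmed separately from the main Office update, since the viewer packages are distinct products with their own updates.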

MS16-044

MS16-044 resolves a pair of vulnerabilities affecting Microsoft OLE, which was also updated last month.

MS16-045

Up next, we have MS16-045, which resolves a guest OS escape in Windows Hyper-V. An attacker with credentials for a guest OS could execute code on the Hyper-V host. Vulnerabilities of this kind present increased risk in shared hosting environments, where multiple customers run guests on the same host and a single compromised tenant can reach the others through the hypervisor.

MS16-046

MS16-046 is the first of two Windows 10 specific bulletins this month and affects the Secondary Logon (aka RunAs) service. It would allow a logged-in user to escalate their privileges.

MS16-047

Up next, we have Badlock, the bug everyone waited for this month after a pre-disclosure announcement three weeks ago. The vulnerability earned an Important rating from Microsoft and has spurred quite a bit of conversation on social media. It is a man-in-the-middle attack against the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols: an attacker with access to the connection between the client and server could downgrade the authentication level and impersonate the user.

MS16-048

The next vulnerability this month is a security feature bypass in the Client-Server Run-time Subsystem (CSRSS), caused by a failure to properly manage process tokens in memory. It could allow a logged-in user to execute code as an administrator.

MS16-049

The penultimate update this month is the second Windows 10 only bulletin, and this one affects HTTP.sys, more specifically the HTTP 2.0 implementation in Windows 10. A malicious request sent to a server using the HTTP.sys implementation of HTTP 2.0 could cause a denial of service that leaves the system unresponsive. This appears to be the first reported HTTP 2.0 protocol vulnerability affecting Microsoft products.
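Whether a Windows 10 host is actually reachable through this bug depends on two things the bulletin text leaves to the reader: the HTTP kernel driver must be running, and some process must have registered a URL prefix with it. The function below is an added example, not part of the VERT alert, that collects both facts plus the OS version and the HTTP/2 registry switches, and flags hosts where KB3148795 should go first. It assumes that `netsh http show servicestate` lists registered prefixes as lines starting with http:// or https://, and that the EnableHttp2Tls and EnableHttp2Cleartext DWORDs under the HTTP service's Parameters key are the values Microsoft documents for disabling HTTP/2 in HTTP.sys (absent by default, meaning enabled); the function name is this example's own.

```powershell
# Added example, not part of the VERT alert: triage a host for MS16-049 exposure.
# HTTP.sys can only receive the malicious HTTP/2 request if the HTTP kernel
# driver is running and a process has registered a URL prefix with it.
# Assumptions: netsh prints registered prefixes as lines beginning with
# http:// or https://; EnableHttp2Tls / EnableHttp2Cleartext are the documented
# HTTP.sys switches for HTTP/2 and are absent (enabled) by default.
function Get-HttpSysExposure {
    $os = [Environment]::OSVersion.Version

    # HTTP is a kernel driver, so it does not appear in Get-Service; use WMI/CIM.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='HTTP'" `
                           -ErrorAction SilentlyContinue

    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' `
                               -ErrorAction SilentlyContinue

    # Registered URL prefixes, e.g. "    http://+:80/" or "    https://+:443/".
    $prefixes = @()
    foreach ($line in (netsh http show servicestate view=requestq 2>$null)) {
        if ($line -match '^\s*(https?://\S+)') { $prefixes += $matches[1] }
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Windows10OrLater   = ($os.Major -ge 10)        # MS16-049 is Windows 10 only
        HttpDriverState    = if ($drv) { $drv.State } else { 'NotPresent' }
        Http2Tls           = if ($null -ne $params.EnableHttp2Tls)       { $params.EnableHttp2Tls }       else { 'default (enabled)' }
        Http2Cleartext     = if ($null -ne $params.EnableHttp2Cleartext) { $params.EnableHttp2Cleartext } else { 'default (enabled)' }
        RegisteredPrefixes = $prefixes
    }
}

$exposure = Get-HttpSysExposure
$exposure | Format-List

if ($exposure.Windows10OrLater -and
    $exposure.HttpDriverState -eq 'Running' -and
    $exposure.RegisteredPrefixes.Count -gt 0) {
    Write-Warning 'HTTP.sys is accepting requests on this Windows 10 host; prioritise KB3148795.'
}
```

A host with no registered prefixes is not a reason to skip the update, only a reason to schedule it behind the ones that are listening; the prefixes list is also a quick way to see which product (IIS, WinRM, a third-party service) is the one actually exposed.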

MS16-050

The final update this month covers the Adobe Flash Player update for the Flash component embedded in Microsoft products. The CVEs referenced in this bulletin are the same as those in APSB16-10, noted below.

Additional Details

Adobe has released APSB16-10 to address multiple vulnerabilities in Flash Player.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.