
Today’s VERT Alert addresses 17 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-670 on Wednesday, May 11th.

Ease of Use (published exploits) to Risk Table

Ease of use (rows) and the bulletins listed in each:

Automated Exploit: (none)
Easy: MS16-051, MS16-053
Moderate: (none)
Difficult: (none)
Extremely Difficult: MS16-065
No Known Exploit: MS16-066, MS16-066, MS16-052, MS16-054, MS16-055, MS16-056, MS16-057, MS16-058, MS16-059, MS16-064, MS16-060, MS16-061, MS16-062

Exposure (columns): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

MS16-051 Cumulative Security Update for Internet Explorer KB3155533
MS16-052 Cumulative Security Update for Microsoft Edge KB3155538
MS16-053 Cumulative Security Update for JScript and VBScript KB3156764
MS16-054 Security Update for Microsoft Office KB3155544
MS16-055 Security Update for Microsoft Graphics Component KB3156754
MS16-056 Security Update for Windows Journal KB3156761
MS16-057 Security Update for Windows Shell KB3156987
MS16-058 Security Update for Windows IIS KB3141083
MS16-059 Security Update for Windows Media Center KB3150220
MS16-060 Security Update for Windows Kernel KB3154846
MS16-061 Security Update for Microsoft RPC KB3155520
MS16-062 Security Update for Kernel-Mode Drivers KB3158222
MS16-063 Security Update for Microsoft Exchange Server KB3160339
MS16-064 Security Update for Adobe Flash Player KB3157993
MS16-065 Security Update for .NET Framework KB3156757
MS16-066 Security Update for Virtual Secure Mode KB3155451
MS16-067 Security Update for Volume Manager Driver KB3155784

MS16-051

This month starts like any other, with an Internet Explorer update. There’s nothing particularly noteworthy about this update.

CVE-2016-0188 has been publicly disclosed.

CVE-2016-0189 has been exploited.

MS16-052

The most interesting aspect of this month’s Microsoft Edge security bulletin is likely the name change that occurs with one of the CVEs contained in both MS16-051 and MS16-052. As we’ve pointed out previously, there are three typical naming conventions used by Microsoft in these browser bulletins: Microsoft Edge <vuln>, Internet Explorer <vuln>, or Microsoft Browser (when both are affected). CVE-2016-0192, found in both bulletins, was transcribed incorrectly under vulnerability information as ‘Microsoft Edge’; it does, however, affect both browsers.

MS16-053

MS16-053 resolves two vulnerabilities also referenced in MS16-051. Determining the update to install requires reviewing the details under the Update FAQ in MS16-053. Customers running IE 7 or without IE installed require this update.

CVE-2016-0189 has been exploited.

MS16-054

Up next, we have the monthly Microsoft Office bulletin, which includes Word Automation Services for SharePoint Server 2010 and Office WebApps 2010. It’s important to note that for more versions of Office, there are two patches to apply to fully resolve the vulnerabilities discussed in this bulletin.

MS16-055

This bulletin resolves a number of vulnerabilities related to Windows GDI. There are two important points to note here. First, there are three patches that need to be applied for many operating systems in order to be fully secured. Second, there are web-based attack vectors for some of these vulnerabilities.

MS16-056

Up next, we have an update for Windows Journal. If you do not need Windows Journal, you should disable the feature on operating systems that permit it. Additionally, unless you are a frequent Windows Journal user, you should avoid files with the .jnt extension or, if possible, remove the file association.

MS16-057

A single vulnerability in Windows Shell is resolved with MS16-057. As with many updates this month, Microsoft describes a web-based attack scenario.

MS16-058

There’s definitely a moment of fear when you see a bulletin with IIS in the title. Thankfully, there is not a remote attack vector with this vulnerability; instead, we’re looking at a DLL loading issue that requires the attacker to plant a malicious library on the local system. This greatly reduces the impact this vulnerability should have within most organizations.

MS16-059

MS16-059 fixes a vulnerability in Windows Media Center that involves .mcl files. Much like the Windows Journal update above, the best advice in this situation (beyond patching, of course) is to remove the file association for .mcl files; most users will never need this file association.

MS16-060

A single vulnerability in the Windows Kernel is resolved with MS16-060. This is a privilege escalation vulnerability, which would require that the attacker already have access to the system.

MS16-061

Up next, we have a single vulnerability affecting the RPC Network Data Representation (NDR) Engine, the marshaling engine used in RPC and DCOM. Note that the same patch released to fix MS16-060 resolves this vulnerability.

MS16-062

The expected Kernel-Mode Drivers update this month is described by MS16-062. This is a staple monthly update, and nothing here should surprise administrators at this point.

MS16-063

MS16-063 is the case of the disappearing bulletin. Microsoft briefly released the details and then pulled the bulletin, replacing it with two words: ‘Content Placeholder’. There’s no word yet on why the bulletin went missing or when it will reappear, but we can tell you that it resolved four vulnerabilities in Microsoft Exchange: one affecting OWA and three affecting Oracle Outside In, which had been mentioned in the Oracle January 2016 CPU.

MS16-064

Following the missing bulletin, we have the out-of-sync bulletins. MS16-064 is Microsoft’s Adobe Flash patch and it references APSB16-15, which, at this time, has not been released. Instead, Adobe has released APSA16-02, which references a CVE not included in MS16-064. It would appear that Adobe has withheld their bulletin to address an additional vulnerability (which has been seen in the wild). This means that when we see APSB16-15 later this week, it may resolve more vulnerabilities than MS16-064. It’ll be interesting to see if Microsoft re-releases MS16-064, issues an out-of-band for CVE-2016-4117, or waits until next month to bring the patches back in sync.

MS16-065

Up next, we have the .NET update, another monthly staple. The update is rather interesting as it fixes an SSL/TLS information disclosure best described by Microsoft in KB3155464:

The change introduced in Microsoft Security Bulletin MS16-065 causes the first TLS record after the handshake to be split. This causes the SslStream, WebRequest (HttpWebRequest, FtpWebRequest), SmtpClient, and HttpClient (where based on HttpWebRequest) streams to return a single byte for the first read, immediately followed by the rest (n-1) bytes in successive reads. This behavior change only occurs for applications that use TLS 1.0 + Cipher Block Chaining, but not when they use TLS 1.1 or TLS 1.2.

Microsoft also notes that you must install MS12-006 to enable this update.

CVE-2016-0149 has been publicly disclosed.
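
The first-read behaviour KB3155464 describes, as an added C# example that is not code from Microsoft or from the original post: a constructed stream (the hypothetical `SplitFirstRecordStream`) stands in for an SslStream on TLS 1.0 with CBC, and two hypothetical helpers contrast a single-read assumption with a read loop. The message length is assumed to be known from the application's own framing.

```csharp
using System;
using System.IO;
using System.Text;

// Constructed stand-in for an SslStream on TLS 1.0 + CBC after MS16-065:
// the first Read returns a single byte, later reads return the remainder.
sealed class SplitFirstRecordStream : MemoryStream
{
    private bool _first = true;
    public SplitFirstRecordStream(byte[] data) : base(data) { }

    public override int Read(byte[] buffer, int offset, int count)
    {
        if (_first) { _first = false; count = Math.Min(count, 1); }
        return base.Read(buffer, offset, count);
    }
}

static class Demo
{
    // Fragile: assumes one Read call returns the whole message, so the
    // result is truncated whenever the first read comes back short.
    static string ReadOnce(Stream s, int expected)
    {
        var buf = new byte[expected];
        int n = s.Read(buf, 0, buf.Length);
        return Encoding.ASCII.GetString(buf, 0, n);
    }

    // Robust: loops until the expected length arrives or the stream ends.
    static string ReadFully(Stream s, int expected)
    {
        var buf = new byte[expected];
        int total = 0;
        while (total < expected)
        {
            int n = s.Read(buf, total, expected - total);
            if (n == 0) throw new EndOfStreamException("peer closed early");
            total += n;
        }
        return Encoding.ASCII.GetString(buf, 0, total);
    }

    static void Main()
    {
        byte[] msg = Encoding.ASCII.GetBytes("HELLO-RESPONSE"); // constructed sample
        Console.WriteLine(ReadOnce(new SplitFirstRecordStream(msg), msg.Length));
        Console.WriteLine(ReadFully(new SplitFirstRecordStream(msg), msg.Length));
    }
}
```

Code that already loops on the return value of Read is unaffected by the change; code written like `ReadOnce` is what to look for when testing this update.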

MS16-066

The penultimate update this month addresses a flaw that allows attackers to bypass code integrity protections via kernel-mode pages incorrectly marked as read, write, and execute (RWX), even when Hypervisor Code Integrity (HVCI) is enabled.

MS16-067

The final update this month fixes an issue with mounting USB storage over Remote Desktop Protocol (RDP) via Microsoft RemoteFX. The mounted USB storage is not limited to the user that mounts it, allowing other users of the system to gain access to the contents of the USB storage device.

Additional Details

Adobe has released APSB16-14 to address vulnerabilities in Adobe Acrobat and Reader. Additionally, they’ve released APSA16-02, to announce the pending release of an update for Adobe Flash.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.