VERT Threat Alert: January 2016 Patch Tuesday Analysis | Tripwire

VERT Threat Alert: January 2016 Patch Tuesday Analysis

Posted on January 12, 2016
VERT Threat Alert: April 2017 Patch Tuesday Analysis
Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-652 on Wednesday, January 13th.  

Ease of Use (published exploits) to Risk Table

Automated Exploit
Easy
Moderate
Difficult
Extremely Difficult
 MS16-001 MS16-005 MS16-004 MS16-007
No Known Exploit
 MS16-002 MS16-003 MS16-006 MS16-010 MS16-008
Exposure
Local Availability
Local Access
Remote Availability
Remote Access
Local Privileged
Remote Privileged
 
MS16-001 Cumulative Security Update for Internet Explorer KB3124903
MS16-002 Cumulative Security Update for Microsoft Edge KB3124904
MS16-003 Cumulative Security Update for JScript and VBScript to Address Remote Code Execution KB2135540
MS16-004 Security Update for Microsoft Office to Address Remote Code Execution KB2134585
MS16-005 Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution KB3124584
MS16-006 Security Update for Silverlight to Address Remote Code Execution KB3126036
MS16-007 Security Update for Microsoft Windows to Address Remote Code Execution KB3124901
MS16-008 Security Update for Windows Kernel to Address Elevation of Privilege KB3124605
MS16-010 Security Update for Microsoft Exchange Server to Address Spoofing KB3124557
 

MS16-001

Although it’s a new year, we don’t really have any new faces. The first Microsoft bulletin of 2016 is exactly what everyone expected, an update to Internet Explorer. There are a few interesting points worth making with this update. First, this is the last time that updates will be available for older versions of Internet Explorer, more details on the IE Lifecycle can found here. Speaking of older versions of Internet Explorer, while none of the listed CVEs apply to Internet Explorer 7, patches are available. Finally, there’s a special note, which applies to all bulletins that include Windows 10, that states that Windows 10 users running Citrix XenDesktop will not be offered today’s update because it may prevent users from logging on. This is an important note for enterprises running XenDesktop. CVE-2016-0005 has been publicly disclosed.  

MS16-002

Since the first update of the year was for Internet Explorer, it only makes sense that the second update would be for Microsoft Edge. Once again, it’s important to note that the Windows 10 update will not be offered to hosts running Citrix XenDesktop.  

MS16-003

Up next, we have the JScript & VBScript update. As always, Microsoft provides additional guidance on which updates apply to your system as this update shares a CVE with MS16-001 and the update that you require depends on the version of Internet Explorer that you are running.  

MS16-004

The next update this month includes updates for Microsoft Office, SharePoint Server, and the Microsoft Visual Basic 6.0 Runtime. CVE-2016-0035 has been publicly disclosed. CVE-2015-6117 has been publicly disclosed.  

MS16-005

MS16-005 updates a pair of Windows Kernel-Mode Drivers, specifically Win32k.sys and GDI32.dll. This is another bulletin that contains the note explained above in MS16-001, the Windows 10 update will not be offered to systems running Citrix XenDesktop. CVE-2016-0009 has been publicly disclosed.  

MS16-006

A vulnerability in Microsoft Silverlight is addressed in MS16-006. It’s important to note that Silverlight should be considered obsolete unless you need it for a specific application. As VERT has suggested in the past, review your applications and if you don’t require Silverlight, you should uninstall it rather than applying MS16-006.  

MS16-007

This update is a mixed bag with multiple different components rolled into the generic “Windows” title. This includes DLL loading vulnerabilities, code execution in Direct Show, MAPI DLL Loading privilege escalation, and a security bypass vulnerability in RDP on Windows 10. First, let’s point out that the inclusion of Windows 10 means that the note regarding Citrix XenDesktop is reiterated here. CVE-2016-0019 warrants additional commentary. This vulnerability, affecting RDP on Windows 10, could allow an attacker to log into accounts that don’t have a password set. CVE-2016-0016 has been publicly disclosed. CVE-2016-0018 has been publicly disclosed.  

MS16-008

The penultimate update this month (because MS16-009 has been withheld) resolves two privilege escalation vulnerabilities within Windows Mount Point. As with many other bulletins this month, this bulletin contains a note that users with Citrix XenDesktop will not be offered the Windows 10 update.  

MS16-010

The final bulletin this month contains four Microsoft Exchange spoofing vulnerabilities. The descriptions of these vulnerabilities reads more like cross-site scripting issues exploitable via OWA than spoofing.  

Additional Details

Adobe has released APSB16-02 to address multiple vulnerabilities in Adobe Acrobat and Reader. As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!