
Today’s VERT Alert addresses 13 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-660 on Wednesday, March 9th.

Ease of Use (published exploits) to Risk Table

Columns (ease of use): Automated Exploit | Easy | Moderate | Difficult | Extremely Difficult | No Known Exploit

Rows (exposure): Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged

Bulletins plotted in the table, in the order they appear in this copy (cell positions not recoverable): MS16-035; MS16-023, MS16-024, MS16-025, MS16-027, MS16-028, MS16-029, MS16-030; MS16-026; MS16-031, MS16-032, MS16-033, MS16-034


MS16-023 Cumulative Security Update for Internet Explorer KB3142015
MS16-024 Cumulative Security Update for Microsoft Edge KB2142019
MS16-025 Security Update for Windows Library Loading to Address Remote Code Execution KB2140709
MS16-026 Security Update for Graphic Fonts to Address Remote Code Execution KB3143148
MS16-027 Security Update for Windows Media to Address Remote Code Execution KB3143146
MS16-028 Security Update for Microsoft Windows PDF Library to Address Remote Code Execution KB3143081
MS16-029 Security Update for Microsoft Office to Address Remote Code Execution KB3141806
MS16-030 Security Update for Windows OLE to Address Remote Code Execution KB3143136
MS16-031 Security Update for Microsoft Windows to Address Elevation of Privilege KB3140410
MS16-032 Security Update for Secondary Logon to Address Elevation of Privilege KB3143141
MS16-033 Security Update for Windows USB Mass Storage Class Driver KB3143142
MS16-034 Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege KB3143145
MS16-035 Security Update for .NET Framework to Address Security Feature Bypass KB3141780


MS16-023

As with most months, we start off this month with the regular Internet Explorer cumulative update. With a total of 13 vulnerabilities fixed, we can see, thanks to Microsoft’s vulnerability naming standard, that 5 of the CVEs apply to both Internet Explorer and Edge, while the other 8 are Internet Explorer specific. These bulletins serve as a good reminder that it’s important to practice the principle of least privilege. The risk to systems is greatly increased when running the browser as an administrator instead of as a standard user.
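As an added illustration of the least-privilege point (this is not Tripwire's code), the following Windows PowerShell script reports whether the logged-in account is a local administrator and which account owns each running browser process. It assumes Windows PowerShell 5.1 (for Get-LocalGroupMember) and the IE/Edge image names of the time, iexplore.exe and MicrosoftEdge.exe; nested domain group membership is not expanded, so a miss means "not known to be admin", not "standard user".

```powershell
# Added example, not from the VERT alert. Assumes Windows PowerShell 5.1.

function Test-CurrentUserIsAdmin {
    # True when the current token holds the built-in Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-BrowserProcessOwner {
    param(
        # Browser image names to inspect (assumed; adjust for other browsers).
        [string[]]$ProcessName = @('iexplore.exe', 'MicrosoftEdge.exe')
    )
    # Direct members of the local Administrators group, as "COMPUTER\user" or "DOMAIN\user".
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })

    foreach ($name in $ProcessName) {
        $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$name'"
        foreach ($proc in $procs) {
            # GetOwner returns Domain/User for the token that owns the process.
            $owner   = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
            $account = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
            [pscustomobject]@{
                Process      = $proc.Name
                PID          = $proc.ProcessId
                Owner        = $account
                OwnerIsAdmin = ($admins -contains $account)
            }
        }
    }
}

"Current user is a local administrator: $(Test-CurrentUserIsAdmin)"
Get-BrowserProcessOwner | Format-Table -AutoSize
```

Run it in the user's own session on a kiosk or shared workstation: any browser process whose OwnerIsAdmin column is True is the case the alert warns about, and the fix is to browse from a standard account rather than to rely on the patch alone.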

MS16-024

The second bulletin this month is the cumulative update for Microsoft Edge that almost always accompanies the IE cumulative update. There are 6 Edge-specific vulnerabilities in addition to the 5 vulnerabilities shared with Internet Explorer, and none of them has been exploited or disclosed publicly, something common to all the bulletins this month.

MS16-025

The single vulnerability resolved by MS16-025 affects Windows Vista and Server 2008 and requires that a malicious application be executed on the target system. Windows Vista and Server 2008 represent older platforms with fewer security hardening options than modern Windows operating systems and users of these platforms should consider upgrading to a more modern operating system.

MS16-026

OpenType Fonts were a popular target in 2015 and it looks like they will continue to be targeted by researchers in 2016. While one of the two resolved vulnerabilities is a denial of service, the other vulnerability could be used in a Drive-By Download scenario.

MS16-027

Next up are two vulnerabilities that affect the parsing of media content in Windows. Much like MS16-026, these vulnerabilities could be used in a Drive-By Download by hosting the media files on a web server that the victim visits.

MS16-028

The next bulletin this month resolves two vulnerabilities affecting the PDF library that ships with modern versions of Windows. As always, refrain from opening files from unknown sources, as malicious PDF files will be used to exploit these vulnerabilities.

MS16-029

This month’s Microsoft Office bulletin contains fixes for two memory corruption vulnerabilities and an improperly signed binary. Successful exploitation of the security feature bypass, which involves replacing the improperly signed binary, requires that the attacker have write access to the binary location. Additionally, a defense in depth update has been published as part of this bulletin and Microsoft has included details on editing the registry to disable OLE Package functionality in Outlook.

MS16-030

Given the ability to disable the OLE Package functionality in Outlook in MS16-029, it’s likely that the addition of this workaround was inspired by the vulnerabilities in MS16-030. These vulnerabilities allow for code execution when OLE fails to properly validate user input.

MS16-031

Successful exploitation of the single CVE referenced in MS16-031, CVE-2016-0087, could allow an attacker to execute code as System on Windows Vista, Windows 7, Windows Server 2008 and Server 2008 R2.

MS16-032

Windows Secondary Logon, better known as RunAs, allows users to run specific commands with elevated privileges rather than logging into another account, for example Administrator, directly. This command is akin to sudo in the UNIX/Linux world. This update resolves a flaw in memory handling that an attacker with access to a system could use, through the Secondary Logon service, to elevate their privileges.

MS16-033

One of the more interesting aspects of MS16-033 is that rather than a specially crafted program or packet, the attacker must use a specially crafted USB device. This is one of the more interesting bulletins this month as it means the attacker must have physical access to the system but could simply walk by and plug in a device. Businesses with kiosks and customer facing systems with exposed USB ports should make resolving this vulnerability a priority.
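For the kiosk and customer-facing systems the alert singles out, here is an added triage script (not Tripwire's code) that checks two things on a host: whether KB3143142, the KB listed for MS16-033 above, is installed, and whether the USB mass storage class driver (USBSTOR) is enabled. It assumes Windows PowerShell; the USBSTOR service key and its Start values are standard Windows locations and are not taken from the bulletin. Get-HotFix can miss updates that were later superseded by a rollup, so treat a negative result as "confirm manually" rather than proof of exposure.

```powershell
# Added example, not from the VERT alert. Assumes Windows PowerShell.

function Test-HotFixInstalled {
    param([Parameter(Mandatory)][string]$KB)
    # Get-HotFix reads the installed-update list; a superseding rollup may
    # hide the original KB, so a $false here means "check by other means".
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Get-UsbStorState {
    # Standard Windows location for the USB mass storage class driver service.
    # Start = 3 (manual, the default) loads the driver when a device is plugged
    # in; Start = 4 disables it, which removes this attack surface on kiosks
    # that never need removable storage.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) { return 'KeyNotFound' }
    if ($start -eq 4)     { return 'Disabled' }
    return "Enabled (Start=$start)"
}

function Get-Ms16033Triage {
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        KB3143142Present = Test-HotFixInstalled -KB 'KB3143142'
        UsbStorDriver    = Get-UsbStorState
    }
}

Get-Ms16033Triage | Format-List
```

A host that reports KB3143142Present = False and UsbStorDriver = Enabled is the combination to patch first; where the kiosk role never needs removable media, disabling USBSTOR is a compensating control that also holds up until the next driver bug.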

MS16-034

A monthly regular, the penultimate update this month resolves four vulnerabilities affecting Win32k.sys. Successful exploitation of these vulnerabilities could lead to kernel-mode code execution.

MS16-035

The final update this month resolves a signature validation issue in .NET that could allow an attacker to modify the contents of XML files without invalidating the file’s signature. This is an important update for anyone who has .NET code that works with XML files.
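To make concrete what a correct XML signature check has to guarantee, here is an added example (not Tripwire's or Microsoft's code) that signs a small constructed XML document with an enveloped XML-DSig signature using the .NET SignedXml class, verifies it, then changes one element and verifies again. It assumes Windows PowerShell on the .NET Framework, where SignedXml lives in System.Security.dll; the key pair and the order document are constructed for the example. It demonstrates the expected behaviour only and does not reproduce the validation flaw.

```powershell
# Added example, not from the VERT alert. Assumes Windows PowerShell / .NET Framework.
Add-Type -AssemblyName System.Security

function New-SignedXmlDocument {
    param(
        [Parameter(Mandatory)][string]$XmlText,
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$Key
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true        # keep the canonicalised bytes stable
    $doc.LoadXml($XmlText)

    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signedXml.SigningKey = $Key

    # Uri '' signs the whole document; the enveloped transform excludes the
    # <Signature> element itself from the digest so it can live inside the document.
    $reference = New-Object System.Security.Cryptography.Xml.Reference
    $reference.Uri = ''
    $reference.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform))
    $signedXml.AddReference($reference)
    $signedXml.ComputeSignature()

    $null = $doc.DocumentElement.AppendChild($doc.ImportNode($signedXml.GetXml(), $true))
    return $doc
}

function Test-SignedXmlDocument {
    param(
        [Parameter(Mandatory)][System.Xml.XmlDocument]$Document,
        [Parameter(Mandatory)][System.Security.Cryptography.RSA]$Key
    )
    # Require exactly one Signature element and verify it against a key the
    # application trusts, never a key embedded in the document by its author.
    $nodes = $Document.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')
    if ($nodes.Count -ne 1) { return $false }

    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($Document)
    $signedXml.LoadXml([System.Xml.XmlElement]$nodes[0])
    return $signedXml.CheckSignature($Key)
}

# Constructed sample data: a throwaway key pair and a small order document.
$rsa    = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$signed = New-SignedXmlDocument -XmlText '<order><item>widget</item><qty>1</qty></order>' -Key $rsa

"Untampered document verifies: $(Test-SignedXmlDocument -Document $signed -Key $rsa)"

# Change signed content after signing; a correct validator must now reject it.
$signed.SelectSingleNode('/order/qty').InnerText = '100'
"Tampered document verifies:   $(Test-SignedXmlDocument -Document $signed -Key $rsa)"
```

Two design points carry over to production code: verify against a key you already trust (the CheckSignature overload that takes a key) rather than the key material carried in the document, and refuse documents with zero or multiple Signature elements, since ambiguity about which element was signed is exactly what signature-validation bypasses tend to exploit.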

Additional Details

Adobe has released APSB16-09 to address multiple vulnerabilities in Acrobat and Reader. Mozilla has released Firefox 45 to address a number of vulnerabilities in Firefox.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.