Hello everyone,


This is Kelly Housman with the Microsoft Patch Tuesday newsletter for February 2016.  


Welcome to the February Patch Tuesday update. This month Microsoft released a total of thirteen (13) new security bulletins, including one from Adobe for Flash. Five (5) of these are rated Critical, which Microsoft defines as a vulnerability whose exploitation could allow remote code execution. These are the vulnerabilities that system administrators are usually most concerned about and try to patch as quickly as possible. The other eight (8) are rated Important.


Clarification of the Intel Security Coverage column in the table below


Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which indicates that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for another. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory referenced in the table.


This month’s patches include the following:

| Bulletin Number | KB Number | Title | Bulletin Rating | Vulnerability Impact | McAfee Labs Security Advisory Number | Intel Security Coverage |
|---|---|---|---|---|---|---|
| MS16-009 | 3134220 | Cumulative Security Update for Internet Explorer | Critical | Memory Corruption & Elevation of Privileges | MTIS16-015 | Covered Products: Vulnerability Manager, NSP, Application Control, BOP, Host IPS, DAT. Under Analysis: Firewall Enterprise |
| MS16-011 | 3134225 | Cumulative Security Update for Microsoft Edge | Critical | Memory Corruption | MTIS16-015 | Covered Products: Vulnerability Manager, BOP, Host IPS, NSP, Application Control, DAT. Under Analysis: Firewall Enterprise |
| MS16-012 | 3138938 | Security Update for Microsoft Windows PDF Library | Critical | Buffer Overflow | MTIS16-015 | Covered Products: Vulnerability Manager, BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise |
| MS16-013 | 3134811 | Security Update to Windows Journal | Critical | Memory Corruption and Remote Code Execution | MTIS16-015 | Covered Products: Vulnerability Manager, Host IPS, Application Control, NSP. Under Analysis: Firewall Enterprise |
| MS16-014 | 3134228 | Security Update for Microsoft Windows | Important | Remote Code Execution | MTIS16-016 | Covered Products: Vulnerability Manager, NSP. Under Analysis: Firewall Enterprise, BOP, Application Control, DAT, Web Gateway, Host IPS |
| MS16-015 | 3134226 | Security Update for Microsoft Office | Important | Remote Code Execution | MTIS16-016 | Covered Products: Vulnerability Manager, BOP, Host IPS, Application Control, NSP, DAT. Under Analysis: Firewall Enterprise |
| MS16-016 | 3136041 | Security Update for WebDAV | Important | Elevation of Privilege | MTIS16-016 | Covered Products: Vulnerability Manager, NSP, Host IPS. Under Analysis: Firewall Enterprise |
| MS16-017 | 3134700 | Security Update for Remote Desktop Display Driver | Important | Elevation of Privilege | MTIS16-016 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-018 | 3136082 | Security Update for Windows Kernel-Mode Driver | Important | Elevation of Privilege | MTIS16-016 | Covered Products: Vulnerability Manager, NSP, BOP, Host IPS, Application Control. Under Analysis: Firewall Enterprise |
| MS16-019 | 3137893 | Security Update for .NET Framework | Important | Denial of Service | MTIS16-016 | Covered Products: Vulnerability Manager, NSP, BOP, Host IPS, Application Control. Under Analysis: Firewall Enterprise |
| MS16-020 | 3134222 | Security Update for Active Directory | Important | Denial of Service | MTIS16-016 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-021 | 3133043 | Security Update for Network Policy Server RADIUS implementation | Important | Denial of Service | MTIS16-016 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-022 | 3135782 | Security Update for Adobe Flash Player | Critical | Remote Code Execution | APSB16-04 | |
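As an added example (not part of the original newsletter, and not a McAfee or Microsoft tool), the following PowerShell script reports which of the KB updates in the table above are present on the local Windows host, using the built-in Get-HotFix cmdlet. Only the bulletin-to-KB mapping comes from the table; the script itself and its variable names are the example's own. Get-HotFix reads the updates recorded in Win32_QuickFixEngineering, so updates delivered by a product's own installer (Office, for instance) may not appear there; treat a "missing" result for MS16-015 as a prompt to check the Office update history rather than as proof that the system is unpatched.

```powershell
# Added example: report the presence of this month's Microsoft KB updates
# on the local host. KB numbers are copied from the bulletin table above;
# MS16-022 (Flash, KB3135782) is included because Microsoft ships it as a
# Windows update for IE 10/11 and Edge.
$FebruaryKBs = @{
    'MS16-009' = 'KB3134220'
    'MS16-011' = 'KB3134225'
    'MS16-012' = 'KB3138938'
    'MS16-013' = 'KB3134811'
    'MS16-014' = 'KB3134228'
    'MS16-015' = 'KB3134226'
    'MS16-016' = 'KB3136041'
    'MS16-017' = 'KB3134700'
    'MS16-018' = 'KB3136082'
    'MS16-019' = 'KB3137893'
    'MS16-020' = 'KB3134222'
    'MS16-021' = 'KB3133043'
    'MS16-022' = 'KB3135782'
}

# Get-HotFix returns one object per installed update with a HotFixID such
# as "KB3134220". Updates that were not installed through Windows Update,
# WSUS or an MSU package (Office patches, for example) are not listed, so
# a "missing" result for those is a prompt to verify, not a verdict.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$report = foreach ($bulletin in ($FebruaryKBs.Keys | Sort-Object)) {
    $kb = $FebruaryKBs[$bulletin]
    [PSCustomObject]@{
        Bulletin  = $bulletin
        KB        = $kb
        Installed = ($installed -contains $kb)
    }
}

# Show the full picture, then call out what still needs attention.
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} February 2016 updates not found on {2}: {3}" -f
        $missing.Count, $report.Count, $env:COMPUTERNAME, ($missing.KB -join ', '))
}
```

Run it in an elevated PowerShell session on each host you are tracking, or wrap it in Invoke-Command to collect the same report from several servers at once. Windows 10 and Windows Server 2012 R2 hosts that receive cumulative rollups may list a superseding KB instead of the exact number above, so a zero-warning result is the goal, but a warning still needs a second look against the update history before it is treated as exposure.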


Let’s take a closer look at each of the Microsoft Security Bulletins:


MS16-009 (CVE-2016-0059 thru 0065, 0067 thru 0069, 0071, 0072, and 0086)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

    • Twenty-three (23) of these vulnerabilities are Remote Code Execution vulnerabilities. An attacker could leverage any of them to corrupt memory, gain the same rights as the currently logged-in user, and then execute arbitrary code.
    • Three (3) of these vulnerabilities are XSS Security Bypass vulnerabilities. These may allow an attacker to steal cookie-based authentication credentials and other sensitive data that could aid in further attacks.
    • One (1) of these vulnerabilities is a Security Feature Bypass vulnerability. It bypasses the Address Space Layout Randomization (ASLR) feature in the Microsoft browser.

As in the past with Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or on a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking a link in Internet search results or in an email message, or by opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help reduce the chance of users straying to an affected website. Since we expect some of the known-bad sites on the Internet to harbor this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.


MS16-011 (CVE-2016-0061, 0062, 0077, 0080, 0082, 0083, and 0084)

  This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


The update addresses the vulnerabilities by:

  • Correcting how Microsoft Edge parses HTTP responses
  • Modifying how Microsoft Edge handles objects in memory
  • Helping to ensure that affected versions of Microsoft Edge properly implement the ASLR security feature


MS16-012 (CVE-2016-0046 and 0058)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if Microsoft Windows PDF Library improperly handles application programming interface (API) calls, which could allow an attacker to run arbitrary code on the user’s system. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. However, an attacker would have no way to force users to download or open a malicious PDF document.


MS16-013 (CVE-2016-0038)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


MS16-014 (CVE-2016-0040, 0041, 0042, 0044, and 0049)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker is able to log on to a target system and run a specially crafted application.


The security update addresses the vulnerabilities by:

  • Correcting how the Windows kernel handles objects in memory
  • Correcting how Windows validates input before loading DLL files
  • Correcting how Microsoft Sync Framework validates input
  • Adding an additional authentication check


MS16-015 (CVE-2016-0022, 0039, 0052, and 0053 thru 0057) 

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


The security update addresses the vulnerabilities by:

  • Correcting how Office handles objects in memory
  • Providing a validly signed binary
  • Helping to ensure that SharePoint Server properly sanitizes web requests


MS16-016 (CVE-2016-0051)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specifically crafted input to a server.


MS16-017 (CVE-2016-0036)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an authenticated attacker logs on to the target system using RDP and sends specially crafted data over the connection. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.


MS16-018 (CVE-2016-0048)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.


MS16-019 (CVE-2016-0033 and 0047)

This security update resolves vulnerabilities in Microsoft .NET Framework. The more severe of the vulnerabilities could cause denial of service if an attacker inserts specially crafted XSLT into a client-side XML web part, causing the server to recursively compile XSLT transforms.

This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, and Microsoft .NET Framework 4.6.1 on affected releases of Microsoft Windows.


MS16-020 (CVE-2016-0037)

This security update resolves a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could allow denial of service if an attacker sends certain input data during forms-based authentication to an ADFS server, causing the server to become nonresponsive.

This security update is rated Important for ADFS 3.0 when installed on x64-based editions of Windows Server 2012 R2.


MS16-021 (CVE-2016-0050)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could cause denial of service on a Network Policy Server (NPS) if an attacker sends specially crafted username strings to the NPS, which could prevent RADIUS authentication on the NPS.

This security update is rated Important for all supported editions of Windows Server 2008 (excluding Itanium) and Windows Server 2008 R2 (excluding Itanium), and for all supported editions of Windows Server 2012 and Windows Server 2012 R2.


MS16-022 (CVE-2016-0964 thru 0985)

Finally, this security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows 10 Version 1511.

The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.


NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.


Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products, not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.


Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.


The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.


Finally, these briefings are archived on the McAfee Community site.


For additional useful security information, please make note of the following links:


You can also review the Microsoft Summary for December 2015 at the Microsoft site.


Safe Computing!

Thank you,

Kelly Housman