Hello everyone,

 

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for March 2016.

 

Welcome to the March Patch Tuesday update. This month Microsoft released a total of thirteen (13) new security bulletins. Five (5) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow remote code execution. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other eight (8) are rated Important.

 

Clarification of the Intel Security Coverage column in the table below

 

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number. 

 

This month’s patches include the following:

 

NOTE: As of this posting McAfee Labs Advisory documents were not posted on the community site. Once they are posted you’ll find them here.  

                                                                 

| Bulletin Number | KB Number | Title | Bulletin Rating | Vulnerability Impact | McAfee Labs Security Advisory Number | Intel Security Coverage |
|---|---|---|---|---|---|---|
| MS16-023 | 3142015 | Cumulative Security Update for Internet Explorer | Critical | Memory Corruption Vulnerability | MTIS16-023 | Covered Products: Vulnerability Manager, NSP, Application Control, BOP, Host IPS. Under Analysis: Web Gateway, DAT, Firewall Enterprise. |
| MS16-024 | 3142019 | Cumulative Security Update for Internet Explorer and Microsoft Edge | Critical | Memory Corruption Vulnerability | MTIS16-023 | Covered Products: Vulnerability Manager, NSP, Application Control, BOP, Host IPS. Under Analysis: Firewall Enterprise, DAT, Web Gateway. |
| MS16-025 | 3140709 | Security Update for Windows Library Loading | Important | Remote Code Execution | MTIS16-024 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS16-026 | 3144148 | Security Update for Graphic Fonts | Critical | Remote Code Execution | MTIS16-024 | Covered Products: Vulnerability Manager, NSP. Under Analysis: Firewall Enterprise. |
| MS16-027 | 3143146 | Security Update for Windows Media Player | Critical | Remote Code Execution | MTIS16-024 | Covered Products: Vulnerability Manager, BOP, Host IPS, Application Control, NSP. Under Analysis: Firewall Enterprise. |
| MS16-028 | 3143081 | Security Update for Microsoft Windows PDF Library | Critical | Remote Code Execution | MTIS16-024 | Covered Products: Vulnerability Manager, NSP, BOP, Application Control, Host IPS. Under Analysis: Firewall Enterprise. |
| MS16-029 | 3141806 | Security Update for Microsoft Office | Important | Remote Code Execution | MTIS16-024 | Covered Products: Vulnerability Manager, BOP, Host IPS, Application Control, NSP. Under Analysis: Firewall Enterprise. |
| MS16-030 | 3143136 | Security Update for Windows OLE | Important | Remote Code Execution | MTIS16-024 | Covered Products: Vulnerability Manager, NSP, Host IPS, BOP, Application Control. Under Analysis: Firewall Enterprise. |
| MS16-031 | 3140410 | Security Update for Microsoft Windows | Important | Elevation of Privilege | MTIS16-024 | Covered Products: Vulnerability Manager, NSP. Under Analysis: Firewall Enterprise. |
| MS16-032 | 3143141 | Security Update to Secondary Logon | Important | Elevation of Privilege | MTIS16-024 | Covered Products: Vulnerability Manager, NSP. Under Analysis: Firewall Enterprise. |
| MS16-033 | 3143142 | Security Update for Windows USB Mass Storage Class Driver | Important | Elevation of Privilege | MTIS16-024 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise. |
| MS16-034 | 3143145 | Security Update for Windows Kernel-Mode Drivers | Important | Elevation of Privilege | MTIS16-024 | Covered Products: Vulnerability Manager, Host IPS, NSP. Under Analysis: Firewall Enterprise. |
| MS16-035 | 3141780 | Security Update for .NET Framework | Important | Security Feature Bypass | MTIS16-024 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise. |

 

Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS16-023 (CVE-2016-0102 thru 0114)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9) and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

The security update addresses the vulnerabilities by:

    • Modifying how Internet Explorer handles objects in memory

 

MS16-024 (CVE-2016-0102, 0105, 0109, 0110, 0111, 0116, 0119, 0123, 0124, 0125, 0129, and 0130)

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

The update addresses the vulnerabilities by:

    • Modifying how Microsoft Edge handles objects in memory
    • Changing how Microsoft Edge handles the referrer policy

  

MS16-025 (CVE-2016-0100)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Microsoft Windows fails to properly validate input before loading certain libraries. However, an attacker must first gain access to the local system with the ability to execute a malicious application.

The security update addresses the vulnerability by correcting how Windows OLE validates input on library load.

 

MS16-026 (CVE-2016-0120 and 0121)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker either convinces a user to open a specially crafted document, or to visit a webpage that contains specially crafted embedded OpenType fonts. This security update is rated Critical for all supported editions of Windows.

The security update addresses the vulnerabilities by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.

 

MS16-027 (CVE-2016-0098 and 0101)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens specially crafted media content that is hosted on a website. This security update is rated Critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

The security update addresses the vulnerabilities by correcting how Windows handles resources in the media library.

 

MS16-028 (CVE-2016-0117 and 0118)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted .pdf file.

An attacker who successfully exploited these vulnerabilities could cause arbitrary code to execute in the context of the current user. If a user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows 10.

The update addresses the vulnerabilities by modifying how Windows parses .PDF files.

 

MS16-029 (CVE-2016-0021, 0057, and 0134)

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerabilities by:

    • Correcting how Office handles objects in memory
    • Providing a validly signed binary

 

 

MS16-030 (CVE-2016-0091 and 0092) 

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if Windows OLE fails to properly validate user input. An attacker could exploit the vulnerabilities to execute malicious code. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message. This security update is rated Important for all supported editions of Windows.

The security update addresses the vulnerabilities by correcting how Windows OLE validates user input.

 

MS16-031 (CVE-2016-0087)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker is able to log on to a target system and run a specially crafted application. This security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

The security update addresses the vulnerability by correcting how Windows validates impersonation events.

 

MS16-032 (CVE-2016-0099)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege when the Windows Secondary Logon Service fails to properly manage request handles in memory. This security update is rated Important for all supported editions of Windows.

The security update addresses the vulnerability by correcting how Windows manages request handles in memory.

 

MS16-033 (CVE-2016-0133)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker with physical access inserts a specially crafted USB device into the system. This security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

The security update addresses the vulnerability by correcting how Windows handles objects in memory.

 

MS16-034 (CVE-2016-0093 thru 0096)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. This security update is rated Important for all supported editions of Microsoft Windows.

The security update addresses the vulnerabilities by correcting how Windows handles objects in memory.

 

MS16-035 (CVE-2016-0132)

This security update resolves a vulnerability in Microsoft .NET Framework. The security feature bypass exists in a .NET Framework component that does not properly validate certain elements of a signed XML document. This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, and Microsoft .NET Framework 4.6.1 on affected releases of Microsoft Windows.

The update addresses the vulnerability by correcting how the .NET Framework validates XML documents.

 

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links: 

 

You can also review the Microsoft Summary for March 2016 at the Microsoft site.

 

Safe Computing!

Thank you,

Kelly Housman