Hello everyone,

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for May 2016.

Welcome to the May Patch Tuesday update. This is a busy month: Microsoft released a total of sixteen (16) new security bulletins, including one for systems with Adobe Flash Player installed. Eight (8) of these are rated Critical, which Microsoft defines as a vulnerability whose exploitation could allow remote code execution. These are the vulnerabilities that system administrators are usually most concerned about and try to patch as quickly as possible. The remaining eight (8) are rated Important.


Clarification of the Intel Security Coverage column in the table below

   Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

   

This month’s patches include the following:

 

| Bulletin Number | KB Number | Title | Bulletin Rating (highest) | Vulnerability Impact | McAfee Labs Security Advisory Number | Intel Security Coverage: Covered Products | Intel Security Coverage: Under Analysis |
|---|---|---|---|---|---|---|---|
| MS16-051 | 3155533 | Cumulative Security Update for Internet Explorer | Critical | Security Bypass; Memory Corruption; Information Disclosure | MTIS16-038 | Vulnerability Manager, NSP, Application Control, BOP, Host IPS | Web Gateway, DAT, Firewall Enterprise |
| MS16-052 | 3155538 | Cumulative Security Update for Microsoft Edge | Critical | Memory Corruption | MTIS16-038 | Vulnerability Manager, NSP | Firewall Enterprise, DAT, Web Gateway |
| MS16-053 | 3156764 | Security Update for JScript and VBScript | Critical | Memory Corruption | MTIS16-038 | Vulnerability Manager, Host IPS, NSP, BOP, Application Control | Firewall Enterprise, DAT, Web Gateway |
| MS16-054 | 3155544 | Security Update for Microsoft Office | Critical | Memory Corruption; Graphics Remote Code Execution | MTIS16-038 | Vulnerability Manager, NSP, BOP, Host IPS, Application Control | Firewall Enterprise, DAT, Web Gateway |
| MS16-055 | 3156754 | Security Update for Graphics Component | Critical | Remote Code Execution; Information Disclosure | MTIS16-038 | Vulnerability Manager, NSP, BOP, Host IPS, Application Control | Firewall Enterprise, DAT, Web Gateway |
| MS16-056 | 3156761 | Security Update for Windows Journal | Critical | Memory Corruption | MTIS16-038 | Vulnerability Manager, BOP, Application Control, Host IPS | Firewall Enterprise |
| MS16-057 | 3156987 | Security Update for Windows Shell | Critical | Remote Code Execution | MTIS16-038 | Vulnerability Manager, Host IPS | Firewall Enterprise |
| MS16-058 | 3141083 | Security Update for Windows IIS | Important | Remote Code Execution | MTIS16-038 | Vulnerability Manager | Firewall Enterprise |
| MS16-059 | 3150220 | Security Update for Windows Media Center | Important | Remote Code Execution | MTIS16-038 | Vulnerability Manager, NSP | Firewall Enterprise |
| MS16-060 | 3154846 | Security Update for Windows Kernel | Important | Elevation of Privilege | MTIS16-038 | Vulnerability Manager, Host IPS, NSP | Firewall Enterprise |
| MS16-061 | 3155520 | Security Update for Windows RPC | Important | Elevation of Privilege | MTIS16-038 | Vulnerability Manager, BOP, Host IPS, Application Control, NSP | Firewall Enterprise |
| MS16-062 | 3158222 | Security Update for Windows Kernel-Mode Drivers | Important | Elevation of Privilege | MTIS-039 | Vulnerability Manager, Host IPS, NSP | Firewall Enterprise |
| MS16-064 | 3157993 | Security Update for Adobe Flash Player | Critical | N/A | N/A | N/A | N/A |
| MS16-065 | 3156757 | Security Update for .NET Framework | Important | Information Disclosure | MTIS-039 | Vulnerability Manager | Firewall Enterprise |
| MS16-066 | 3155451 | Security Update for Virtual Secure Mode | Important | Security Feature Bypass | MTIS-039 | Vulnerability Manager | Firewall Enterprise |
| MS16-067 | 3155784 | Security Update for Volume Manager Driver (USB over RDP) | Important | Information Disclosure | MTIS-039 | Vulnerability Manager | Firewall Enterprise |
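As an added example (not part of the original newsletter, and not Microsoft's or Intel Security's own tooling), the PowerShell below checks a Windows host for the KB numbers listed in the table above with the built-in Get-HotFix cmdlet and flags any Critical bulletin that was not found. The KB numbers and ratings are copied from the table; the function name Get-May2016PatchStatus is an assumption of this example. Get-HotFix reads the operating-system update inventory only, so the Office bulletin (MS16-054) will never show up here, and on Windows 10 the month's fixes ship as a single cumulative update with its own KB number rather than under the per-bulletin KBs, so a "not installed" result is a prompt to check the bulletin's affected-software list rather than a confirmed gap.

```powershell
# Added example: report which May 2016 Patch Tuesday KBs Get-HotFix can see on this host.
# Caveats (see lead-in): OS updates only, and Windows 10 uses one cumulative KB instead.
function Get-May2016PatchStatus {
    # KB numbers and ratings copied from the newsletter's table.
    $bulletins = @(
        @{ Bulletin = 'MS16-051'; KB = 'KB3155533'; Rating = 'Critical'  }
        @{ Bulletin = 'MS16-052'; KB = 'KB3155538'; Rating = 'Critical'  }
        @{ Bulletin = 'MS16-053'; KB = 'KB3156764'; Rating = 'Critical'  }
        @{ Bulletin = 'MS16-054'; KB = 'KB3155544'; Rating = 'Critical'  }
        @{ Bulletin = 'MS16-055'; KB = 'KB3156754'; Rating = 'Critical'  }
        @{ Bulletin = 'MS16-056'; KB = 'KB3156761'; Rating = 'Critical'  }
        @{ Bulletin = 'MS16-057'; KB = 'KB3156987'; Rating = 'Critical'  }
        @{ Bulletin = 'MS16-058'; KB = 'KB3141083'; Rating = 'Important' }
        @{ Bulletin = 'MS16-059'; KB = 'KB3150220'; Rating = 'Important' }
        @{ Bulletin = 'MS16-060'; KB = 'KB3154846'; Rating = 'Important' }
        @{ Bulletin = 'MS16-061'; KB = 'KB3155520'; Rating = 'Important' }
        @{ Bulletin = 'MS16-062'; KB = 'KB3158222'; Rating = 'Important' }
        @{ Bulletin = 'MS16-064'; KB = 'KB3157993'; Rating = 'Critical'  }
        @{ Bulletin = 'MS16-065'; KB = 'KB3156757'; Rating = 'Important' }
        @{ Bulletin = 'MS16-066'; KB = 'KB3155451'; Rating = 'Important' }
        @{ Bulletin = 'MS16-067'; KB = 'KB3155784'; Rating = 'Important' }
    )

    # Get-HotFix wraps Win32_QuickFixEngineering; HotFixID is the "KBnnnnnnn" string.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    foreach ($b in $bulletins) {
        [pscustomobject]@{
            Bulletin  = $b.Bulletin
            KB        = $b.KB
            Rating    = $b.Rating
            Installed = ($installed -contains $b.KB)
        }
    }
}

$status = Get-May2016PatchStatus
$status | Sort-Object Rating, Bulletin | Format-Table -AutoSize

# Call out the Critical (remote-code-execution class) bulletins that were not found,
# since those are the ones the newsletter says administrators patch first.
$missing = @($status | Where-Object { $_.Rating -eq 'Critical' -and -not $_.Installed })
if ($missing.Count -gt 0) {
    $list = ($missing | ForEach-Object { "$($_.Bulletin) ($($_.KB))" }) -join ', '
    Write-Warning "Critical bulletins not found by Get-HotFix: $list"
}
```

Run it in an elevated PowerShell session on the host being audited; for fleet-wide checks the same function can be pushed through Invoke-Command, and the resulting objects can be exported with Export-Csv for the change record.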

Let’s take a closer look at each of the Microsoft Security Bulletins:

   

MS16-051 (CVE-2016-0187, 0188, 0189, 0192, and 0194)

  The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

This security update is rated Critical for Internet Explorer 9 (IE 9), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

 

MS16-052 (CVE-2016-0186, 0191, 0192, and 0193)

  The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights. This security update is rated Critical for Microsoft Edge on Windows 10.

  The update addresses the vulnerability by:

    • Modifying how Microsoft Edge handles objects in memory.
    • Ensuring that cross-domain policies are properly enforced in Microsoft Edge.

 

MS16-053 (CVE-2016-0187 and 0189)
The vulnerabilities could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The update addresses the vulnerabilities by modifying how the JScript and VBScript scripting engines handle objects in memory.

 

MS16-054 (CVE-2016-0126, 0140, 0183, and 0198)

The vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

The security update addresses the vulnerabilities by correcting how Office handles objects in memory, and by correcting how the Windows font library handles embedded fonts.

 

MS16-055 (CVE-2016-0168, 0169, 0170, 0184, and 0195)

The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a specially crafted website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how the Windows GDI component and the Windows Imaging Component handle objects in memory.

 

MS16-056 (CVE-2016-0182)

The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The update addresses the vulnerability by modifying how Windows Journal parses Journal files.

 

MS16-057 (CVE-2016-0179)

The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website that accepts user-provided online content, or convinces a user to open specially crafted content.

The security update addresses the vulnerability by modifying how Windows Shell handles objects in memory.

MS16-058 (CVE-2016-0152)

To exploit the vulnerability, an attacker must first gain access to the local system and have the ability to execute a malicious application.

The security update addresses the vulnerability by correcting how Windows validates input when loading certain libraries.

 

MS16-059 (CVE-2016-0185)

The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerability by correcting how Windows Media Center handles certain resources in the .mcl file.

 

MS16-060 (CVE-2016-0180)

The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

The security update addresses the vulnerability by correcting how the Windows kernel parses symbolic links.

 

MS16-061 (CVE-2016-0178)

The vulnerability could allow elevation of privilege if an unauthenticated attacker makes malformed Remote Procedure Call (RPC) requests to an affected host.

The security update addresses the vulnerability by modifying the way that Microsoft Windows handles RPC messages.

 

MS16-062 (CVE-2016-0171 through 0176, 0196, and 0197)

The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

The security update addresses the vulnerabilities by correcting:

    • How the Windows kernel-mode driver handles objects in memory.
    • How the Windows kernel handles memory addresses.
    • The way in which the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) handles certain calls and escapes to preclude improper memory mapping and prevent unintended elevation from user-mode.

  

MS16-064 (N/A)

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

 

MS16-065 (CVE-2016-0149)

The vulnerability could cause information disclosure if an attacker injects unencrypted data in the target secure channel and then performs a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server.

The security update addresses the vulnerability by modifying the way that the .NET encryption component sends and receives encrypted network packets.

 

MS16-066 (CVE-2016-0181)

The vulnerability could allow a security feature bypass if an attacker runs a specially crafted application to bypass code integrity protections in Windows.

The update addresses the vulnerability by correcting the security feature’s behavior to preclude incorrect marking of RWX pages under HVCI.

 

MS16-067 (CVE-2016-0190)

The vulnerability could allow information disclosure if a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user.

The security update addresses the vulnerability by ensuring that access to USB disks over RDP is correctly enforced to prevent non-mounting session access.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it open to exploitation. While there may be some forms of defense against a given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products, not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links.

 

You can also review the Microsoft Summary for May 2016 at the Microsoft site.

 

Safe Computing!

Thank you,

Kelly Housman