Hello everyone,

 

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for April 2016.

   

Welcome to the April Patch Tuesday update. This month Microsoft released a total of thirteen (13) new security bulletins, including one for systems with Adobe Flash Player installed. Six (6) of these are rated Critical, the rating Microsoft reserves for a vulnerability whose exploitation could allow code execution without user interaction. These are the vulnerabilities that system administrators are usually most concerned about and try to patch as quickly as possible. The other seven (7) are rated Important.

 

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

 

This month’s patches include the following. Each entry lists the bulletin number and its KB article, the title, the Bulletin Rating, the Vulnerability Impact, the McAfee Labs Security Advisory Number, and the Intel Security Coverage (Covered Products and Under Analysis):

MS16-037 (KB 3148531): Cumulative Security Update for Internet Explorer
  Bulletin Rating: Critical
  Vulnerability Impact: Memory Corruption Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-032
  Covered Products: Vulnerability Manager, NSP, Application Control, BOP, Host IPS
  Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-038 (KB 3148532): Cumulative Security Update for Microsoft Edge
  Bulletin Rating: Critical
  Vulnerability Impact: Memory Corruption Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-032
  Covered Products: Vulnerability Manager, NSP, Application Control, BOP, Host IPS
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-039 (KB 3148522): Security Update for Microsoft Graphics Component (Win32k and font library)
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution and Privilege Escalation
  McAfee Labs Security Advisory Number: MTIS16-032
  Covered Products: Vulnerability Manager, Host IPS, NSP
  Under Analysis: Firewall Enterprise

MS16-040 (KB 3148541): Security Update for MSXML
  Bulletin Rating: Critical
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-032
  Covered Products: Vulnerability Manager, NSP, BOP, Host IPS
  Under Analysis: Firewall Enterprise, DAT, Web Gateway

MS16-041 (KB 3148789): Security Update for .NET Framework
  Bulletin Rating: Important
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-032
  Covered Products: Vulnerability Manager, NSP
  Under Analysis: Firewall Enterprise

MS16-042 (KB 3148775): Security Update for Microsoft Office
  Bulletin Rating: Critical
  Vulnerability Impact: Memory Corruption Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-032
  Covered Products: Vulnerability Manager, NSP, BOP, Application Control, Host IPS
  Under Analysis: Firewall Enterprise

MS16-044 (KB 3146706): Security Update for Microsoft OLE
  Bulletin Rating: Important
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-032
  Covered Products: Vulnerability Manager, BOP, Host IPS, Application Control, NSP
  Under Analysis: Firewall Enterprise

MS16-045 (KB 3143118): Security Update for Windows Hyper-V
  Bulletin Rating: Important
  Vulnerability Impact: Remote Code Execution
  McAfee Labs Security Advisory Number: MTIS16-032
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-046 (KB 3148538): Security Update for Windows Secondary Logon
  Bulletin Rating: Important
  Vulnerability Impact: Privilege Escalation
  McAfee Labs Security Advisory Number: MTIS16-033
  Covered Products: Vulnerability Manager, BOP, Host IPS, Application Control, NSP
  Under Analysis: Firewall Enterprise

MS16-047 (KB 3148527): Security Update for SAM and LSAD Remote Protocols
  Bulletin Rating: Important
  Vulnerability Impact: Privilege Escalation
  McAfee Labs Security Advisory Number: MTIS16-033
  Covered Products: Vulnerability Manager, NSP
  Under Analysis: Firewall Enterprise

MS16-048 (KB 3148528): Security Update for Windows CSRSS
  Bulletin Rating: Important
  Vulnerability Impact: Security Feature Bypass
  McAfee Labs Security Advisory Number: MTIS16-033
  Covered Products: Vulnerability Manager, NSP
  Under Analysis: Firewall Enterprise

MS16-049 (KB 3148795): Security Update for Windows HTTP.sys (IIS)
  Bulletin Rating: Important
  Vulnerability Impact: Denial of Service
  McAfee Labs Security Advisory Number: MTIS16-033
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-050 (KB 3154132): Security Update for Adobe Flash Player
  Bulletin Rating: Critical
  Vulnerability Impact: Code Execution and Memory Access
  McAfee Labs Security Advisory Number: MTIS16-031
  Covered Products: Vulnerability Manager, Host IPS, Application Control, NSP
  Under Analysis: Firewall Enterprise, DAT, Web Gateway
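The script below is an added example for this newsletter; it is not an Intel Security tool and not part of Microsoft's bulletins. It uses the Windows Update Agent (WUA) COM API that ships with Windows to ask which applicable updates are not yet installed on the local host, and matches them against the thirteen bulletins above by their MS16-0xx identifiers rather than by KB number. That matters because the KB numbers in the table are the bulletin articles; the packages actually installed often carry different KB numbers (several bulletins ship more than one component package), so a Get-HotFix lookup against the table would miss or misreport them. The bulletin ratings are copied from the table; the variable names, the search criteria and the report layout are assumptions of this example.

```powershell
# Added example (not from the newsletter): report which of the April 2016
# bulletins are still outstanding on this host, using the Windows Update Agent
# (WUA) COM API present on every supported Windows version.
# Run from an elevated PowerShell prompt on the host being checked.

# Bulletin ratings as listed in the table above.
$AprilBulletins = @{
    'MS16-037' = 'Critical';  'MS16-038' = 'Critical';  'MS16-039' = 'Critical'
    'MS16-040' = 'Critical';  'MS16-041' = 'Important'; 'MS16-042' = 'Critical'
    'MS16-044' = 'Important'; 'MS16-045' = 'Important'; 'MS16-046' = 'Important'
    'MS16-047' = 'Important'; 'MS16-048' = 'Important'; 'MS16-049' = 'Important'
    'MS16-050' = 'Critical'
}

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Ask the host's configured update source (Windows Update or WSUS) for
# software updates that apply to this machine and are not yet installed.
$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

# Match on the bulletin IDs carried in the update metadata, not on KB numbers:
# the KB in the bulletin table is the article number, while the installable
# package (for example an IE or Office component) usually has a different KB.
$outstanding = foreach ($update in $result.Updates) {
    foreach ($bulletinId in $update.SecurityBulletinIDs) {
        if ($AprilBulletins.ContainsKey($bulletinId)) {
            [pscustomobject]@{
                Bulletin = $bulletinId
                Rating   = $AprilBulletins[$bulletinId]
                Package  = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
                Title    = $update.Title
            }
        }
    }
}

if (-not $outstanding) {
    "No applicable April 2016 bulletin is outstanding on $env:COMPUTERNAME."
}
else {
    # Critical (remote code execution) first, then Important.
    $outstanding |
        Sort-Object @{ Expression = { if ($_.Rating -eq 'Critical') { 0 } else { 1 } } }, Bulletin |
        Format-Table Bulletin, Rating, Package, Title -AutoSize
}
```

Two caveats when reading the output. The search goes to whatever update source the host is configured for, so on a WSUS-managed host an update is reported only if it has been synchronized and approved there. An update that is already installed and one that does not apply at all (MS16-045 on a host without the Hyper-V role, or MS16-046 and MS16-049 on anything other than Windows 10) are both simply absent from the list, and the script cannot tell those two cases apart. On Windows 10 the month's fixes arrive as a single cumulative update that carries several bulletin IDs, so the same package can appear once per bulletin.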

 

Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS16-037 (CVE-2016-0154, 0159, 0160, 0162, 0164, and 0166)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9) and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

The security update addresses the vulnerabilities by:

  • Modifying how Internet Explorer handles objects in memory
  • Correcting how Internet Explorer validates input before loading DLL files
  • Helping to restrict what information is returned to Internet Explorer

 

MS16-038 (CVE-2016-0154 through 0158, and 0161)

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

The update addresses the vulnerabilities by:

  • Modifying how Microsoft Edge handles objects in memory.
  • Ensuring that cross-domain policies are properly enforced in Microsoft Edge.

 

MS16-039 (CVE-2016-0143, 0145, 0165, and 0167)

This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts, which is why the bulletin is rated Critical. The remaining vulnerabilities are Win32k elevation-of-privilege issues: an attacker who can log on to the system and run a specially crafted application could run arbitrary code in kernel mode. At least one of these (CVE-2016-0167) was already being used in limited, targeted attacks when the update shipped, so the bulletin deserves priority even on systems where untrusted documents and web fonts are blocked.

The security update addresses the vulnerabilities by correcting how the Windows font library handles embedded fonts and how the Win32k kernel-mode driver handles objects in memory.

 

MS16-040 (CVE-2016-0147)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user clicks a specially crafted link that could allow an attacker to run malicious code remotely to take control of the user’s system. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.

This security update is rated Critical for Microsoft XML Core Services 3.0 on all supported releases of Microsoft Windows.

 

The update addresses the vulnerability by correcting how the MSXML parser processes user input.

 

MS16-041 (CVE-2016-0148)

This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application.

This security update is rated Important for Microsoft .NET Framework 4.6 and Microsoft .NET Framework 4.6.1 on affected releases of Microsoft Windows.

The security update addresses the vulnerability by correcting how .NET validates input on library load.

 

MS16-042 (CVE-2016-0122, 0127, 0136, and 0139)

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

 

The security update addresses the vulnerabilities by correcting how Office handles objects in memory.

 

MS16-044 (CVE-2016-0153)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.

The security update addresses the vulnerability by correcting how Windows OLE validates user input.

 

MS16-045 (CVE-2016-0088, 0089, and 0090)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.

 

The security update addresses the vulnerabilities by correcting how Hyper-V validates guest operating system user input.

 

MS16-046 (CVE-2016-0135)

This security update resolves a vulnerability in Microsoft Windows. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. This security update is rated Important for all supported editions of Windows 10.

The security update addresses the vulnerability by correcting how Windows Secondary Logon Service handles requests in memory.

 

MS16-047 (CVE-2016-0128)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack. An attacker could then force a downgrade of the authentication level of the RPC channel and impersonate an authenticated user. This is the Windows side of the issue publicized as "Badlock"; Samba-based file servers and domain controllers carry the same protocol weakness (CVE-2016-2118) and need the Samba project's update rather than this bulletin.

 

The security update addresses the vulnerability by modifying how the SAM and LSAD remote protocols handle authentication levels.

 

MS16-048 (CVE-2016-0151)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker logs on to a target system and runs a specially crafted application.

 

The security update addresses the vulnerability by correcting how Windows manages process tokens in memory.

 

MS16-049 (CVE-2016-0150)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to a target system.

This security update is rated Important for all supported editions of Microsoft Windows 10.

The update addresses the vulnerability by modifying how the Windows HTTP protocol stack handles HTTP 2.0 requests.

 

MS16-050 (CVE-2016-1006, 1011 through 1019)

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10. Adobe's corresponding advisory (APSB16-10) reported that one of these, CVE-2016-1019, was already being exploited in the wild when the fix was released.

The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. Because it only refreshes the Flash libraries embedded in those browsers, stand-alone Flash Player installations used by other browsers, and Flash on Windows 7, must be updated separately through Adobe's own release.

 

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities:

Intel Security is seeing many memory corruption remote code execution vulnerabilities across a large number of products, not just those from Microsoft. This is an area where customers can see immediate value from McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

 

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, you can also review the Microsoft Security Bulletin Summary for April 2016 at the Microsoft site.

 

Safe Computing!

Thank you,

Kelly Housman