Microsoft Patch Tuesday, April 2016

April is here and with it comes a new Patch Tuesday. This month Microsoft is releasing 13 bulletins for a total of 29 unique CVEs. The bulletins are fairly evenly divided with 6 rated Critical and 7 rated Important. Internet Explorer and Edge make their monthly showing with some particularly vicious vulnerabilities including remote code execution and, in the case of Edge, a universal cross-site scripting (UXSS) vulnerability that affects any website visited. There is also a Denial of Service vulnerability in HTTP.sys, which, while only rated as Important, could certainly give some web admins a headache.

Badlock

Of course the big news this Patch Tuesday is Badlock. Badlock was announced with much fanfare three weeks ago on March 22. The announcement came with a dedicated domain and webpage, a cool icon and a code name. What the announcement did not come with were any details on the nature of the bug. That gave the security community three weeks to get worked up about whether this vulnerability was going to be big or a bust. Well, we now know the details and I'm guessing most people will consider Badlock a bust.

The vulnerability (MS16-047 / CVE-2016-0128) is a man in the middle (MITM) attack on specific RPC traffic. An attacker that's properly placed can listen in on RPC traffic and force a session to downgrade its authentication level. This allows a basic hijack of the session and a privilege escalation that could allow an attacker to full access to administrative tasks and the user database (SAM) on the remote server.

This is certainly is a concern and admins should patch their systems as early as possible. However I can't say that this vulnerability rises to any level that deserves the focus that a dedicated website and three weeks of buildup have given Badlock.

The very fact that it is a MITM attack limits the severity greatly. Any attack requires a pre-authenticated session. Also the vulnerability also doesn't affect all SMB traffic. It only affects those open, authenticated sessions using SMB to authenticate a system or to manage users or policies on a remote system (specifically the SAMR or LSAD remote protocols). Any effective attack requires the attacker to be in the right place at the right time.

As silly as they may seem to some in the industry, celebrity vulnerabilities can be very useful. It can be easier to communicate a vulnerability with a name rather than a number like a CVE designation. The prime example and the standard most celebrity vulnerabilities are put to is Heartbleed. Heartbleed was a critical vulnerability and the name, website and icon helped draw attention to it. It could be argued that more servers were patched in a quicker time because of the high profile brought by the name.

Since Heartbleed, however, the bulk of these celebrity vulnerabilities have been more or less non-issues. I'm not saying that these aren't vulnerabilities that could cause a breach or data loss. However the large portion of them stole the spotlight from much more critical vulnerabilities and that is a problem.

Even in this case of Badlock there are more critical vulnerabilities being patched today, but I've now spent most of my (and your) time on one rated Important. For instance there's a major critical vulnerability (CVE-2016-0158) in the new Microsoft Edge web browser that allows for Universal Cross-site scripting (UXSS). This means that any attacker can inject their own code into any website you might load. Banking sites, news sites, social networking… any site. That deserves the rating Critical and yet here we are talking about Badlock.

The other problem is that the type buildup we've seen with Badlock often forces sysadmin teams to waste valuable resources. These pre-releases force an "All Hands On Deck" situation in order to prepare for the worst-case scenario. While admin teams have been preparing to patch their servers for a major SMB vulnerability; while they have been auditing their firewall policies for SMB access, instead they should have been making sure that their clients running MS Edge are set to auto-update or that their client browsers aren't using Flash anymore. (as a side note, multiple critical bugs in Flash were also patched today)

I also don't think that celebrity vulnerabilities are necessarily the case of researchers cynically looking for the spotlight. Vulnerability research is hard. If you find a bug that could eventually let you download an entire SAM file? You'd probably pop the champagne too. And sometimes you might overestimate the impact of that bug and end up registering a domain name.

Researchers need to step back and look at their findings as sysadmins might, as an attacker might, because these celebrity vulnerabilities have become shiny objects drawing attention and resources away from more serious threats. The more and more of these non-critical celebrity vulnerabilities that come out and the less people will listen to them. There was once a fable about this sort of thing. You've probably heard it. Something about a shepherd boy looking for attention and crying wolf? If you think you've found THAT vulnerability, that new Heartbleed, please stop and think before you hit your domain registrar. You could be causing more harm than good.

Here's the full run down on today's bulletins.

MS16-037
CVE-2016-0154, CVE-2016-0159, CVE-2016-0160, CVE-2016-0162, CVE-2016-0164, CVE-2016-0166
Critical
Cumulative Security Update for Internet Explorer

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers

MS16-038
CVE-2016-0154, CVE-2016-0155, CVE-2016-0156, CVE-2016-0157, CVE-2016-0158, CVE-2016-0161
Critical
Cumulative Security Update for Microsoft Edge

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

MS16-039
CVE-2016-0143, CVE-2016-0145, CVE-2016-0165, CVE-2016-0167
Critical
Security Update for Microsoft Graphics Component

This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts.

This security update is rated Critical for:

  • All supported releases of Microsoft Windows
  • Affected versions of Microsoft .NET Framework on all supported releases of Microsoft Windows
  • Affected editions of Skype for Business 2016, Microsoft Lync 2013, and Microsoft Lync 2010

This security update is rated Important for all affected editions of Microsoft Office 2007 and Microsoft Office 2010.

MS16-040
CVE-2016-0147
Critical
Security Update for Microsoft XML Core Service

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user clicks a specially crafted link that could allow an attacker to run malicious code remotely to take control of the user's system. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.

This security update is rated Critical for Microsoft XML Core Services 3.0 on all supported releases of Microsoft Windows.

MS16-041
CVE-2016-0148
Important
Security Update for .NET Framework

This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application.

This security update is rated Important for Microsoft .NET Framework 4.6 and Microsoft .NET Framework 4.6.1 on affected releases of Microsoft Windows

MS16-042
CVE-2016-0122, CVE-2016-0127, CVE-2016-0136, CVE-2016-0139
Critical
Security Update for Microsoft Office

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

See full Microsoft bulletin for affected versions of Microsoft Office.

MS16-044
CVE-2016-0153
Important
Security Update for Windows OLE

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.

This security update is rated Important for all supported editions of Microsoft Windows, except for Windows 10.

MS16-045
CVE-2016-0088, CVE-2016-0089, CVE-2016-0090
Important
Security Update for Windows Hyper-V

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.

This security update is rated Important for all supported editions of Windows 8.1 for x64-based Systems, Windows Server 2012, Windows Server 2012 R2, and Windows 10 for x64-based Systems.

MS16-046
CVE-2016-0135
Important
Security Update for Secondary Logon

This security update resolves a vulnerability in Microsoft Windows. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator.

An elevation of privilege vulnerability exists in Microsoft Windows when the Windows Secondary Logon Service fails to properly manage requests in memory. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker must first log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Secondary Logon Service handles requests in memory.

This security update is rated Important for all supported editions of Windows 10

MS16-047
CVE-2016-0128
Important
Security Update for SAM and LSAD Remote Protocols

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege because of the way that the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols establish the Remote Procedure Call (RPC) channel. This is the root vulnerability behind the Badlock bug.

This security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows 10 version 1511

MS16-048
CVE-2016-0151
Important
Security Update for CSRSS

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker logs on to a target system and runs a specially crafted application. The vulnerability exists when the Client-Server Run-time Subsystem (CSRSS) fails to properly manage process tokens in memory. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows manages process tokens in memory.

This security update is rated Important for all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

MS16-049
CVE-2016-0150
Important
Security Update for HTTP.sys

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to a target system.

A denial of service vulnerability exists in the HTTP 2.0 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. The update addresses the vulnerability by modifying how the Windows HTTP protocol stack handles HTTP 2.0 requests. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate user rights.

This security update is rated Important for all supported editions of Microsoft Windows 10.

MS16-050
CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019
Critical
Security Update for Adobe Flash Player

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.