Microsoft Patch Tuesday, January 2016

It's a new year and with it comes a fresh batch of CVEs. As expected, this January's Patch Tuesday is the lightest month since last January, with only 9 bulletins covering 18 unique CVEs. Several of the CVEs are shared between bulletins. Six of the bulletins are rated Critical and the other three are rated Important. The Internet Explorer and Microsoft Edge web browsers show up with two CVEs each, but only three of them are unique. CVE-2016-0002, a vulnerability in the VBScript scripting engine, is shared between Edge and IE and appears in its own bulletin, MS16-003. The other Critical bulletins cover Microsoft Office, Silverlight and a remote code execution vulnerability in the Windows Kernel Mode Driver. Specifically, the vulnerability rests in the Graphics Device Interface and could be exploited when a user browses to a malicious website. Even though it's a light month, administrators should make sure that these updates are applied. Given that all of the critical vulnerabilities are in client software, this is a dangerous month for your average user.

Today also marks the End of Support for all Internet Explorer versions except the most current, Internet Explorer 11. If you are still using older versions of Internet Explorer, this is the time to upgrade.

MS16-001
CVE-2016-0002, CVE-2016-0005
Critical
Cumulative Security Update for Internet Explorer

This security update resolves vulnerabilities in Internet Explorer. The more severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 7 (IE 7) through Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7) through Internet Explorer 11 (IE 11) on affected Windows servers.

MS16-002
CVE-2016-0003, CVE-2016-0024
Critical
Cumulative Security Update for Microsoft Edge

This security update resolves vulnerabilities in Microsoft Edge. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

MS16-003
CVE-2016-0002
Critical
Cumulative Security Update for JScript and VBScript to Address Remote Code Execution

This security update resolves a vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for affected versions of the VBScript scripting engine on supported editions of Windows Vista, Windows Server 2008, and Server Core installations of Windows Server 2008 R2.

MS16-004
CVE-2015-6117, CVE-2016-0010, CVE-2016-0011, CVE-2016-0012, CVE-2016-0035
Critical
Security Update for Microsoft Office to Address Remote Code Execution

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

See the full Microsoft bulletin for affected versions of Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016.

MS16-005
CVE-2016-0008, CVE-2016-0009
Critical
Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if a user visits a malicious website.

This security update is rated Critical for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2; it is rated Important for all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows 10 Version 1511.

MS16-006
CVE-2016-0034
Critical
Security Update for Silverlight to Address Remote Code Execution

This security update resolves a vulnerability in Microsoft Silverlight. The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application. An attacker would have no way to force users to visit a compromised website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email or instant message that takes users to the attacker's website.

This security update is rated Critical for Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac or all supported releases of Microsoft Windows.

MS16-007
CVE-2016-0014, CVE-2016-0015, CVE-2016-0016, CVE-2016-0018, CVE-2016-0019, CVE-2016-0020
Important
Security Update for Microsoft Windows to Address Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker is able to log on to a target system and run a specially crafted application.

This security update is rated Important for all supported releases of Microsoft Windows.

MS16-008
CVE-2016-0006, CVE-2016-0007
Important
Security Update for Kernel to Address Elevation of Privilege

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

This security update is rated Important for all supported releases of Microsoft Windows.

MS16-010
CVE-2016-0029, CVE-2016-0030, CVE-2016-0031, CVE-2016-0032
Important
Security Update for Exchange Server to Address Spoofing

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow spoofing if Outlook Web Access (OWA) fails to properly handle web requests, and sanitize user input and email content.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016.
