Microsoft Patch Tuesday, March 2016

Today is March's Patch Tuesday with 13 bulletins and 39 unique CVEs, which is about the same level of release as we received in February. This includes five bulletins rated Critical and the remaining eight rated Important. As always, both Internet Explorer and Edge make a showing on the critical list. Malicious fonts are back with a remote code execution vulnerability. Windows PDF library and Windows Media player also patch critical remote code execution vulnerabilities this month.

Among the bulletins rated Important, half are privilege escalation vulnerabilities. This includes common vectors like in the Windows Kernel-Mode Drivers and the Windows Logon service. A slightly more interesting escalation vulnerability resides in a Windows USB driver. An attacker could gain root access to a Windows system by simply inserting a malicious USB device. If easily exploitable, expect to see this become a common tool in every pentester's toolkit.

MS16-023
CVE-2016-0102, CVE-2016-0103, CVE-2016-0104, CVE-2016-0105, CVE-2016-0106, CVE-2016-0107, CVE-2016-0108, CVE-2016-0109, CVE-2016-0110, CVE-2016-0111, CVE-2016-0112, CVE-2016-0113, CVE-2016-0114
Critical
Cumulative Security Update for Internet Explorer

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

MS16-024
CVE-2016-0102, CVE-2016-0105, CVE-2016-0109, CVE-2016-0110, CVE-2016-0111, CVE-2016-0116, CVE-2016-0123, CVE-2016-0124, CVE-2016-0125, CVE-2016-0129, CVE-2016-0130
Critical
Cumulative Security Update for Microsoft Edge

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

MS16-025
CVE-2016-0100
Important
Security Update for Windows Library Loading to Address Remote Code Execution

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Microsoft Windows fails to properly validate input before loading certain libraries. However, an attacker must first gain access to the local system with the ability to execute a malicious application.

This security update is rated Important for Windows Vista and Windows Server 2008

MS16-026
CVE-2016-0120, CVE-2016-0121
Critical
Security Update for Graphic Fonts to Address Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker either convinces a user to open a specially crafted document, or to visit a webpage that contains specially crafted embedded OpenType fonts.

This security update is rated Critical for all supported editions of Windows.

MS16-027
CVE-2016-0098, CVE-2016-0101
Critical
Security Update for Windows Media Player to address Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens specially crafted media content that is hosted on a website. To exploit the vulnerabilities, an attacker could host media content on a website or send an attachment in an email and then convince a user to open it. An attacker who successfully exploited the vulnerabilities could take control of an affected system remotely. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

MS16-028
CVE-2016-0117, CVE-2016-0118
Critical
Security Update for Microsoft Windows PDF Library to Address Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted .pdf file.

An attacker who successfully exploited these vulnerabilities could cause arbitrary code to execute in the context of the current user. If a user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows 10.

MS16-029
CVE-2016-0021, CVE-2016-0057, CVE-2016-0134
Important
Security Update for Microsoft Office to Address Remote Code Execution

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

See full Microsoft bulletin for affected versions of Microsoft Office.

MS16-030
CVE-2016-0091, CVE-2016-0092
Important
Security Update for Windows OLE to Address Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if Windows OLE fails to properly validate user input. An attacker could exploit the vulnerabilities to execute malicious code. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.

This security update is rated Important for all supported editions of Windows.

MS16-031
CVE-2016-0087
Important
Security Update for Microsoft Windows to Address Elevation of Privilege

This security update resolves a vulnerability in Microsoft Windows. An elevation of privilege vulnerability exists when Microsoft Windows fails to properly validate and enforce impersonation levels. An attacker who successfully exploited this vulnerability could bypass impersonation-level security checks and gain elevated privileges on a targeted system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to increase privileges. The update addresses the vulnerability by correcting how Windows validates impersonation events.

This security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2

MS16-032
CVE-2016-0099
Important
Security Update to Secondary Logon to Address Elevation of Privilege

An elevation of privilege vulnerability exists in Microsoft Windows if the Windows Secondary Logon Service fails to properly manage request handles in memory. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows manages request handles in memory.

This security update is rated Important for all supported editions of Windows.

MS16-033
CVE-2016-0133
Important
Security Update for Windows USB Mass Storage Class Driver to Address Elevation of Privilege

This security update resolves an elevation of privilege vulnerability in Microsoft Windows when the Windows USB Mass Storage Class driver fails to properly validate objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to have physical access to the system. An attacker could then insert a specially crafted USB device that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows USB Mass Storage Class driver handles objects in memory.

This security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

MS16-034
CVE-2016-0093, CVE-2016-0094, CVE-2016-0095, CVE-2016-0096
Important
Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege

Multiple Win32k elevation of privilege vulnerabilities exist when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit these vulnerabilities, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerabilities and take control of an affected system. The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.

This security update is rated Important for all supported editions of Microsoft Windows.

MS16-035
CVE-2016-0132
Important
Security Update for .NET Framework to Address Security Feature Bypass

A security feature bypass vulnerability exists in a .NET Framework component that does not properly validate certain elements of a signed XML document. An attacker who successfully exploited the vulnerability could modify the contents of an XML file without invalidating the signature associated with the file. If a .NET application relies on the signature to be non-malicious, the behavior of the application could become unpredictable. In custom applications, the security impact depends on the specific usage scenario.

In a .NET application attack scenario, an attacker could modify the contents of an XML file without invalidating the signature associated with the file. The update addresses the vulnerability by correcting how the .NET Framework validates XML documents.

This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, and Microsoft .NET Framework 4.6.1 on affected releases of Microsoft Windows.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.