Microsoft Patch Tuesday, May 2016

May's Patch Tuesday is here and brings with it 16 Bulletins with 51 unique CVEs. The bulletins are neatly split right down the center with eight of them rated Critical and eight rated Important. Internet Explorer and Edge are back for their monthly showing but with only five vulnerabilities in IE and four in Edge (eight unique vulnerabilities all together) this is the lightest month for those products in well over a year. Hopefully this is a sign for the future months to come.

A full third of the vulnerabilities in May's release are patched in Adobe Flash. Since Flash is embedded in Microsoft's IE and Edge browsers, Microsoft started including Adobe patches as a part of their own patch cycle last month. These vulnerabilities in Flash are rated Critical and it's surely just a matter of time before they get imported into popular Exploit Kits. The final Critical bulletins are being patched in MS Office, various Windows components like Microsoft Graphics Component and one rather troubling critical RCE in Windows Shell.

One bulletin to look out for is MS16-065, an update for .NET Framework. Despite the rating as "Important" this vulnerability permits a man in the middle attack on SSL/TLS traffic that can allow for full decryption of an existing session.

MS16-051
CVE-2016-0187, CVE-2016-0188, CVE-2016-0189, CVE-2016-0192, CVE-2016-0194
Critical
Cumulative Security Update for Internet Explorer

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

MS16-052
CVE-2016-0186, CVE-2016-0191, CVE-2016-0192, CVE-2016-0193
Critical
Cumulative Security Update for Microsoft Edge

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

MS16-053
CVE-2016-0187, CVE-2016-0189
Critical
Security Update for JScript and VBScript

This security update resolves vulnerabilities in the JScript and VBScript scripting engines in Microsoft Windows. The vulnerabilities could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for affected versions of the JScript and VBScript scripting engines on supported releases of Windows Vista, and Moderate on Windows Server 2008 and Windows Server 2008 R2.

MS16-054
CVE-2016-0126, CVE-2016-0140, CVE-2016-0183, CVE-2016-0198
Critical
Security Update for Microsoft Office

This security update resolves vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

See full Microsoft bulletin for affected versions of Microsoft Office.

MS16-055
CVE-2016-0168, CVE-2016-0169, CVE-2016-0170, CVE-2016-0184, CVE-2016-0195
Critical
Security Update for Microsoft Graphics Component

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a specially crafted website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported releases of Microsoft Windows.

MS16-056
CVE-2016-0182
Critical
Security Update for Windows Journal

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported editions of Windows Vista, Windows 7, Windows 8.1, Windows RT 8.1, and Windows 10.

MS16-057
CVE-2016-0179
Critical
Security Update for Windows Shell

This security update resolves a vulnerability in Microsoft Windows. A remote code execution vulnerability exists when Windows Shell improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email or Instant Messenger message that takes them to the attacker's site. The security update fixes this vulnerability by correcting how Windows Shell handles objects in memory.

This security update is rated Critical for all supported releases of Microsoft Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10

MS16-058
CVE-2016-0152
Important
Security Update for Windows IIS

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application.

This security update is rated Important for all supported releases of Windows Vista and Windows Server 2008.

MS16-059
CVE-2016-0185
Important
Security Update for Windows Media Center

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Important for all supported editions of Windows Media Center when installed on Windows Vista, Windows 7, or Windows 8.1.

MS16-060
CVE-2016-0180
Important
Security Update for Windows Kernel

An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel parses symbolic links.

This security update is rated Important for all supported releases of Microsoft Windows.

MS16-061
CVE-2016-0178
Important
Security Update for Microsoft RPC

An elevation of privilege vulnerability exists in the way that Microsoft Windows handles specially crafted Remote Procedure Call (RPC) requests. A privilege elevation can occur when the RPC Network Data Representation (NDR) Engine improperly frees memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An unauthenticated attacker could exploit the vulnerability by making malformed RPC requests to an affected host. The update addresses this vulnerability by modifying the way that Microsoft Windows handles RPC messages.

This security update is rated Important for all supported releases of Microsoft Windows.

MS16-062
CVE-2016-0171, CVE-2016-0173, CVE-2016-0174, CVE-2016-0175, CVE-2016-0176, CVE-2016-0196, CVE-2016-0197
Important
Security Update for Windows Kernel-Mode Drivers

This security update resolves multiple vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

This security update is rated Important for all supported releases of Windows.

MS16-064
CVE-2016-1096, CVE-2016-1097, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1101, CVE-2016-1102, CVE-2016-1103, CVE-2016-1104, CVE-2016-1105, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4116
Critical
Security Update for Adobe Flash Player

This security update resolves multiple vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.

The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

MS16-065
CVE-2016-0149
Important
Security Update for .NET Framework

This security update resolves a vulnerability in Microsoft .NET Framework. An information disclosure vulnerability exists in the TLS/SSL protocol, implemented in the encryption component of Microsoft .NET Framework. An attacker who successfully exploited this vulnerability could decrypt encrypted SSL/TLS traffic.

To exploit the vulnerability, an attacker would first have to inject unencrypted data in the secure channel and then perform a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server. The update addresses the vulnerability by modifying the way that the .NET encryption component sends and receives encrypted network packets. Microsoft recommends that customers download and test the applicable update in controlled/managed environments before deploying it in their production environments.

This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, and Microsoft .NET Framework 4.6.1 on affected releases of Microsoft Windows.

MS16-066
CVE-2016-0181
Important
Security Update for Virtual Secure Mode

This security update resolves a vulnerability in Microsoft Windows. A security feature bypass vulnerability exists when Windows incorrectly allows certain kernel-mode pages to be marked as Read, Write, Execute (RWX) even with Hypervisor Code Integrity (HVCI) enabled.

To exploit this vulnerability, an attacker could run a specially crafted application to bypass code integrity protections in Windows. The security update update addresses the vulnerability by correcting the security feature's behavior to preclude incorrect marking of RWX pages under HVCI.

This security update is rated Important for all supported editions of Microsoft Windows 10.

MS16-067
CVE-2016-0190
Important
Security Update for USB Driver

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user. An attacker who successfully exploited this vulnerability could obtain access to file and directory information on the mounting user's USB disk. This update addresses the vulnerability by ensuring that access to USB disks over RDP is correctly enforced to prevent non-mounting session access.

This security update is rated Important for all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows RT 8.1.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.