For April 2016 Patch Tuesday, Microsoft released 13 security bulletins, with six being rated as critical for remote code execution flaws and the patch for Badlock being among those rated only as important.
Critical
MS16-037 is the cumulative fix for Internet Explorer. While most of the vulnerabilities being patched have not been publicly disclosed, the DLL loading RCE bug has been.
MS16-038 is the monthly cumulative security update for Microsoft’s Edge browser to stop attackers from achieving RCE when a user visits a specially crafted webpage via Edge. The patch modifies how Edge handles objects in memory, as well as ensures cross-domain policies are properly enforced.
MS16-039 patches vulnerabilities in Windows, Microsoft .NET framework, Microsoft Office, Skype for Business and Microsoft Lync. It is rated critical for all supported versions of Windows and corrects how the Windows font library handles embedded fonts. An attacker could trick or otherwise convince a user to visit a page or open a document with embedded fonts to exploit the graphics component hole.
Qualys CTO Wolfgang Kandek explained, “The two zero-days are contained with the Windows portion, and both allow for the escalation of privilege from a normal user to administrator. In real life, they will be paired with an exploit for a vulnerability that gets the attacker on the machine such as the Flash Player flaw from APSB16-10 that Microsoft addresses in MS16-050. In that type of scenario, your user would go to a normal website and get attacked with a Flash exploit that then escalates with the CVE-2016-0165/7 vulnerabilities from MS16-039. To defend against such attacks, patch as quickly as possible: both MS16-050 for Flash (APSB16-10 if you run Firefox) and MS16-039 are on the top of our priority list today.”
MS16-040 deals with Microsoft XML core services and resolves a hole in Windows that an attacker could exploit by convincing a user to visit a maliciously crafted link that gives the attacker the ability to run code remotely to take control of a user’s system.
MS16-042 fixes four vulnerabilities in Office; the most severe could allow RCE if an attacker got a user to open a maliciously crafted Office file. Kandek added that CVE-2016-0127 is a RCE flaw “in the RTF file format, which is visualized automatically in the Outlook preview pane and can give the attacker RCE with a simple e-mail.” In other words, patch ASAP.
MS16-050 is the security update to close holes in Adobe Flash Player.
Important
MS16-041 fixes a security problem in Microsoft’s .NET Framework, and the vulnerability has been publicly disclosed.
MS16-044 resolves a flaw in Windows that could allow RCE if Windows OLE failed to properly validate user input.
MS16-045 addresses vulnerabilities in Hyper-V by changing how Hyper-V validates guest operating system user input. The most severe flaw could allow RCE “if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code.” This patch applies only to people who have enabled Hyper-V.
MS16-046 patches an elevation of privilege vulnerability in Windows by fixing how Windows Secondary Logon Service handles requests in memory. The bug has been publicly disclosed, although Microsoft noted that it is not currently being exploited.
MS16-047 is the fix for the Badlock bug and is rated only as “important.” Microsoft said it resolves an EoP vulnerability in Windows Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols. “An attacker who successfully exploited this vulnerability could gain access to the SAM database. To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the SAM and LSAD channels, and then impersonate an authenticated user. The security update addresses the vulnerability by modifying how the SAM and LSAD remote protocols handle authentication levels.”
“As it turns out, Badlock was not directly part of an exploit in Server Message Block (SMB) as original anticipated, but rather part of Microsoft authentication framework, SAM and LSAD,” said Michael Gray, vice president of technology at Thrive Networks. “These authentication protocols are part of SMB, so this does still pertain to concerns regarding Windows file servers.”
Gray predicted, “There’s a good chance that Badlock will be used as a downstream vector. For instance, an attacker can own a workstation via public Wi-Fi and then wait until that device is in a corporate environment. Once it detects a file server, it could inject payload into the server via Badlock or simply use it to download corporate data. It’s likely that Badlock could circumvent antivirus until all vendors have caught up, assuming, of course, that a company’s antivirus is up to date and functional.”
MS16-048 patches a CSRSS security feature bypass bug in Windows and is rated important for all supported versions of Windows 8.1, Windows Server 2012 and 2012 R2, Windows RT 8.1 and Windows 10.
MS16-049 is the fix for HTTP.sys, as an attacker could launch denial of service by sending a specially crafted HTTP packet to a target system to cause it to become nonresponsive. The DoS vulnerability fix modifies how the Windows HTTP protocol stack handles HTTP 2.0 requests.
You might have noticed that Microsoft skipped MS16-043 for now.
That’s all for April, so happy patching!