Microsoft released 13 security bulletins, 5 rated critical but 8 patching RCE bugs

For March 2016 Patch Tuesday, Microsoft released 13 security bulletins and rated five of those as critical.

Critical patches for RCE flaws

MS16-023 is the cumulative patch for IE to stop remote code execution flaws and correct 13 memory corruption vulnerabilities that have not been publicly disclosed.

MS16-024 is the monthly fix for Microsoft Edge; it patches 10 memory corruption flaws that could lead to remote code execution and one information disclosure bug – none of which have been publicly disclosed.

MS16-026 resolves two OpenType Font Parsing vulnerabilities that could allow remote code execution if not deployed.

MS16-027 addresses two Windows Media Parsing RCE bugs. Qualys CTO Wolfgang Kandek ranks this one in importance to patch after MS16-029 – the Microsoft-rated “important” fix for Office.

MS16-028 fixes two holes in Windows PDF Library that could lead to RCE if a user opens a maliciously crafted PDF file.

Important for RCE

MS16-025, as you might have noticed, is out of numerical order. It’s stuck in the middle of other critical updates and is also to patch a remote code execution flaw, but Microsoft in all its wisdom rates it only as important. If left unpatched, an attacker could exploit the way “Windows fails to properly validate input before loading certain libraries.”

MS16-029 may only be rated as important but it addresses multiple problems, including RCE, in Microsoft Office. There are two Office memory corruption vulnerabilities and one security feature bypass bug; the fixes correct how Office handles objects in memory and provides a validly signed library. If you have Office, disregard the lower ranking of important and jump on this one.

MS16-030 follows the trend above as rating RCE vulnerabilities as “important.” There are two Windows OLE memory RCE flaws listed that an attacker could exploit if Windows OLE fails to properly validate user input. User input, enough said, meaning unless you have 100% faith in end users then get this one done.

Important for EoP

MS16-031 finally steps out of the RCE vulnerability box by being the fix for elevation of privilege as “Windows fails to properly sanitize handles in memory.”

MS16-032 resolves a vulnerability in Windows that could allow EoP “if the Windows Secondary Logon Service fails to properly manage request handles in memory.”

MS16-033 addresses a hole in Windows that an attacker could exploit for EoP if the attacker had physical access to the machine and inserted a maliciously crafted USB. Microsoft said, “This security update resolves an elevation of privilege vulnerability in Microsoft Windows when the Windows USB Mass Storage Class driver fails to properly validate objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.”

MS16-034 is the security fix for Windows kernel-mode drivers; there are four Win32k EoP vulnerabilities.

Important for security feature bypass

MS16-035 addresses a security feature bypass bug in .NET Framework as a component “does not properly validate certain elements of a signed XML document.” Microsoft explained, “An attacker who successfully exploited the vulnerability could modify the contents of an XML file without invalidating the signature associated with the file. If a .NET application relies on the signature to be non-malicious, the behavior of the application could become unpredictable.”

As always, happy patching!