Microsoft’s May 2016 patches fix a boatload of vulnerabilities, including a zero-day

Hello, zero-days. And yes, you should be busy patching them, but Adobe isn’t releasing one of the zero-day fixes for Flash Player until tomorrow (May 12)—even though it is currently being used in real-world attacks.

Microsoft released 16 security bulletins, eight of which are rated critical for remote code execution (RCE) and includes a fix for zero-day.

Put another way by Bobby Kuzma, CISSP, systems engineer at Core Security: “Another fun and delightful Patch Tuesday, with a number of vulnerabilities with exploits in the wild!”

8 patches rated critical

MS16-051, the cumulative monthly security patch for Internet Explorer, fixes a boatload of remote code execution vulnerabilities, including a zero-day that was exploited for targeted attacks on South Korean websites. Symantec, which reported on the IE zero-day, said users should implement the patch ASAP. It’s only a matter of time before cyber thugs start exploiting it elsewhere.

MS16-053 is the big fix for JScript and VBScript. Qualys CTO Wolfgang Kandek explained that “MS16-051 addresses a critical RCE-type vulnerability CVE-2016-0189 that is currently under attack. The vulnerability is in the JavaScript engine and in Vista and Windows 2008 the engine is packaged separately from the browser, so if you run these variants of Windows (only 2 percent still run on Vista) you need to install MS16-053.”

As it did for MS16-051, Microsoft also noted for MS16-053, “An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

MS16-052 is the monthly security fix for Microsoft’s Edge browser to resolve several RCE vulnerabilities.

Got Office? Then get MS16-054. Michael Gray, vice president of technology at Thrive Networks, said, “This Office patch allows arbitrary code execution and is critical. It affects all versions (2007-2016) of Office, but the interesting note is that it also impacts the new Office for Mac version. Office for Mac used to be a mangled version of everyone’s favorite suite, but with the growth of Office365, Office for Mac has had much more adoption. With that adoption, businesses will need to ensure that the Mac Office receives all updates as well.”

MS16-055 includes numerous fixes for Microsoft Graphic Component, including a flaw that could allow RCE. Microsoft advises people not to configure accounts with administrative user rights unless absolutely necessary, as accounts “configured to have fewer rights on the system could be less impacted.” The same warning was issued for MS16-052, MS16-054, MS16-056, MS16-057, MS16-058 and MS16-059.

MS16-056 patches an RCE vulnerability in Windows Journal.

MS16-057 is a security update for Windows Shell. Kuzma said, “MS16-057 piques my interest. It’s a memory handling vulnerability impacting the Windows Shell, which we haven’t seen for a while. It looks like it was introduced in Windows 8, which is a relief, as XP is no longer receiving updates and Vista is fast approaching obsolescence.”

As has become a monthly practice, Microsoft has a security update for Adobe Flash Player. Chris Goettl, product manager at Shavlik, said MS16-064 is a bulletin to update “Adobe Flash Player plug-in support for Windows and Internet Explorer;” it includes “details of APSB16-15, including 24 CVEs that will be included in the update.” Goettl asked, “So, the question is, why did Adobe not release the update? Will Microsoft end up pulling the bundled version in MS16-064 when the Adobe bulletin releases next week?”

8 patches rated important

Although MS16-058 for IIS is only rated as important, Kuzma said it “is concerning, despite only impacting Vista and Server 2008 IIS installations. It allows remote code execution in the context of the IIS user, which may be problematic in certain application scenarios where least privilege is not observed.”

MS16-059 is another “important-rated” patch, this time for Windows Media Center, even though an attacker could gain RCE on a system.

MS16-060 is a fix for an elevation of privilege vulnerability in Windows Kernel that exists “when the Windows kernel fails to properly handle parsing of certain symbolic links.”

MS16-061 also closes an elevation of privilege (EoP) hole in Windows and is rated as important for all supported versions of the operating system. Microsoft wrote, “The vulnerability could allow elevation of privilege if an unauthenticated attacker makes malformed Remote Procedure Call (RPC) requests to an affected host.”

MS16-062 patches numerous EoP and information disclosure holes in Windows Kernel-mode drivers.

MS16-065 closes a hole in Microsoft .NET Framework that “could cause information disclosure if an attacker injects unencrypted data into the target secure channel and then performs a man-in-the-middle attack between the targeted client and a legitimate server.”

Put another way by Shavlik’s Goettl:

It is recommended to add this update to the two-week rollout list this month. A public disclosure means an attacker has additional knowledge, making CVE-2016-0149 more likely to be exploited. The vulnerability is an information disclosure in TLS/SSL that could enable an attacker to decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle attack between the targeted client and a legitimate server. On network this may be harder to achieve, but users who leave the network could be at higher risk of exposure to a scenario where this type of attack is possible. Keep in mind Microsoft recommends thorough testing before rolling out to production environments.

MS16-066 is for Windows Virtual Secure Mode and addresses a security feature bypass vulnerability.

MS16-067 is a security update for an information disclosure flaw in Volume Manager Driver. Microsoft noted, “The vulnerability could allow information disclosure if a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user.”

Much like MS16-043 was skipped in April, Microsoft skipped MS16-063 in May.

Adobe is supposed to issue the fix for the newest zero-day tomorrow, but it did release security updates for Adobe Acrobat and Reader, as well security hotfixes for ColdFusion.

As Kandek wrote, “That’s it for May, where the zerp-days addressed and their potential breadth make this one of more intense Patch Tuesdays in a while.”

Happy patching!