Update: Kaspersky, who is credited with finding the critical Silverlight vulnerability fixed by MS16-006, just published their story on how the bug was found. It is a very interesting read, involving the Hacking Team breach and coding "standards" – take a look at their blog post for more info. They also made clear that this vulnerability is under attack in the wild and that we are looking at a true 0-day here. This changes our priorities – we now put MS16-006 at the top of our list. Take a look at your installations, see if you have Silverlight installed and address the flaw as soon as possible.
Original: The first Patch Tuesday of 2016 turns out to be low in numbers but broad and packing quite a punch: six of the nine bulletins are rated critical, including the Windows Kernel and Office bulletins. In addition, some rather important products are going End-of-Life and get their last patch update today. Microsoft is retiring support for all older browsers on each platform and will from here on only maintain the newest browser available for each version of the OS:
- Internet Explorer 11 on Windows 7, 2008 R2, 8.1, 2012 R2, RT and Windows 10
  - IE8, 9 and 10 on these platforms get their last update today in MS16-001 and are then retired
- Internet Explorer 10 on Server 2012
- Internet Explorer 9 on Vista SP2 and Server 2008
  - IE7 and IE8 are retired
In essence, IE7 and IE8 are losing all support, whereas IE9 and IE10 are only maintained on some specific legacy platforms. This will make IE maintenance easier for Microsoft, but it will create more migration work for IT managers who have to bring their browser installations up to the latest level. In the mid-term this will create a better and more robust platform, but in the short term we are looking at some additional security exposure, as legacy browsers will no longer receive updates. Microsoft provides more information on their support page: https://support.microsoft.com/en-us/lifecycle#gp/Microsoft-Internet-Explorer
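The two inventory checks the post asks for, finding hosts that still run Silverlight (the update note at the top) and hosts whose Internet Explorer is older than the newest version supported on their OS (the list above), as an added PowerShell example that is not part of the original post. The registry keys, value names and the ProductName patterns it matches on are my assumptions about where these products record their versions, not something the post states; verify them on a reference machine before relying on the output.

```powershell
# Added example (not from the original post): report the installed IE version
# against the newest IE the post lists for this OS, and whether Silverlight is
# present, so hosts needing the IE migration or the MS16-006 patch stand out.
# Registry locations below are assumptions about where the products record
# their versions; confirm them in your environment.

function Get-IEVersion {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return $null }
    # Assumption: IE 10 and later keep the real version in svcVersion, older
    # builds only populate Version.
    if ($props.svcVersion) { return [version]$props.svcVersion }
    if ($props.Version)    { return [version]$props.Version }
    return $null
}

function Get-SilverlightVersion {
    # Assumption: 64-bit and 32-bit installs register under different keys.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Silverlight',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Silverlight'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.Version) { return [version]$props.Version }
    }
    return $null
}

function Get-SupportedIEMajor {
    param([string]$ProductName)
    # Newest supported IE per platform, taken from the post's list. The R2
    # patterns must come before their non-R2 counterparts; 'return' exits on
    # the first match. Platforms the post does not list yield $null (unknown).
    switch -Regex ($ProductName) {
        'Windows Server 2012 R2' { return 11 }
        'Windows Server 2012'    { return 10 }
        'Windows Server 2008 R2' { return 11 }
        'Windows Server 2008'    { return 9 }
        'Windows Vista'          { return 9 }
        'Windows RT'             { return 11 }
        'Windows (7|8\.1|10)'    { return 11 }
        default                  { return $null }
    }
}

function Get-BrowserPatchStatus {
    $os        = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ie        = Get-IEVersion
    $supported = Get-SupportedIEMajor -ProductName $os.ProductName
    $sl        = Get-SilverlightVersion

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OS                 = $os.ProductName
        IEVersion          = $ie
        NewestSupportedIE  = $supported
        # True only when both sides are known and IE is behind the newest
        # supported release; unknown platforms are left as $false for review.
        IELosesSupport     = [bool]($ie -and $supported -and $ie.Major -lt $supported)
        SilverlightVersion = $sl
        # MS16-006 applies wherever Silverlight is installed at all.
        NeedsMS16006Check  = [bool]$sl
    }
}

Get-BrowserPatchStatus | Format-List
```

Run it locally, or feed the function to Invoke-Command against a list of hosts and filter on IELosesSupport or NeedsMS16006Check to build the migration and patch worklists; the version comparison is deliberately a lower-than check, so a host already on the newest release reports no action.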
But back to today’s patches. MS16-005 is our top pick, at least if you run Vista, Windows 7 or Server 2008. On these systems CVE-2016-0009 results in Remote Code Execution (RCE), and the vulnerability has been publicly disclosed. On the newer operating systems, Windows 8 and Windows 10, the flaw is either not applicable or only rated important.
Our second priority is MS16-004. It addresses six vulnerabilities in Microsoft Office, all capable of giving the attacker Remote Code Execution (RCE) capabilities. Microsoft rates the bulletin as “critical”, which is unusual for an Office bulletin. CVE-2016-0010 is the vulnerability rated critical; it is present in all versions of Office from 2007 to 2016, including the Mac and RT versions.
Internet Explorer (MS16-001) and Microsoft Edge (MS16-002) come next. Both are rated critical, giving the attacker the chance to control the targeted machine by exploiting the browser through a malicious webpage. Each addresses only two vulnerabilities, which is quite unusual, at least in the Internet Explorer case, where we have become accustomed to over 20 vulnerabilities being addressed in the past.
MS16-006, the remaining critical bulletin, is for Silverlight and addresses one vulnerability.
MS16-010 is a server-side bulletin for Microsoft Exchange. It addresses four vulnerabilities in the Exchange Outlook Web Access (OWA) module, which could lead to information leakage and script execution when an e-mail is viewed.
MS16-009 was skipped by Microsoft; apparently this bulletin has been delayed for further testing.
Adobe & Oracle
Adobe also releases its updates on Patch Tuesday, and today it is releasing APSB16-02 for Adobe Reader. The update addresses critical vulnerabilities, but Adobe rates them all as “2” on its exploitability scale, i.e. patch within the next 30 days. Their most attacked piece of software, the Flash Player, does not get an update today – or rather, its January 2016 update was released early, in late December 2015. Take a look at APSB16-01 urgently if you haven’t yet: one of the vulnerabilities is under attack in the wild, which prompted Adobe to release this version out of band.
Oracle is scheduled to release their quarterly update this month, next week on Tuesday the 19th – stay tuned for new versions of Java, MySQL and their enterprise database.