March Patch Tuesday 2016 comes right after a busy week at the RSA USA 2016 conference, where we discussed security and privacy with our industry peers and customers. We participated in numerous discussions around encryption and its function in the protection of privacy and its impact on law enforcement. On Thursday we talked with Chairman McCaul of the committee for Homeland Security about these issues. He said that US Congress is aware of the problems and is working on legislation that would balance both privacy and access to data. On Tuesday we had a Q&A session with Rami Malek, who plays the cyber vigilante Elliot Alderson on the USA Network show Mr. Robot. Rami gave us insight on the amount of work that goes into the writing, acting and production to assure that the computer scenes are as realistic as possible. The huge turnout at this session confirmed how successful the producers have been with this strategy.
But back to our original subject: March Patch Tuesday 2016. Microsoft is releasing 13 bulletins, five of them rated critical.
This month the top spot in our ranking belongs to MS16-023 for Internet Explorer. It addresses 13 vulnerabilities, all of them rated critical. Exploitation of these critical vulnerabilities yields the most dangerous result: Remote Code Execution (RCE), which gives the attacker complete control over the target’s machine. These attacks against Internet Explorer would come from malicious websites, either set up specifically for that purpose or otherwise harmless sites used as carriers, with the exploits embedded so that they infect their habitual visitors.
If you are on Windows 10 and have opted for the Edge browser, MS16-024 occupies the top rank. Its 11 vulnerabilities in total, 10 of them critical, show that security researchers have been focusing their attention on Edge, which has slowly been closing the gap with Internet Explorer in terms of vulnerability counts: in December 2015 the tally was still 30 to 15, whereas now in March it is 13 to 11.
Next on our list is MS16-029, which contains a new version of Microsoft Word. Word is frequently used to carry exploits, both as online documents and as e-mail attachments. The vulnerabilities allow the attacker to get RCE on the target machine and should be addressed as quickly as possible.
The next group of vulnerabilities to fix are in MS16-027 in Windows Media Player, MS16-026 in OpenType fonts and MS16-028 in the new PDF Reader for Windows 8 and up. All of them are critical and can give an attacker RCE. They all stem from complex format parsing: in Windows Media Player it is the MPEG video format, in OpenType fonts a circular reference that abuses recursion, and in the PDF Reader a missing boundary check in the PostScript interpreter. The continuous stream of vulnerabilities in these areas shows just how complex the media formats are that we deal with every day.
The remaining bulletins all address vulnerabilities that are rated as “important”. They mostly come into play when an escalation of privilege is required, that is, after one of the critical vulnerabilities has been used to get into the target. You should address these vulnerabilities within the next 45 days to avoid this type of secondary use.
By the way, Microsoft was not alone in addressing PDF security issues: Adobe is also releasing a new version of Adobe Reader in APSB16-09, which fixes three critical security holes. If you use Adobe Reader or Acrobat, this should be high on your list. If you are keeping track of these things, APSB16-08 (APSB16-07 was for Adobe Connect last month) is missing from their lineup; we think it is a Flash update that is either delayed for further testing or held for a last-minute inclusion of a current vulnerability.
Apple has a first this month. The popular BitTorrent client “Transmission” was trojaned, with a version carrying ransomware offered for download. Fortunately it was only available for less than 12 hours, and Apple quickly revoked its signing certificate and updated the signatures in XProtect. Nevertheless, check for Transmission 2.90 in your network and isolate it if found.
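As an added example (not code from the original post), a small POSIX shell script that flags Transmission.app bundles reporting version 2.90 by reading the bundle’s Info.plist; it assumes the standard macOS .app layout and an XML-form plist so it also runs over a mounted or copied disk from a Linux host.

```shell
#!/bin/sh
# Added example, not part of the original post: flag Transmission.app bundles
# whose Info.plist reports version 2.90, the build the post says was trojaned.
# Assumptions: the standard macOS bundle layout (<App>.app/Contents/Info.plist)
# and an XML (not binary) Info.plist, so the check needs only POSIX tools and
# can also be used from a Linux host over a mounted or copied disk image.
# On macOS, convert a binary plist first with: plutil -convert xml1 Info.plist

BAD_VERSION="2.90"   # version named in the post

# Print the CFBundleShortVersionString value from an XML Info.plist.
plist_version() {
    # Join lines so the <key>/<string> pair can be matched in one expression.
    tr -d '\n\r' < "$1" \
      | sed -n 's/.*<key>CFBundleShortVersionString<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# Return 0 (and print the path) if "$1" is a Transmission.app bundle at BAD_VERSION.
check_bundle() {
    bundle="$1"
    case "$bundle" in
        */Transmission.app|Transmission.app) ;;
        *) return 1 ;;
    esac
    plist="$bundle/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    ver=$(plist_version "$plist")
    if [ "$ver" = "$BAD_VERSION" ]; then
        echo "FLAGGED: $bundle (Transmission $ver)"
        return 0
    fi
    return 1
}

# Check every *.app directly under the given roots (default /Applications).
# Returns 0 if at least one bundle was flagged, 1 otherwise.
scan_roots() {
    [ $# -eq 0 ] && set -- /Applications
    found=1
    for root in "$@"; do
        for app in "$root"/*.app; do
            [ -d "$app" ] || continue
            check_bundle "$app" && found=0
        done
    done
    return $found
}

# Usage on a host: scan_roots /Applications "$HOME/Applications"
```

A bundle whose version string is anything other than 2.90 is reported clean, so hosts that already updated are not flagged.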
That’s it for March: no zero-days or immediately exploitable vulnerabilities this month, but apply these patches as quickly as possible anyway. We have seen attackers convert vulnerabilities into exploits quickly, often in less than 10 days.
Check back often here as we will keep this post updated with new developments as they happen – particularly on Adobe Flash.