Qualys Blog

www.qualys.com
wkandek

Patch Tuesday April 2016

It is time for Patch Tuesday April 2016, and we already have some insight into what is coming at us. Last week Adobe had to release its monthly Adobe Flash Player patch (APSB16-10) early to help its users defend against a 0-day that was being exploited in the wild, and a couple of weeks ago we heard of the “Badlock” vulnerability from the Samba development team; both Windows and Samba on Linux/Unix are affected.

But Badlock seems to be tamer than expected. It is addressed by Microsoft in MS16-047, a bulletin categorized as “important”. It is a Man-in-the-Middle type vulnerability and can be used to log in as another user for applications that use the SAMR or LSAD protocol; the SMB protocol itself is not affected. All versions of Windows are affected, from Vista to Server 2012 R2. We are not sure where to rank it, but it certainly does not have our top spot.

Beyond MS16-047, Microsoft came out with another 11 bulletins, bringing the total for the year to close to 50; note that MS16-043 is missing at this point in time. The release addresses 30 vulnerabilities in total and has two 0-days in the lineup. Bulletin MS16-039 contains fixes for a Windows graphics component and applies to all versions from Vista to Windows 10 and Server 2008 to 2012 R2. It also affects the older Office versions 2007 and 2010, plus .NET, Skype and Lync. The two 0-days are contained in the Windows portion, and both allow escalation of privilege from a normal user to administrator. In real life they will be paired with an exploit for a vulnerability that gets the attacker onto the machine, such as the Flash Player flaw from APSB16-10 that Microsoft addresses in MS16-050. In that type of scenario, your user would go to a normal website and get attacked with a Flash exploit that then escalates privileges with the CVE-2016-0165 and CVE-2016-0167 vulnerabilities from MS16-039. To defend against such attacks, patch as quickly as possible: both MS16-050 for Flash (APSB16-10 if you run Firefox) and MS16-039 are at the top of our priority list today.

Next on our list is MS16-042, which addresses four flaws in Microsoft Office. Microsoft rates this bulletin as critical, which only happens when the vulnerability can be attacked directly without user interaction. Indeed, CVE-2016-0127 is a Remote Code Execution (RCE) vulnerability in the RTF file format, which is rendered automatically in the Outlook preview pane and can give the attacker RCE with a simple e-mail. If you can afford it, harden your setup by outlawing RTF e-mails. You can turn them off with the Office File Block Policy, which works across Office 2007, 2010 and 2013.
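As an added example of the File Block mitigation described above (this is not code from the Qualys post or from Microsoft), the following PowerShell script audits the per-user Office File Block policy for RTF and, via a second function, sets it to block opening and saving RTF files in Word, which is also the engine Outlook uses to render RTF message bodies. The registry layout, the version identifiers (14.0 for Office 2010, 15.0 for Office 2013) and the value meanings used here are assumptions based on what the Office policy templates write; verify them against your own Group Policy templates before rolling this out.

```powershell
# Added example (not from the Qualys post): audit and, on request, enforce the
# Office File Block policy so that Word/Outlook refuses to open RTF files.
# Assumptions (labelled): the registry layout below is the one the Office 2010/2013
# policy templates write; 14.0 = Office 2010, 15.0 = Office 2013;
# RtfFiles 0 = do not block, 1 = save blocked, 2 = open and save blocked;
# OpenInProtectedView 0 = blocked files are not opened at all.

$OfficeVersions = @{ '14.0' = 'Office 2010'; '15.0' = 'Office 2013' }

function Get-RtfFileBlockState {
    # Emits one object per Office version with the current RTF block setting.
    foreach ($ver in $OfficeVersions.Keys) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\Word\Security\FileBlock"
        $value = $null
        if (Test-Path $key) {
            # RtfFiles is absent (null) when the policy has never been set
            $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RtfFiles
        }
        if ($value -eq 2)     { $state = 'open/save blocked' }
        elseif ($value -eq 1) { $state = 'save blocked only (open still allowed)' }
        else                  { $state = 'NOT blocked' }
        [pscustomobject]@{
            Version  = $OfficeVersions[$ver]
            Key      = $key
            RtfFiles = $value
            State    = $state
        }
    }
}

function Set-RtfFileBlock {
    # Blocks both opening and saving RTF in Word for every listed Office version,
    # and makes sure blocked files are not opened at all (not even in Protected View).
    foreach ($ver in $OfficeVersions.Keys) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\Word\Security\FileBlock"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name RtfFiles -PropertyType DWord -Value 2 -Force | Out-Null
        New-ItemProperty -Path $key -Name OpenInProtectedView -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Usage: report first; enforce only once you know the business can live without RTF.
Get-RtfFileBlockState | Format-Table -AutoSize
# Set-RtfFileBlock; Get-RtfFileBlockState | Format-Table -AutoSize
```

The script writes the per-user policy hive, which is what a Group Policy Object would populate; for a domain-wide rollout, set the equivalent File Block Settings in the Word Trust Center policy instead of scripting each machine, and use the audit function here to confirm the setting actually landed on the endpoints.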

Microsoft Internet Explorer and Edge are patched in the critical bulletins MS16-037 and MS16-038 respectively. Both have six vulnerabilities (the first time Edge has the same number as IE), and Edge actually has more serious problems than IE (also a first). None of the vulnerabilities are under attack currently, but since most exploits target the browser it makes sense to keep them as updated as possible. Do not forget that Microsoft only patches the newest browser for each operating system: that means IE11 for Windows 7 and later, IE9 for Vista, and IE10 for Windows Server 2012.

The last critical vulnerability is in the XML Core subsystem. We have not seen patches in that area for a good year. MS16-040 brings a new version of msxml.dll to address a single vulnerability, CVE-2016-0147. The attack vector is a website that serves malicious XML to the target machine.

The remaining vulnerabilities are ranked as non-critical, but can still have a significant impact and are interesting as well. Hyper-V, for example, is patched in MS16-045 for a guest-to-host escalation that could very well be critical in a hosting environment, where an attacker by design already has access to a guest system. Affected systems are Windows 8.1, Server 2012 and 2012 R2. MS16-041 addresses a single vulnerability in .NET, and MS16-049 a DoS vulnerability in the HTTP.sys driver on Windows 10 systems.

Adobe patched Flash last week out-of-band in APSB16-10, but today it released updates for RoboHelp in APSB16-12 and Creative Cloud Desktop in APSB16-11.

That’s it for April. A number of 0-days and immediately exploitable vulnerabilities make this month considerably more critical than last month. Expect exploitation of the Adobe Flash vulnerability to spread, and implement the currently available workarounds and mitigations wherever you cannot patch right away.

Let me know how you are deploying these patches. I am especially interested in your SLA and timing data.

One response to “Patch Tuesday April 2016”

  1. I am using SCCM 2012 R2 to deploy all patches. We also use an outside vendor, Shavlik, to get all of our non-MS patches and updates and then import them into SCCM for delivery. Makes life easier.

    Mark