Qualys Blog

www.qualys.com
wkandek

Update: Patch Tuesday May 2016

Update: Adobe released the patch for Adobe Flash that addresses the current 0-day CVE-2016-4117 in APSB16-15. It also patches another 24 vulnerabilities that are mostly rated critical. Patch as quickly as possible. Chrome and Internet Explorer 11/Edge users will get their patches from Google and Microsoft automatically.

Original: Today is the second Tuesday of the month, when both Microsoft and Adobe publish the security updates to their products – the so-called Patch Tuesday.

But before we get into the details of their updates for the month (17 in all) let’s reiterate the urgency of another vulnerability that might have slipped by you. The popular open source program ImageMagick is currently under active attack on the Internet. Vulnerability CVE-2016-3714 (called ImageTragick in the associated vulnerability branding campaign) allows for remote code execution (RCE) through image uploads. At the moment no patch is available, but a workaround has been published that neutralizes current attacks. We recommend the same thing the attackers are doing: scan your infrastructure for occurrences of ImageMagick and then apply the workaround in the policy.xml file. I did this immediately on my sites, even though I use ImageMagick only in command-line mode for thumbnail creation. BTW, the workaround has become more complete over the last 2 weeks, so it is worth taking another look even if you have applied it already…
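A check for the policy.xml workaround described above, as an added example that is not part of the original post: it parses a policy file and lists which coders are still not denied. The coder names are an assumption taken from the publicly posted ImageTragick workaround, not from this page, so verify them against the current advisory.

```python
import fnmatch
import sys
import xml.etree.ElementTree as ET

# Assumption: coder names from the public ImageTragick workaround, not from this page.
REQUIRED_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                   "TEXT", "SHOW", "WIN", "PLT")

# Constructed sample: an early form of the workaround with one rule commented out.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <!-- <policy domain="coder" rights="none" pattern="TEXT" /> -->
</policymap>"""


def unblocked_coders(policy_xml, required=REQUIRED_CODERS):
    """Return the required coders that policy_xml does not deny."""
    rules = []
    # The parser drops XML comments, so commented-out rules are not counted.
    for node in ET.fromstring(policy_xml).iter("policy"):
        if node.get("domain", "").lower() == "coder":
            rules.append((node.get("pattern", "").upper(),
                          node.get("rights", "").strip().lower()))
    exposed = []
    for coder in required:
        rights = [r for pattern, r in rules if fnmatch.fnmatchcase(coder, pattern)]
        # Conservative: blocked only if some rule matches and every match is "none".
        if not rights or any(r != "none" for r in rights):
            exposed.append(coder)
    return exposed


if __name__ == "__main__":
    # Usage: pass one or more policy.xml paths; with no arguments the sample is checked.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, unblocked_coders(fh.read()) or "all required coders denied")
    else:
        print("sample:", unblocked_coders(SAMPLE_POLICY))
```

Run it against every policy.xml found during the infrastructure scan; an empty result means all listed coders are denied in that file.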

Back to the Microsoft and Adobe updates, which both include fixes for vulnerabilities currently under active attack and supply a total of 17 bulletins addressing over 100 software flaws.

At the top of our list is the update for Internet Explorer (MS16-051) that addresses a critical RCE-type vulnerability, CVE-2016-0189, that is currently under attack. The vulnerability is in the JavaScript engine, and in Vista and Windows 2008 the engine is packaged separately from the browser, so if you run these variants of Windows (only 2% still run on Vista) you need to install MS16-053.

Next we have APSA16-02, a 0-day advisory for Adobe Flash. While there is no patch available yet, it is important to monitor the situation. Adobe is expecting to release a new version of Flash later this week. The vulnerability in question is tagged as CVE-2016-4117, and it is currently under attack in the wild.

We suggest that you deal with these three vulnerabilities first, before you address the other issues. In the remaining bulletins, you should focus on:

  • MS16-054 for Office, which addresses two critical vulnerabilities in the RTF file format that can be triggered through the Outlook preview pane without your users actually clicking on the malicious file. I recommend using “File Block” to eliminate RTF from the file formats that you accept; that way you gain some additional robustness and time to address this problem completely.
  • MS16-052 for Microsoft Edge browser under Windows 10. It addresses four critical vulnerabilities, only slightly fewer than for the older Internet Explorer in MS16-051, but none are under direct attack.
  • MS16-055, a patch for the Windows graphical subsystem. Given that it is a GDI vulnerability, attack vectors can be both web- and document-based. Affected versions of Windows are Vista to Windows 10.
  • MS16-057 for the Windows Shell. It fixes a critical vulnerability in the Windows core UI that could allow an attacker to gain RCE on the system.
  • MS16-062 for the Windows Kernel drivers. All vulnerabilities here are local, but they are of the type that attackers use to increase their privileges once they have managed to get on the system.
  • MS16-056 and MS16-059 for Windows Journal and Windows Media Center address file format vulnerabilities in these applications. If you run them, take a look, as vulnerabilities have been quite frequent and it is only a matter of time before attackers notice these new attack possibilities. Due to its similarity to MS15-134 (supported in Metasploit) I expect MS16-059 to be featured in exploit toolkits very soon.
  • MS16-058 for IIS. If you run IIS as a webserver, this one is worth looking at to see if attackers have the potential to get the required privileges for your system.
  • APSB16-14 for Adobe Reader, which is their bi-monthly update and addresses 92 separate CVEs.

That’s it for May, where the 0-days addressed and their potential breadth make this one of the more intense Patch Tuesdays in a while. Make sure you continue to monitor what is going on. If you have not seen it yet, take a look at our new ThreatPROTECT module, where we provide additional information on these types of vulnerabilities and help you to focus immediately on the affected machines.

Let me know how you are deploying these patches and whether ThreatPROTECT is helping you.
