Bulletins Rated CriticalMicrosoft bulletins MS16-001 through MS16-0006 are rated as critical in this month's release.
MS16-001 and MS16-002 are this month's Internet Explorer and Edge security bulletin respectively. In total, four vulnerabilities were addressed and unlike in previous bulletins there are no vulnerabilities that IE and Edge have in common.
- MS16-001 is the IE bulletin for IE versions 7 through 11. Two vulnerabilities are addressed with those being CVE-2016-0002, a use-after-free flaw and CVE-2016-0005, a privilege escalation flaw. Note that CVE-2016-0002 is a VBScript engine vulnerability that is addressed in this bulletin for systems with IE 8 through 11 installed. Those who use IE7 and earlier or who do not have IE install will need to install MS16-003 to patch this vulnerability.
- MS16-002 is the Edge bulletin addressing two vulnerabilities as well. Both CVE-2016-0003 and CVE-2016-0024 are memory corruption vulnerabilities that could result remote code execution if exploited.
MS16-003 addresses CVE-2016-0002, a memory corruption flaw for JScript and VBScript. Note that this bulletins is geared toward users who use have IE7 installed or who do not have IE installed. Users and organizations who have IE 8 or later installed should install MS16-001 instead.
MS16-004 is this month's Office bulletin addressing vulnerabilities in Office 2007 through Office 2016. This month's bulletin fixes five vulnerabilities with two of them being memory corruption flaws (CVE-2016-0010, CVE-2016-0035) that manifest due to the improper handling of objects in memory. Another vulnerability addressed in this bulletin is an ASLR bypass vulnerability (CVE-2016-0012) that could allow an adversary to reliably predict the memory offsets of specific instructions. These three vulnerabilities could be exploited if the targeted user opens a specifically crafted document that exploits these flaws.
The final two vulnerabilities addressed in this bulletin are Sharepoint security features bypasses (CVE-2015-6117, CVE-2016-0011) that manifest as a failure in properly enforcing Access Control Policy (ACP) settings. Exploitation of these two flaws is achievable if an adversary were to add a script to a webpart on a Sharepoint site and then using that webpart in a cross-site scripting attack.
MS16-005 addresses two vulnerabilities in Windows Kernel Mode Drivers. CVE-2016-0008 is an ASLR bypass flaw that manifests in the graphics device interface while CVE-2016-0009 is an remote code execution vulnerability that manifests in Win32k.sys. Both vulnerabilities are due to improperly handling objects in memory. Exploitation of the ASLR bypass is possible if a user visits a specially crafted web page with IE, opens a specifically crafted email with Outlook, or navigates to a folder containing a specifically crafted file in File Explorer. Exploitation of the remote code execution vulnerability is achievable if a targeted user visits a malicious web page that is designed to exploit this vulnerability. Any arbitrary code that is run as a result of this exploit is executed within the context of the current user's privileges. Implementing proper access control could mitigate the impact of this vulnerability
MS16-006 addresses CVE-2016-0034, a remote code execution vulnerability in Silverlight. This vulnerability manifests as a result of decoding a string with a malicious decoder that can ultimately return incorrect offsets, allowing the overwrite of unsafe object headers in memory. Exploitation of this vulnerability is achievable through crafting a specifically written Silverlight application that could then be embedded on a web page. A user who visits this web page with the malicious Silverlight applet could then be compromised if running a vulnerable version of Silverlight. Silverlight versions prior to 5.1.41212.0 are identified as vulnerable.
Bulletins Rated ImportantMicrosoft bulletins MS16-007, MS16-008, and MS16-010 are rated as important in this month's release.
MS16-007 addresses six vulnerabilities in Windows Vista through Windows 10. Four of the vulnerabilities addressed are flaws that manifest due to improper validation of input before loading dynamic link library (DLL) files. As a result, privilege escalation (CVE-2016-0014, CVE-2016-0020) and remote code execution vulnerabilities (CVE-2016-0016, CVE-2016-0018) are present.
An arbitrary code execution vulnerability is also present in Microsoft DirectShow (CVE-2016-0015) due to incorrect validation of user input. Exploitation of this vulnerability is achievable if a targeted user opens a specifically crafted file designed to exploit this flaw.
The final vulnerability patched is a Remote Desktop Protocol security bypass in Windows 10 (CVE-2016-0019) that manifests when Windows fails to prevent remote logins to accounts without a password.
MS16-008 addresses two vulnerabilities in the Windows Kernel. Both vulnerabilities (CVE-2016-0006, CVE-2016-0007) are privilege escalation flaws that manifest when Windows incorrectly re-parses points set by a sandbox application. An authenticated attacker could exploit these vulnerabilities by running a specifically written application that is designed to exploit either of these two flaws.
MS16-010 addresses four vulnerabilities in Microsoft Exchange Server 2013 and 2016. All four vulnerabilities are Spoofing flaws that manifests when Outlook Web Access fails to properly handle web requests. As a result, an attacker who exploits these flaws could perform script or content injection attacks, attempt to fool the user into disclosing sensitive information, or redirect the user to a malicious website that could host other malicious content.
CoverageIn response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.
Snort SIDs: 37257-37284