Bulletins Rated Critical
Bulletins MS16-037 through MS16-040 and bulletins MS16-042, MS16-050 are rated as critical in this month's release.
MS16-037 is related to six vulnerabilities in Internet Explorer. The most severe vulnerabilities allow an attacker to craft a website that executes arbitrary code on the victim's device due to the memory corruption vulnerabilities in the browser. The attacker would be limited to executing code with same administrative rights as the current user, but with many users having full administrator rights, an attacker could use this to take full control of a device. To exploit the vulnerability the attacker must get the victim to view attacker controlled content. Previously, this has not proved a major limitation for attackers. Attackers have proved adept at sending spam messages, compromising legitimate websites and abusing web advertising networks to redirect users to malicious websites.
MS16-038 addresses five additional remote code execution vulnerabilities in Microsoft's Edge browser, and one vulnerability common to IE and Edge, which is also described in MS16-037. The most severe of these vulnerabilities also allow attacker to execute arbitrary code on a victim's device due to memory corruption vulnerabilities. Attackers could craft a malicious website to exploit the vulnerabilities on victim's devices as previously described.
MS16-039 addresses three important escalation of privilege vulnerabilities in the Windows Kernel mode driver, and the critical vulnerability, CVE-2016-0145 in the Windows font library which allows remote code execution. Vulnerabilities in embedded fonts have previously been found and patched, notably the remote code vulnerability of July 2015 disclosed in the out of band update MS15-078, and the font vulnerabilities addressed in MS13-053 and MS13-054 from July 2013. Exploits in embedded fonts are a particularly useful vector for attackers since they can be included in both malicious websites and Microsoft Office documents.
Further remote code execution vulnerabilities are addressed by MS16-040 and MS16-042. XML Core Services is vulnerable to specially crafted XML code being used to execute arbitrary code, as addressed in MS16-040. Microsoft Office is vulnerable to four separate remote code execution vulnerabilities addressed in MS16-042. The only of these rated as critical rather than important is CVE-2016-0127 which is exploitable via the Preview Pane.
MS16-050 is Microsoft's response to Adobe's Security Bulletin APSB16-10, and address ten different vulnerabilities in the Adobe Flash Player on multiple versions of Windows 8.1, Windows Server 2012 and Windows 10. One of these vulnerabilities is currently being exploited by the Magnitude Exploit Kit. Helpfully, the bulletin contains instructions for disabling Flash Player by modifying the registry, and through applying a Group Policy. Administrators may wish to carefully consider the risks and benefits of using these techniques to remove Flash Player from devices for which they are responsible.
Bulletins Rated Important
Microsoft bulletins MS16-041 and bulletins MS16-044 through to MS16-049 are rated as important.
MS16-041 addresses CVE-2016-0148 within Microsoft's .NET framework. On some Microsoft operating systems this vulnerability can be used for remote code execution, but only if the attacker already has access to the local system. In some environments the vulnerability can be used to conduct a denial of service attack, other Microsoft operating systems are unaffected by this vulnerability.
MS16-044 addresses CVE-2016-0153, a remote code execution vulnerability within Microsoft OLE. Windows 10 is unaffected by this vulnerability.
MS16-045 addresses three vulnerabilities in Hyper-V. CVE-2016-0088 allows a user on a guest operating system to execute arbitrary code on the Hyper-V host. Two further vulnerabilities allow users on guest operating systems to read memory information from the Hyper-V operating system.
MS16-046 addresses a vulnerability within Windows 10 that permits an authenticated user to escalate their privileges and execute arbitrary code as an administrator. MS16-048 addresses a further escalation of privilege vulnerability in the management of process tokens in memory of the Client-Server Run-time Subsystem which allows an authenticated user to bypass security features and execute code as an administrator.
MS16-047 addresses a potential exploit where an attacker could launch a man-in-the-middle attack to downgrade the authentication of the RPC channel in order to impersonate an authenticated user. By exploiting this vulnerability in the Security Account Manager and Local Security Authority Domain Policy remote protocols the attacker could then access the Security Account Manager database.
MS16-049 addresses a denial of service attack in the HTTP 2.0 protocol stack (HTTP.sys) of Windows 10. An attacker could create a specially crafted HTTP 2.0 request that would lead vulnerable systems to become unresponsive.
In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.
- Microsoft Related Ruled: 38458 - 38464, 38469 - 38470, 38473 - 38474, 38479 - 38484, 38489 - 38490, 38495 - 38496, 38503 - 38506
- Adobe Bulletin Related: 38401 - 38402, 38413 - 38416, 38425 - 38428