This post is authored by Holger Unterbrink.
Patch Tuesday for May 2016 has arrived where Microsoft releases their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release contains 16 bulletins addressing 33 vulnerabilities. Eight bulletins are rated critical, addressing vulnerabilities in Edge, Internet Explorer, Office, Graphic Components, VBScript, and Windows Shell. The remaining bulletins are rated important and address vulnerabilities in Internet Explorer, Office, Windows Kernel, IIS, Media Center, Hyper-V, .NET, and several other Windows components.
Bulletins Rated Critical
Vulnerabilities in Microsoft bulletins MS16-051 through MS16-057 and MS16-064 are rated as critical in this month's release.
MS16-051and MS16-052 are this month's Internet Explorer and Edge security bulletins respectively. One vulnerability is shared between IE and Edge, meaning that both Edge and IE are affected. The IE security bulletin addresses three memory corruption vulnerabilities marked as critical, one information disclosure vulnerability and one security feature bypass marked as important. The Edge one has four memory corruption vulnerabilities all marked as critical. For both Edge and IE, some vulnerabilities are potential remote code execution vulnerabilities. For Internet Explorer these critical vulnerabilities are: CVE-2016-0187, CVE-2016-0189 and CVE-2016-0192. For Microsoft Edge: CVE-2016-0186 , CVE-2016-0191 to 0193. IE CVEs flagged as important are CVE-2016-0188 and CVE-2016-0194.
MS16-053 resolves two critical vulnerabilities (CVE-2016-0187 and CVE-2016-0189) in the VBScript engine (for systems running IE7 or not running IE). Multiple remote code execution vulnerabilities exist due to the way that the engine handles objects in memory. An attacker could build a malicious website that, if a user navigates to, could exploit the vulnerability and achieve code execution in the context of the current user. Another possible attack vector would be Microsoft Office documents with an embedded malicious ActiveX control. Microsoft does suggest two workarounds for situations where the security update can not be applied. For more information, please refer to the Microsoft security bulletin.
MS16-054 addresses four vulnerabilities in multiple versions of Microsoft Office. Three memory corruption vulnerabilities and one remote code execution vulnerability were addressed in Microsoft Office. An attacker successfully exploiting the memory corruption vulnerabilities could run arbitrary code in the context of the current user. The remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. This update also includes additional security-related changes. For more information, please refer to the security bulletin. The vulnerability details can be found in CVE-2016-0126, CVE-2016-0140, CVE-2016-0183 and CVE-2016-0198. CVE-2016-0183 and CVE-2016-0198 are marked as critical, the others are tagged as important.
MS16-055 is related to vulnerabilities found in the Graphics Components of Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a specially crafted website. The bulletin includes three remote code execution (RCE) vulnerabilities marked as critical. The RCE vulnerabilities are described in CVE-2016-0170, CVE-2016-0184 and CVE-2016-0195. CVE-2016-0184 is a use-after-free bug in the Direct3D component and is particularly importantsince it is already being exploited in the wild. The bulletin also includes two as important classified information disclosure vulnerabilities, described in CVE-2016-0168 and CVE-2016-0169.
MS16-056 addresses a critical memory corruption remote code execution vulnerability (CVE-2016-0182) in the Windows Journal file parser. An attacker who creates a specially crafted Journal file to exploit this vulnerability could cause arbitrary code to execute in the context of the current user. Microsoft provides workarounds in case the security update can not be applied. For more information, please refer to the security bulletin.
MS16-057 addresses a remote code execution vulnerability (CVE-2016-0179) in the Microsoft Windows Shell. An attacker who successfully exploits this vulnerability could execute arbitrary code and take control of the affected system. This vulnerability could be leverage by attackers who build a malicious website to compromise users. Multiple Windows operating systems are affected by this vulnerability, including Windows 8.1 and Windows 10, and affect both 32-bit and 64-bit architectures.
MS16-064 is the Adobe Flash Player security bulletin for Windows and is designed to address security defects in Flash Player. Additional details covering the vulnerabilities addressed can be found in the Adobe security bulletin,APSB16-15, posted on the Adobe Product Security portal.
Bulletins Rated Important
Microsoft bulletins MS16-051, MS16-054 and MS16-058 through MS16-063 are rated as important in this month's release.
MS16-058 addresses CVE-2016-0152, a remote code execution vulnerability in Microsoft Internet Information Server (IIS). To exploit the vulnerability, an attacker must first gain access to the local system and has the ability to execute a malicious application. The vulnerability exists in how Windows validates input when loading certain libraries.
MS16-059 addresses CVE-2016-0185, a remote code execution vulnerability in Microsoft Media Center. A vulnerability exists in Windows Media Center that could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code.
MS16-060 and MS16-062 address several elevation-of-privilege vulnerabilities in the Windows Kernel and its drivers. The related CVE for details are CVE-2016-0180, CVE-2016-0171, CVE-2016-0173, CVE-2016-0174 and CVE-2016-0176, CVE-2016-0196, and CVE-2016-0197. In case of the more severe ones, an attacker who successfully exploited the vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. MS16-062 also includes CVE-2016-0175 which is an information disclosure leak. This allows an attacker to retrieve sensitive information which could be potentially used by him or her to bypass security features like the Kernel Address Space Layout Randomization (KASLR) feature. MS16-060 and MS16-062 affect most windows operating systems up to Windows 10 x64.
MS16-061 handles a RPC Network Data Representation Engine elevation-of-privilege vulnerability. The vulnerability exists in the way that Microsoft Windows handles specially crafted Remote Procedure Call (RPC) requests. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of an affected system. The corresponding CVE is CVE-2016-0178. MS16-061 affects most windows operating systems up to Windows 10 x64.
MS16-065 is also an information disclosure vulnerability (CVE-2016-0149), but in Microsoft's .NET Framework. The information disclosure vulnerability exists in the TLS/SSL protocol, implemented in the encryption component of Microsoft .NET Framework. An attacker who successfully exploits this vulnerability could decrypt encrypted SSL/TLS traffic.
MS16-066 describes a security feature bypass vulnerability (CVE-2016-0181) in the Virtual Secure Mode in Microsoft's hypervisor code integrity security feature which is part of MS Windows Device Guard technology. The vulnerability occurs when Windows incorrectly allows certain kernel-mode pages to be marked as Read, Write, Execute (RWX) even with Hypervisor Code Integrity (HVCI) enabled. This feature should make sure that kernel memory pages can never be Writable and Executable (W+X) at the same time.
MS16-067 addresses an information disclosure vulnerability (CVE-2016-0190) in Microsoft's Remote Desktop Protocol Drive Redirection technology. The vulnerability occurs when a USB disk is mounted over the Remote Desktop Protocol (RDP) via Microsoft RemoteFX and is not correctly tied to the session of the mounting user. An attacker who successfully exploited this vulnerability could obtain access to file and directory information on the mounting user's USB disk.
Coverage
In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.
Snort Rules:
- Rules for Microsoft Bulletins: 38759-38766, 38768-38783, 38785-38788, 38797-38798, 38801-38806, 38808-38817, 38828-38829, 38839-38842
- Adobe Bulletin Related:
38792,38793, 38824-38827, 38830-38833, 38835-38838, 38847-38848