Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains twelve bulletins addressing 37 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Internet Explorer, Edge, Windows Journal, Office and Windows PDF. The remaining seven bulletins are rated important and address vulnerabilities in the Network Policy Server (NPS), Active Directory, Windows, Remote Desktop Protocol, WebDAV, Kernel Mode Driver and the .NET Framework.

Bulletins Rated Critical

Microsoft bulletins MS16-009, MS16-011 through MS16-013, and MS16-015 are rated as critical in this month's release.

MS16-009 and MS16-011 are this month's Internet Explorer and Edge security bulletin respectively. In total, sixteen vulnerabilities were addressed with four vulnerabilities impacting both browsers. The vulnerabilities impacting both browsers include three critical memory corruption issues (CVE-2016-0060, CVE-2016-0061 and CVE-2016-0062) along with CVE-2016-0077 that addresses a critical spoofing vulnerability.

  • MS16-009 is the IE bulletin for IE versions 9 through 11. Three critical memory corruption issues specific to Internet Explorer are addressed (CVE-2016-0063, CVE-2016-0067 and CVE-2016-0072).
  • MS16-011 is the Edge bulletin. A critical memory corruption issues specific to Edge is addressed (CVE-2016-0084).  MS16-012 addresses two vulnerabilities in the Microsoft Windows PDF Library. CVE-2016-0058 is a buffer overflow vulnerability invoked when the PDF Library improperly handles application programming interface (API) calls. CVE-2016-0046 is a remote code execution vulnerability that can be exploited by convincing the user to open a specially crafted file in Windows Reader.

MS16-013 addresses a single vulnerability in Windows Journal. CVE-2016-0038 is a memory corruption issue. An attacker who tricks a user into opening a specially crafted journal file and successfully exploits this vulnerability can cause arbitrary code execution.

MS16-015 is this month’s Microsoft Office bulletin. CVE-2016-0052 and CVE-2016-0053 are critical while the other five vulnerabilities are rated important. Three vulnerabilities (CVE-2016-054, CVE-2016-0055 and CV-2016-2016-0056) involve memory corruption that can be exploited if a user opens a crafted file. Three other vulnerabilities (CVE-2016-0022, CVE-2016-0052 and CVE-2016- 0053) also involve memory corruption but they can be exploited by either opening a file or through the preview pane. CVE-2016-039 addresses an elevation of privilege vulnerability when SharePoint does not properly sanitize web requests. An authenticated attacker could exploit this vulnerability perform cross-site scripting attacks and running scripts on the server.

Bulletins Rated Important

Microsoft bulletins MS16-014 and MS16-016 through MS16-021 are rated as important in this month's release.

MS16-014 addresses five vulnerabilities in Microsoft Windows impacting all supported releases. CVE-2016-0040 addresses a privilege escalation issue. Three vulnerabilities involve issues related to loading dynamic link libraries. CVE-2016-0041 & CVE-2016-0042 address remote code execution vulnerabilities while CVE-2016-0044 addresses a denial of service issue. Finally, CVE-2016-0049 addresses a kerberos security feature bypass that would allow an attacker to bypass Kerberos authentication on a target machine and decrypt the drive protected by BitLocker.

MS16-016 addresses a single privilege escalation vulnerability (CVE-2016-0051) in the Microsoft Web Distributed Authoring and Versioning (WebDAV) client.

MS16-017 addresses a single privilege escalation vulnerability (CVE-2016-0036) in the Remote Desktop Protocol (RDP). An authenticated attacker could then send crafted traffic to cause a crash condition that leads to elevated privileges.

MS16-018 addresses a single Windows Kernel Mode Driver privilege escalation vulnerability (CVE-2016-0048). An authenticated attacker could take control of an affected system by logging onto the system and running a specially crafted application.

MS16-019 addresses two vulnerabilities in Microsoft .NET Framework. CVE-2016-0033 is a stack overflow denial of service vulnerability that involves the attacker sending to the server a specially crafted XSLT (Extensible Stylesheet Language Transformation) that would cause the server to recursively compile the  XLST transformation. CVE-2016-0047 is an information disclosure vulnerability that allows an attacker to retrieve information using a specially crafted icon.

MS16-020 addresses a single vulnerability in Active Directory Federation Services (ADFS). CVE-2016-0037 is a denial of service vulnerability which manifests when ADFS fails to properly process certain input during forms-based authentication. An attacker who exploits this vulnerability could  cause the server to become unresponsive.

MS16-021 addresses a single vulnerability in the Microsoft Windows Network Policy Server (NPS) using RADIUS. CVE-2016-0050 is a denial of service flaw which manifests due to the improper handling of RADIUS authentication requests. An unauthenticated attacker who exploits this vulnerability could transmit specially crafted username strings to a Network Policy Server (NPS) and trigger a denial of service condition for RADIUS authentication on the NPS.


In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or

Snort SIDs: 37553-37617