The first Patch Tuesday of 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is relatively light with nine bulletins addressing 25 vulnerabilities. Six bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, JScript/VBScript, Office, Silverlight, and Windows. The remaining three bulletins are rated important and address vulnerabilities in Exchange and several parts of Windows.

Bulletins Rated Critical Microsoft bulletins MS16-001 through MS16-0006 are rated as critical in this month's release.

MS16-001 and MS16-002 are this month's Internet Explorer and Edge security bulletin respectively. In total, four vulnerabilities were addressed and unlike in previous bulletins there are no vulnerabilities that IE and Edge have in common.

  • MS16-001 is the IE bulletin for IE versions 7 through 11. Two vulnerabilities are addressed with those being CVE-2016-0002, a use-after-free flaw and CVE-2016-0005, a privilege escalation flaw. Note that CVE-2016-0002 is a VBScript engine vulnerability that is addressed in this bulletin for systems with IE 8 through 11 installed. Those who use IE7 and earlier or who do not have IE install will need to install MS16-003 to patch this vulnerability.
  • MS16-002 is the Edge bulletin addressing two vulnerabilities as well. Both CVE-2016-0003 and CVE-2016-0024 are memory corruption vulnerabilities that could result remote code execution if exploited. One special note regarding this month's IE advisory: In August 2014, Microsoft announced the end-of-life for Internet Explorer versions older than IE 11 that would take effect today. As a result, this month's bulletin will be the final one for affected versions. After today, "only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates." As such, there are exceptions to the end-of-life announcement with those being Windows Vista SP2 (IE9), Windows Server 2008 SP2 (IE9), and Windows Server 2012(IE 10). For more information on the IE end-of-life, please refer to Microsoft's documentation here:
    https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support


MS16-003 addresses CVE-2016-0002, a memory corruption flaw for JScript and VBScript. Note that this bulletins is geared toward users who use have IE7 installed or who do not have IE installed. Users and organizations who have IE 8 or later installed should install MS16-001 instead.

MS16-004 is this month's Office bulletin addressing vulnerabilities in Office 2007 through Office 2016. This month's bulletin fixes five vulnerabilities with two of them being memory corruption flaws (CVE-2016-0010, CVE-2016-0035) that manifest due to the improper handling of objects in memory.  Another vulnerability addressed in this bulletin is an ASLR bypass vulnerability (CVE-2016-0012) that could allow an adversary to reliably predict the memory offsets of specific instructions. These three vulnerabilities could be exploited if the targeted user opens a specifically crafted document that exploits these flaws.

The final two vulnerabilities addressed in this bulletin are Sharepoint security features bypasses (CVE-2015-6117, CVE-2016-0011) that manifest as a failure in properly enforcing Access Control Policy (ACP) settings. Exploitation of these two flaws is achievable if an adversary were to add a script to a webpart on a Sharepoint site and then using that webpart in a cross-site scripting attack.

MS16-005 addresses two vulnerabilities in Windows Kernel Mode Drivers. CVE-2016-0008 is an ASLR bypass flaw that manifests in the graphics device interface while CVE-2016-0009 is an remote code execution vulnerability that manifests in Win32k.sys. Both vulnerabilities are due to improperly handling objects in memory. Exploitation of the ASLR bypass is possible if a user visits a specially crafted web page with IE, opens a specifically crafted email with Outlook, or navigates to a folder containing a specifically crafted file in File Explorer. Exploitation of the remote code execution vulnerability is achievable if a targeted user visits a malicious web page that is designed to exploit this vulnerability. Any arbitrary code that is run as a result of this exploit is executed within the context of the current user's privileges. Implementing proper access control could mitigate the impact of this vulnerability

MS16-006 addresses CVE-2016-0034, a remote code execution vulnerability in Silverlight. This vulnerability manifests as a result of decoding a string with a malicious decoder that can ultimately return incorrect offsets, allowing the overwrite of unsafe object headers in memory. Exploitation of this vulnerability is achievable through crafting a specifically written Silverlight application that could then be embedded on a web page. A user who visits this web page with the malicious Silverlight applet could then be compromised if running a vulnerable version of Silverlight. Silverlight versions prior to 5.1.41212.0 are identified as vulnerable.

Bulletins Rated Important Microsoft bulletins MS16-007, MS16-008, and MS16-010 are rated as important in this month's release.

MS16-007 addresses six vulnerabilities in Windows Vista through Windows 10. Four of the vulnerabilities addressed are flaws that manifest due to improper validation of input before loading dynamic link library (DLL) files. As a result, privilege escalation (CVE-2016-0014, CVE-2016-0020) and remote code execution vulnerabilities (CVE-2016-0016, CVE-2016-0018) are present.

An arbitrary code execution vulnerability is also present in Microsoft DirectShow (CVE-2016-0015) due to incorrect validation of user input. Exploitation of this vulnerability is achievable if a targeted user opens a specifically crafted file designed to exploit this flaw.

The final vulnerability patched is a Remote Desktop Protocol security bypass in Windows 10 (CVE-2016-0019) that manifests when Windows fails to prevent remote logins to accounts without a password.

MS16-008 addresses two vulnerabilities in the Windows Kernel. Both vulnerabilities (CVE-2016-0006, CVE-2016-0007) are privilege escalation flaws that manifest when Windows incorrectly re-parses points set by a sandbox application. An authenticated attacker could exploit these vulnerabilities by running a specifically written application that is designed to exploit either of these two flaws.

MS16-010 addresses four vulnerabilities in Microsoft Exchange Server 2013 and 2016. All four vulnerabilities are Spoofing flaws that manifests when Outlook Web Access fails to properly handle web requests. As a result, an attacker who exploits these flaws could perform script or content injection attacks, attempt to fool the user into disclosing sensitive information, or redirect the user to a malicious website that could host other malicious content.

Coverage In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort SIDs: 37257-37284