April 2016 Patch Tuesday

BeyondTrust Research Team, April 12th, 2016


April’s Patch Tuesday offers up 13 bulletins which include the typical misfits – IE, Edge, and Office. That’s not to say there weren’t any interesting products patched. For example, the remote protocols SAM and LSAD came under fire with the “Badlock” vulnerability, which leaves them susceptible to a man-in-the-middle attack. Additionally, Adobe Flash Player (which now seems to be integrated with Patch Tuesday) addresses an actively exploited vulnerability that allows arbitrary remote code execution! Overall, 40 vulnerabilities were patched, making this a moderately sized Patch Tuesday.

MS16-037: Cumulative Security Update for Internet Explorer (3148531)

First off, Internet Explorer gets its monthly dose of patches, resolving a DLL hijack, an information disclosure, and four memory corruption vulnerabilities. The memory corruption vulnerabilities could be exploited remotely via a specially crafted website, giving this bulletin a critical rating.

MS16-038: Cumulative Security Update for Microsoft Edge (3148532)

Edge also receives its monthly dose of patches, resolving two elevation of privilege and four memory corruption vulnerabilities. Much like IE, this bulletin is critically rated due to the remote exploitation potential of the memory corruption vulnerabilities.

MS16-039: Security Update for Microsoft Graphics Component (3148522)

Next up, Microsoft Graphics is patched for a critical memory corruption vulnerability and three elevation of privilege (EoP) vulnerabilities. The EoP vulnerabilities are caused by Windows’ kernel-mode driver not properly handling objects in memory and can allow an attacker to run arbitrary code in kernel mode. The memory corruption vulnerability is caused by improper handling of embedded fonts, which an attacker can embed in a document or webpage.

MS16-040: Security Update for Microsoft XML Core Services (3148541)

XML Core Services is patched this month for a critical remote code execution vulnerability. The issue lies within the MSXML parser when processing user input. An attacker could exploit the vulnerability by hosting a malicious website designed to invoke MSXML through Internet Explorer.

MS16-041: Security Update for .NET Framework (3148789)

.NET is patched for a vulnerability caused by a failure to validate user input when loading libraries. Successful exploitation could allow an attacker to take control of the affected machine if they already had access to the local filesystem. Users whose accounts are configured with fewer privileges are less impacted because exploitation occurs in the same account context.

MS16-042: Security Update for Microsoft Office – Critical (3148775)

This bulletin resolves four memory corruption vulnerabilities within Microsoft Office. The issue involves Office not properly handling objects in memory, allowing a remote attacker to execute arbitrary code in the context of the current user. Three of these vulnerabilities are rated “important”; CVE-2016-0127, however, is reachable through the Preview Pane and is considered critical.

MS16-044: Security Update for Windows OLE (3146706)

Windows OLE is patched for an important vulnerability caused by improper validation of user input. A remote attacker could convince a user to open a malicious file or webpage and thereby execute arbitrary code.

MS16-045: Security Update for Windows Hyper-V (3143118)

Next in line, Hyper-V is patched for three vulnerabilities consisting of a remote code execution and two information disclosures. These vulnerabilities are caused by Hyper-V failing to validate input from an authenticated user on a guest operating system. Note, however, that the Hyper-V role must be enabled on the system for these vulnerabilities to be applicable.

MS16-046: Security Update for Secondary Logon (3148538)

This bulletin resolves an issue with the Secondary Logon service on Windows 10 systems. An attacker could potentially elevate their privileges and execute code in the Administrator context. The issue is caused by Secondary Logon failing to manage requests in memory.

MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527)

The Security Account Manager (SAM) and Local Security Authority Domain Policy (LSAD) remote protocols have come under fire recently, as this bulletin resolves a Remote Procedure Call (RPC) downgrade vulnerability that occurs during the establishment of an RPC channel, when authentication levels are accepted. A man-in-the-middle attacker could force a downgrade and then impersonate an authenticated user. This vulnerability was discovered by Stefan Metzmacher of the international Samba Core Team, who labeled it “Badlock.” Note there are several exploitation proof-of-concepts circulating, so this vulnerability should not be taken lightly.
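To make the downgrade concrete, here is a small constructed Python model, added here and not BeyondTrust’s, Microsoft’s, or Samba’s code, and not real DCE/RPC: a client that simply trusts the authentication level echoed back in the bind acknowledgement versus one that refuses any level below what it requested, which is the behaviour change this bulletin describes. The bind message is a plain dict and the “network” is a function call; the RPC_C_AUTHN_LEVEL_* values are the standard DCE/RPC constants.

```python
"""Toy model of the RPC authentication-level downgrade addressed by MS16-047.

Constructed illustration only: no sockets, no SAMR/LSARPC marshalling.
The constants are the standard DCE/RPC authentication levels.
"""

RPC_C_AUTHN_LEVEL_NONE = 1
RPC_C_AUTHN_LEVEL_CONNECT = 2        # authenticate at connect time only
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5  # every packet signed
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6    # every packet signed and encrypted


def server_bind_ack(bind):
    """Server side: acknowledge the level found in the (possibly tampered) bind."""
    return {"auth_level": bind["auth_level"]}


def mitm_downgrade(bind):
    """Man-in-the-middle: rewrite the client's requested level to the weakest one."""
    tampered = dict(bind)
    tampered["auth_level"] = RPC_C_AUTHN_LEVEL_CONNECT
    return tampered


def negotiate(requested, enforce_minimum, send):
    """Client side of the bind.

    `send` models the path to the server (direct, or through a MITM) and
    returns the server's bind acknowledgement.  Returns the effective
    authentication level, or None if the client refuses the channel.
    """
    ack = send({"auth_level": requested})
    if enforce_minimum and ack["auth_level"] < requested:
        return None  # fixed behaviour: a downgraded channel is rejected
    return ack["auth_level"]  # vulnerable behaviour: trust whatever came back


def direct(bind):
    """Bind travels straight to the server."""
    return server_bind_ack(bind)


def via_mitm(bind):
    """Bind passes through an attacker who downgrades it on the way."""
    return server_bind_ack(mitm_downgrade(bind))


if __name__ == "__main__":
    print("vulnerable, via MITM:", negotiate(RPC_C_AUTHN_LEVEL_PKT_PRIVACY, False, via_mitm))
    print("fixed, via MITM:     ", negotiate(RPC_C_AUTHN_LEVEL_PKT_PRIVACY, True, via_mitm))
```

The vulnerable client ends up talking over a CONNECT-level channel (2) without noticing; the fixed client returns None and never sends authenticated traffic over the downgraded channel.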

MS16-048: Security Update for CSRSS (3148528)

Next, the Client/Server Runtime Subsystem (CSRSS) is patched for a security bypass vulnerability which an attacker could exploit to run arbitrary code in the Administrator context. The issue is caused by CSRSS failing to validate process tokens in memory.

MS16-049: Security Update for HTTP.sys (3148795)

This bulletin addresses a denial of service vulnerability within Windows’ HTTP driver. The issue arises when HTTP.sys improperly parses specially crafted HTTP 2.0 requests, causing the affected system to become unresponsive.

MS16-050: Security Update for Adobe Flash Player (3154132)

Last, but certainly not least, Adobe Flash Player is patched for ten vulnerabilities affecting Windows 8.1 and later systems. The vulnerabilities can allow a remote attacker to execute arbitrary code, and there are reports of CVE-2016-1019 being actively exploited prior to this bulletin’s release.