February 2016 Patch Tuesday

BeyondTrust Research Team, February 9th, 2016


February’s Patch Tuesday contains some new aspects not seen in months past. One is the inclusion of Adobe Flash Player, whose fixes have until now been disclosed through Microsoft Security Advisories rather than bulletins. Additionally, Windows Reader and the Windows PDF Library join the party, signalling that Microsoft apps may be a new target for attackers and security researchers. Finally, MS16-009 makes its appearance after being absent from January’s Patch Tuesday. Overall, this month consists of 13 bulletins, six of which are critically rated. In total, 63 vulnerabilities are addressed, 22 of them in Adobe Flash Player.

MS16-009: Cumulative Security Update for Internet Explorer (3134220)

Starting off this month, Internet Explorer is updated for one DLL hijacking, one information disclosure, eight memory corruption, one spoofing, and two elevation of privilege vulnerabilities, 13 in all. What sets this update apart from previous IE updates is that it covers only three versions of IE (9, 10, and 11), since Microsoft ended support for the older versions last month.

MS16-011: Cumulative Security Update for Microsoft Edge (3134225)

Skipping over MS16-010, this update addresses one spoofing, one ASLR bypass, and four memory corruption vulnerabilities within the Edge browser. The worst of these are the memory corruption flaws, since vulnerabilities of that type almost always lead to code execution.

MS16-012: Security Update for Microsoft Windows PDF Library to Address Remote Code Execution (3138938)

New to the vulnerability scene is Windows Reader, which is only available on Windows 8.1 and above via the app store. This update resolves two issues: the Windows PDF Library contains a classic buffer overflow, while Reader suffers from memory corruption. Both can lead to remote code execution, making this bulletin critically rated.

MS16-013: Security Update for Windows Journal to Address Remote Code Execution (3134811)

This bulletin updates Journal for one memory corruption vulnerability that can lead to remote code execution when a specially crafted Journal file is opened. Exploitation yields only the rights of the user who opens the malicious file, so as always, it’s important to practice the principle of least privilege.

MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228)

This important-rated bulletin addresses one elevation of privilege, one Kerberos security bypass, and three DLL hijacking vulnerabilities. The Kerberos bypass results from a failure to check whether a user’s password has been changed. Meanwhile, the DLL hijacking vulnerabilities require an attacker to have prior access to the file system in order to plant malicious DLL files that execute arbitrary code.

MS16-015: Security Update for Microsoft Office to Address Remote Code Execution (3134226)

Office rears its monthly flaws, consisting of one cross-site scripting and six memory corruption vulnerabilities. For three of the memory corruption vulnerabilities, the preview pane within various Office products is the attack vector. Typical attack scenarios involve phishing emails and malicious websites, reminding us that it’s important to exercise caution whenever opening email attachments or visiting unknown webpages.

MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041)

For this bulletin, Microsoft’s Web Distributed Authoring and Versioning (WebDAV) client is updated for one elevation of privilege vulnerability. The issue is caused by improper validation of user input. An attacker would already need access to the system in order to run a specially crafted application that exploits this vulnerability and executes arbitrary code with elevated privileges.

MS16-017: Security Update for Remote Desktop Display Driver to Address Elevation of Privilege (3134700)

RDP is back with one elevation of privilege vulnerability. As with MS16-016, this vulnerability requires an attacker to already have access to a target system in order to execute a specially crafted application locally.

MS16-018: Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege (3136082)

This bulletin updates another elevation of privilege vulnerability within Windows kernel-mode drivers. Specifically, the win32k.sys driver does not properly handle objects in memory, which an attacker could chain with other attacks to further compromise a system.

MS16-019: Security Update for .NET Framework to Address Denial of Service (3137893)

The .NET Framework is updated for one memory corruption and one information disclosure vulnerability. The memory corruption vulnerability, a classic stack overflow caused by improper handling of XSLT transformations, results only in a denial of service, so this bulletin is rated important.

MS16-020: Security Update for Active Directory Federation Services to Address Denial of Service (3134222)

This bulletin updates a denial of service vulnerability within Active Directory Federation Services (ADFS). The vulnerability stems from improper handling of user-supplied data during forms-based authentication, which causes the server to become unresponsive.

MS16-021: Security Update for Network Policy Server RADIUS implementation to Address Denial of Service (3133043)

Another denial of service vulnerability exists within Network Policy Server. It is triggered when an attacker supplies specially crafted usernames to the server, preventing RADIUS authentication and resulting in a denial of service.

MS16-022: Security Update for Adobe Flash Player (3135782)

Last but not least, Adobe Flash Player is included in a Microsoft bulletin for the first time; up to this point, Flash issues were disclosed in Microsoft Security Advisories. This bulletin corresponds to Adobe’s own APSB16-04 advisory, which covers 22 serious vulnerabilities affecting Internet Explorer and Edge, making this a critically-rated bulletin.
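As an added example (not part of the BeyondTrust post), the following PowerShell script checks a Windows host for the KB articles named in the thirteen bulletins above. It assumes the update inventory exposed by Get-HotFix (Win32_QuickFixEngineering) is the source of truth, which is not always the case: Office updates (MS16-015) are installed as MSP patches and do not appear there, Edge fixes on Windows 10 ship inside the monthly cumulative update under its own KB number, and a bulletin-level KB does not always match the per-package KB the installer records. A "not found" result is therefore a prompt to check the bulletin’s affected-software table, not proof the host is unpatched.

```powershell
# Added example, not from the original post. Maps the February 2016 bulletin IDs
# to the KB numbers quoted in the post and reports which ones Get-HotFix can see.
# Assumption: Get-HotFix (Win32_QuickFixEngineering) lists the installed package
# under the bulletin-level KB; Office (MSP) and Windows 10 cumulative updates
# are known exceptions and will show as "not found" here.
$bulletins = [ordered]@{
    'MS16-009' = 'KB3134220'   # Internet Explorer
    'MS16-011' = 'KB3134225'   # Edge
    'MS16-012' = 'KB3138938'   # Windows PDF Library / Reader
    'MS16-013' = 'KB3134811'   # Windows Journal
    'MS16-014' = 'KB3134228'   # Windows (Kerberos, DLL hijacking)
    'MS16-015' = 'KB3134226'   # Office (MSP-delivered; not visible to Get-HotFix)
    'MS16-016' = 'KB3136041'   # WebDAV
    'MS16-017' = 'KB3134700'   # Remote Desktop display driver
    'MS16-018' = 'KB3136082'   # Kernel-mode drivers (win32k.sys)
    'MS16-019' = 'KB3137893'   # .NET Framework
    'MS16-020' = 'KB3134222'   # ADFS
    'MS16-021' = 'KB3133043'   # Network Policy Server (RADIUS)
    'MS16-022' = 'KB3135782'   # Adobe Flash Player
}

# Collect the installed hotfix IDs once; -ErrorAction Stop makes a failed WMI
# query (e.g. insufficient rights) abort instead of reporting everything missing.
$installed = Get-HotFix -ErrorAction Stop | Select-Object -ExpandProperty HotFixID

$report = foreach ($entry in $bulletins.GetEnumerator()) {
    [pscustomobject]@{
        Bulletin  = $entry.Key
        KB        = $entry.Value
        Installed = ($installed -contains $entry.Value)
    }
}

$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ("Not visible via Get-HotFix: " + ($missing.Bulletin -join ', ') +
                   ". Verify these against the bulletin package tables before closing the ticket.")
} else {
    Write-Output "All thirteen February 2016 bulletin KBs are present."
}
```

Run it in an elevated PowerShell session on the host being audited; for fleet-wide checks, wrap the same table in Invoke-Command against a list of computers and collect the returned objects rather than the formatted table.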