January 2016 Patch Tuesday

BeyondTrust Research Team, January 12th, 2016


The New Year brings with it a new Patch Tuesday, with this month's vulnerability count totaling 30. A surprising twist is that Internet Explorer is patched for only two vulnerabilities this month, possibly because Microsoft has discontinued support for IE 8, 9 and 10. Also, MS16-009 was left out of the loop, so we expect it to appear in February.

MS16-001: Cumulative Security Update for Internet Explorer (3124903)

Starting off the year, this critically-rated update resolves just two vulnerabilities in Internet Explorer. IE's VBScript engine continues to be a popular target among researchers and is responsible for another memory corruption vulnerability this month. Accompanying it is an elevation-of-privilege vulnerability arising from IE improperly enforcing cross-domain policies.

MS16-002: Cumulative Security Update for Microsoft Edge (3124904)

Edge is also updated for just two vulnerabilities, but in this case both are memory corruption issues that could lead to remote code execution. In a typical attack scenario, an attacker hosts a specially crafted website and convinces the victim to browse to it. Successful exploitation is limited to the rights of the current user, so accounts without administrative privileges limit the damage an attacker can do.

MS16-003: Cumulative Security Update for JScript and VBScript to Address Remote Code Execution (3125540)

This bulletin addresses a memory corruption vulnerability in Microsoft's JScript and VBScript engines; it is the same underlying flaw as the Internet Explorer memory corruption vulnerability above, shipped here as a separate update for systems whose scripting engines are not serviced by the IE cumulative. As with IE, remote code execution is possible, making this a critically-rated vulnerability.

MS16-004: Security Update for Microsoft Office to Address Remote Code Execution (3124585)

Office returns this year with five vulnerabilities, two of which are memory corruption issues that could lead to remote code execution; both are caused by improper handling of objects in memory. Two security feature bypasses are also patched in SharePoint that allowed attackers to conduct cross-site scripting attacks. Finally, an ASLR bypass is fixed. On its own it does not allow arbitrary code execution, but it can help an attacker reliably exploit a separate vulnerability.

MS16-005: Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution (3124584)

Kernel-mode drivers are back this year with a remote code execution vulnerability and an ASLR bypass. The remote code execution vulnerability was publicly disclosed as CVE-2016-0009 before the patch shipped, though Microsoft was unaware of any attacks exploiting it.

MS16-006: Security Update for Silverlight to Address Remote Code Execution (3126036)

The Silverlight runtime is patched for a critical remote code execution vulnerability in string decoding. A specially crafted decoder can return negative offsets, causing Silverlight to replace unsafe object headers with attacker-supplied content. Successful exploitation can lead to arbitrary code execution with the same permissions as the current user.

MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901)

This bulletin addresses four DLL hijacking vulnerabilities, a security feature bypass in RDP and a heap corruption vulnerability in DirectShow. The RDP vulnerability allows remote logon to accounts that have no password set on Windows 10 hosts running RDP services, bypassing the restriction that normally confines blank-password accounts to console logon.
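The RDP bypass only matters on hosts that expose Remote Desktop and have enabled local accounts without a password. The following PowerShell audit is an added example, not code from the BeyondTrust post or from Microsoft; it reads the two registry values and the local account flags that govern that exposure. It assumes a Windows 10 host and an elevated PowerShell session, and it relies on the Win32_UserAccount PasswordRequired flag, which reports whether a password is required rather than whether one is actually set, so treat the account list as a lead to verify, not proof.

```powershell
# Added example (not from the original post): audit a Windows 10 host for the
# conditions the MS16-007 RDP security feature bypass depends on. Run elevated.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$rdpEnabled = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

# LimitBlankPasswordUse = 1 is the "Accounts: Limit local account use of blank
# passwords to console logon only" policy. It is on by default; the point of the
# bulletin is that the vulnerable RDP service did not honour it.
$limitBlank = (Get-ItemProperty -Path $lsaKey -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue).LimitBlankPasswordUse

# Enabled local accounts whose "password not required" flag is set. An account
# can still carry a blank password with this flag clear, so this is a heuristic.
$blankPwAccounts = @(
    Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { -not $_.Disabled -and -not $_.PasswordRequired } |
        Select-Object -ExpandProperty Name
)

# Users and groups allowed to log on over RDP; blank-password accounts here
# (or in Administrators, which is implicitly allowed) are the ones that matter.
$rdpUsers = @(
    Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
)

[pscustomobject]@{
    RdpEnabled            = $rdpEnabled
    LimitBlankPasswordUse = $limitBlank
    BlankPasswordAccounts = ($blankPwAccounts -join ', ')
    RemoteDesktopUsers    = ($rdpUsers -join ', ')
    # Exposed until the January cumulative update is applied: RDP reachable and
    # at least one enabled account that does not require a password.
    Exposed               = ($rdpEnabled -and $blankPwAccounts.Count -gt 0)
}
```

The script reports rather than remediates. If it flags an account, either set a password on it or disable it; applying the bulletin closes the bypass, but an enabled account with no password remains a weak point for any other logon path.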

MS16-008: Security Update for Windows Kernel to Address Elevation of Privilege (3124605)

The Windows kernel is patched for two privilege escalation vulnerabilities caused by improper validation of mount points and reparse points set by sandboxed applications. An attacker who successfully exploited one of them, combined with a separate code execution vulnerability, could take complete control of the system.

MS16-010: Security Update for Microsoft Exchange Server to Address Spoofing (3124557)

Finishing up the month, Exchange Server is patched for four spoofing vulnerabilities. The issues lie in how Outlook Web Access handles certain web requests and allow remote attackers to perform script injection or content injection attacks.