May 2016 Patch Tuesday

BeyondTrust Research Team, May 11th, 2016

Patch Tuesday

This month’s Patch Tuesday ushers in a whopping 16 bulletins, 8 of which are critical. All in all, 57 vulnerabilities are addressed. A few things are worth noting this month: Internet Explorer and the JScript/VBScript engines are patched for a vulnerability (CVE-2016-0189) that is currently being exploited in the wild. That’s not the only one this month, either; Adobe Flash Player gets in on the action, resolving an actively exploited vulnerability of its own. Another noteworthy issue is in .NET, which is patched for a TLS/SSL vulnerability that could allow a remote attacker to decrypt traffic.

MS16-051: Cumulative Security Update for Internet Explorer (3155533)

Starting off in the usual fashion, Internet Explorer is patched for critical vulnerabilities: a memory corruption within the browser, a security feature bypass, and two memory corruptions within the JScript and VBScript engines. This bulletin is closely related to MS16-053; this one covers the Internet Explorer attack vector, while MS16-053 patches the scripting engines themselves. IE users should take extra care to ensure this patch is applied, since CVE-2016-0189 is being actively exploited in the wild.

MS16-052: Cumulative Security Update for Microsoft Edge (3155538)

Edge also goes under the knife, being patched for four memory corruption vulnerabilities, three of which occur within the Chakra scripting engine. The fourth is in the browser itself and is caused by improperly accessing objects in memory, allowing arbitrary code execution in the context of the current user.

MS16-053: Security Update for JScript and VBScript (3156764)

As mentioned earlier, this bulletin is closely related to MS16-051; this one, however, patches the two underlying JScript and VBScript memory corruption vulnerabilities at their source. Again, there are reports of CVE-2016-0189 being actively exploited in the wild, and users should ensure that this patch is applied. Both bulletins ship the same underlying fix, so every host should receive one or the other. It should also be noted that VBScript 5.7 is affected only by CVE-2016-0189, while JScript 5.8 and VBScript 5.8, as shipped on Server 2008 R2 Server Core, are affected by both CVE-2016-0189 and CVE-2016-0187.

MS16-054: Security Update for Microsoft Office (3155544)

And what would a Patch Tuesday be without our dear friend Office? This bulletin resolves four memory corruption vulnerabilities, each of which can allow remote code execution. Three are caused by Office software improperly handling objects in memory, while the fourth is due to improper handling of specially crafted embedded fonts. The typical attack scenarios are a malicious document delivered by email or hosted on a web page, opened by a user who has Office installed.

MS16-055: Security Update for Microsoft Graphics Component (3156754)

The Microsoft Graphics component is patched for five vulnerabilities: two information disclosures, caused by the GDI component disclosing memory contents; a remote code execution vulnerability, due to improper handling of objects in memory; a use-after-free vulnerability within Direct3D; and finally, a memory corruption vulnerability within the Windows Imaging Component.

MS16-056: Security Update for Windows Journal (3156761)

Journal returns to the scene, being patched for another remote code execution vulnerability. The problem occurs when Journal processes a specially crafted .jnt file, which a remote attacker can send to an unsuspecting victim, resulting in memory corruption. Execution occurs within the context of the current user, so accounts configured with fewer user rights are less impacted than those running with administrative rights.

MS16-057: Security Update for Windows Shell (3156987)

Windows Shell is patched for a critical remote code execution vulnerability caused by improper handling of objects in memory. A typical attack scenario would be an attacker convincing a victim to browse to a malicious web page designed to exploit the vulnerability. As with the previous bulletin, execution occurs within the context of the current user.

MS16-058: Security Update for Windows IIS (3141083)

Microsoft Internet Information Services (IIS) is patched this month for a DLL loading vulnerability which can lead to arbitrary code execution. Successful exploitation depends on the attacker first having file-system access to a location from which IIS loads libraries, so they can plant a specially crafted DLL that IIS then loads. That prerequisite makes this primarily a concern on hosts where untrusted users or compromised applications can already write to the server’s file system.

MS16-059: Security Update for Windows Media Center (3150220)

Media Center returns with a remote code execution vulnerability that occurs when Media Center processes a specially crafted .mcl file. Exploitation is again limited to the context of the current user, but that is exactly what an attacker pairs an elevation of privilege vulnerability with, such as the one in the next bulletin.

MS16-060: Security Update for Windows Kernel (3154846)

This bulletin resolves an elevation of privilege vulnerability within the Windows kernel. The kernel improperly handles symbolic links, which could give a local attacker access to registry keys they are not authorized to reach and thereby allow them to elevate their privileges.

MS16-061: Security Update for Microsoft RPC (3155520)

A remote code execution vulnerability is patched within Microsoft’s Remote Procedure Call (RPC) Network Data Representation (NDR) Engine. The issue occurs when Windows handles specially crafted RPC requests and then improperly frees the associated memory. Successful exploitation requires authenticated access to issue the necessary RPC requests, which limits the attack surface for this vulnerability.

MS16-062: Security Update for Windows Kernel-Mode Drivers (3158222)

Kernel-mode drivers are back with a vengeance this month, with seven vulnerabilities being patched. These consist of four elevation of privilege vulnerabilities resulting from the win32k driver failing to properly handle objects in memory; a security feature bypass, also within the win32k driver, that discloses kernel memory addresses which can be used to bypass Address Space Layout Randomization (ASLR); and finally, two kernel elevation of privilege vulnerabilities in the DirectX Graphics kernel driver (dxgkrnl.sys), which incorrectly maps kernel memory. The ASLR bypass is worth noting on its own: an information leak like this is typically the first stage of a kernel exploit chain, used to locate targets for one of the memory corruption bugs patched alongside it.

MS16-064: Security Update for Adobe Flash Player (3157993)

Microsoft has included Adobe Flash Player in this bulletin, which resolves 24 vulnerabilities within Flash Player. The associated Adobe advisory is ASA16-02, which states that CVE-2016-4117 is being actively exploited in the affected Flash Player versions. Interestingly, Adobe has withheld the associated bulletin until later in the week, perhaps indicating another critical vulnerability is in the process of being patched. If that is the case, Microsoft may update their bulletin to include it, so we’ll be keeping an eye out.

MS16-065: Security Update for .NET Framework (3156757)

.NET is patched for a vulnerability in its TLS/SSL implementation which can allow an attacker to decrypt TLS/SSL traffic. The patch resolves the issue by splitting the first TLS record sent after the initial connection handshake, the same 1/n-1 record split that browsers adopted against chosen-plaintext attacks on CBC mode. The change only applies to applications that negotiate TLS 1.0 with a Cipher Block Chaining cipher suite; TLS 1.1 and 1.2 are not affected, because they carry an explicit per-record IV instead of chaining the IV from the previous record’s last ciphertext block. The practitioner’s takeaway is that applications still pinned to TLS 1.0 should apply this update and, where possible, move to TLS 1.2.
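To make the mechanism concrete, here is an added demonstration (written for this page, not code from Microsoft or the .NET Framework) of why TLS 1.0’s chained CBC IVs give an attacker a one-guess-per-record oracle, and why a 1/n-1 record split removes it. The demo applies the split to every write, the general browser-style form of the mitigation, whereas the bulletin describes splitting the first record after the handshake. The block cipher is a keyed PRF stand-in rather than AES, which is an assumption of the demo: the attack depends only on CBC chaining and on comparing ciphertext blocks, never on decrypting anything. Keys, the cookie value and the HTTP filler are all constructed sample data.

```python
"""Chained-IV CBC (TLS 1.0 style) versus a 1/n-1 record split.

TLS 1.0 uses the last ciphertext block of record N as the IV of record N+1.
An attacker who can read the wire knows that IV before choosing the plaintext
of record N+1, so one chosen record tests one guess at any earlier plaintext
block.  Splitting a write into a 1-byte record plus the rest hides the IV the
chosen bytes are encrypted under: it is the ciphertext of the 1-byte record,
produced only after the plaintext was chosen.
"""
import hashlib
import hmac
import os

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the record cipher (AES/3DES in real TLS).  A keyed PRF
    truncated to one block is enough: the demo never decrypts, it only checks
    whether two ciphertext blocks are equal.  Demo assumption, not TLS."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Tls10CbcWriter:
    """Minimal TLS 1.0-style sender: MAC, then pad, then CBC-encrypt, with the
    IV of each record chained from the last ciphertext block of the previous."""

    def __init__(self, enc_key, mac_key, split_records=False, first_iv=None):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.split_records = split_records
        self.seq = 0
        # TLS 1.0 derives the first IV from the handshake key block; the demo
        # just picks one.  Every later IV is a ciphertext block the attacker saw.
        self.chain_iv = first_iv if first_iv is not None else os.urandom(BLOCK)

    def _encrypt_record(self, plaintext):
        mac = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + plaintext,
                       hashlib.sha1).digest()
        body = plaintext + mac
        pad_len = BLOCK - (len(body) + 1) % BLOCK          # TLS padding: pad_len bytes, each pad_len, plus a length byte
        body += bytes([pad_len]) * (pad_len + 1)
        blocks, prev = [], self.chain_iv
        for i in range(0, len(body), BLOCK):
            prev = block_encrypt(self.enc_key, xor(body[i:i + BLOCK], prev))
            blocks.append(prev)
        self.chain_iv = prev          # this chaining is what makes the next IV predictable
        self.seq += 1
        return body, blocks           # body is returned only so the demo can check its own answer

    def send(self, plaintext):
        """Returns a list of (plaintext body, ciphertext blocks) records."""
        if self.split_records and len(plaintext) > 1:
            return [self._encrypt_record(plaintext[:1]),
                    self._encrypt_record(plaintext[1:])]
        return [self._encrypt_record(plaintext)]


def chosen_block_for_guess(chain_iv, prev_block, target_block, guess):
    """Attacker's first plaintext block X = guess ^ prev ^ IV.  Then
    E(X ^ IV) = E(guess ^ prev), which equals target_block iff guess is right."""
    return xor(xor(guess, prev_block), chain_iv)


def attacker_confirms(writer, prev_block, target_block, guess):
    """Attacker reads the current chaining IV off the wire, gets the victim's
    stack to send one record that starts with the chosen block, and checks
    whether the target ciphertext block reappears anywhere in the output."""
    chosen = chosen_block_for_guess(writer.chain_iv, prev_block, target_block, guess)
    records = writer.send(chosen + b"/ HTTP/1.1\r\n\r\n")   # constructed filler after the chosen block
    return any(target_block in blocks for _body, blocks in records)


def run_attack(split_records):
    """Returns (correct_guess_confirmed, wrong_guess_confirmed)."""
    writer = Tls10CbcWriter(b"k" * 16, b"m" * 20, split_records=split_records)   # constructed keys
    # The victim's earlier record carried a secret; the attacker saw its ciphertext.
    victim_body, victim_ct = writer.send(b"Cookie: session=S3CRET-TOKEN-AB1")[-1]   # constructed secret
    prev_block, target_block = victim_ct[0], victim_ct[1]
    true_block = victim_body[BLOCK:2 * BLOCK]    # plaintext under target_block; demo-only knowledge
    confirmed_true = attacker_confirms(writer, prev_block, target_block, true_block)
    confirmed_false = attacker_confirms(writer, prev_block, target_block, bytes(BLOCK))
    return confirmed_true, confirmed_false


if __name__ == "__main__":
    print("unsplit TLS 1.0 CBC:", run_attack(False))   # (True, False): one guess tested per record
    print("with 1/n-1 split   :", run_attack(True))    # (False, False): the oracle is gone
```

Without the split, the correct guess is confirmed and the wrong one rejected, so an attacker who can inject chosen records recovers a secret block one guess at a time. With the split, the chosen bytes are encrypted under an IV that did not exist when they were chosen, and the oracle gives the same answer for right and wrong guesses. TLS 1.1 and 1.2 need none of this because each record carries its own explicit IV.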

MS16-066: Security Update for Virtual Secure Mode (3155451)

This bulletin resolves a security feature bypass vulnerability within Virtual Secure Mode. The issue is caused by Windows incorrectly allowing certain kernel-mode pages to be marked Read, Write, and Execute even with Hypervisor Code Integrity (HVCI) enabled, undermining the guarantee that HVCI is meant to provide: that only signed, integrity-checked code can execute in kernel mode.

MS16-067: Security Update for USB Driver (3155784)

Last, but certainly not least, Windows is patched for a vulnerability that exists when USB disks are mounted over RDP. An attacker could potentially gain access to the drive from a session other than the one in which it was mounted. The patch ensures that access is properly enforced so that only the mounting session can reach the drive.