Spring is in the air, and the swallows have returned to north central Texas and are busily building their nests under the eaves of our house, as they do every year. They say April showers bring May flowers (and Mayflowers bring pilgrims – an oldie but goodie), but here in the DFW area, our recent “showers” have been destroying the flowers, as well as roofs and patio furniture and the windows of home and cars. We’ve had two hail storms in the last few weeks, with baseball-sized chunks of ice plummeting out of the sky on an 88° F day. Crazy weather.

Sometimes IT pros feel as if we’re being figuratively pummeled as the security vulnerabilities – and the patches to fix them – come at us fast and furiously. Am I the only one who wistfully remembers those five-patch months? Microsoft seems to be stuck on the concept of “lucky thirteen” lately, as this is the third month in a row that they’ve released that number of updates on Patch Tuesday.

This time we have three that are rated critical, with the rest classified as important. There’s an Adobe Flash update, the obligatory IE and Edge cumulative updates, and the rest are for Windows, Office and .NET Framework. It’s a case of the usual suspects: remote code execution and elevation of privilege issues, along with one denial of service vulnerability and a security features bypass.

Let’s take a look at each of these patches in more detail. You might notice that we have a missing number in the sequence: MS16-043 was not issued in the Patch Tuesday batch. For more detailed information about each, see the Security Bulletin Summary on the TechNet web site at
https://technet.microsoft.com/en-us/library/security/ms16-Apr

Critical

MS16-037 (KB 3148531) This is the usual cumulative update for Internet Explorer that we have come to expect every month. It applies to IE 9, 10 and 11 running on Windows Vista, 7, 8.1 and 10 as well as RT 8.1, and Windows Server 2008, 2008 R2, 2012 and 2012 R2. It is rated critical on client machines and moderate on servers.

This one covers only six vulnerabilities (far fewer than last month’s 13) and four of them are related to memory corruption issues. They can be exploited to accomplish remote code execution, which could allow an attacker to take control of the system – thus, the critical rating. There is another RCE vulnerability that’s caused by improper validation of input before loading DLL files, as well as an information disclosure vulnerability that occurs because of improper handling of JavaScript. That one could be used to read data on the computer that wasn’t supposed to be disclosed.

The update fixes the problems by changing the way IE handles objects in memory, changing the way IE validates input before loading DLLs, and restricting the information returned to IE.

MS16-038 (KB3148532) This is the usual cumulative update for Microsoft Edge, the new web browser that’s built into Windows 10. It applies to all versions of Windows 10, and is rated critical for all.

Like the IE update, this one addresses six vulnerabilities – but they aren’t the same six. It fixes the memory corruption issues but also addresses two elevation of privilege vulnerabilities. These latter two are rated only moderate. One pertains to the enforcement of cross-domain policies and could be exploited to access information from one domain and inject it into another; the other is a JavaScript vulnerability that could be used to run a script with elevated privileges.

The update fixes the problems by changing the way Edge handles objects in memory and by ensuring that cross-domain policies are properly enforced.

MS16-039 (KB3148522) This is an update for the Microsoft graphics component in Windows. It applies to all supported client and server releases of Windows, as well as affected versions of the .NET Framework and affected versions of Skype for Business 2016 and Lync 2010 and 2013. It’s rated critical for the above, and rated important for Microsoft Office 2007 and 2010.

The update addresses four vulnerabilities. The most serious of these is the Graphics Memory Corruption vulnerability, which affects all of the software listed above and is rated critical for all except Office. This is caused by improper handling of maliciously crafted embedded fonts by the Windows font library and can be exploited to accomplish remote code execution. The remaining three vulnerabilities are all elevation of privilege issues that in themselves are rated important. These are due to the failure of the kernel-mode driver to properly handle objects in memory.

The update fixes the problems by correcting the way the font library handles embedded fonts and the way the kernel-mode driver handles objects in memory.

MS16-040 (KB 3148541) This is an update to the Microsoft XML Core Services in Windows. It applies to all currently supported client and server releases of Windows, including Windows RT, 10 and server core installations, and is rated critical for all.

The update addresses a single remote code execution vulnerability in MSXML 3.0 that happens when the MSXML parser processes input from users.

The update fixes the problem by changing the way the MSXML parser processes user input.

MS16-042 (KB 3148775) This is an update for Microsoft Office. It applies to Office 2007, 2010, 2013, 2013 RT, and 2016 for Windows, 2011 and 2016 for Mac, the Office Compatibility Pack SP3, the Excel and Word Viewers and Office Web Apps 2010 and 2013, along with SharePoint Server 2007, 2010 and 2013. It is rated critical.

The update addresses four memory corruption vulnerabilities that could be exploited to accomplish remote code execution. There are workarounds for two of the vulnerabilities, which involve using Microsoft Office File Block policy by editing the registry. Full instructions can be found in the security bulletin at https://technet.microsoft.com/library/security/MS16-042.

The update fixes the problems by correcting the way Office handles objects in memory.

MS16-050 (KB 3154132) This is an update for the Adobe Flash Player running on Windows. It affects the Flash libraries in IE 10 and 11 and Edge, running on Windows 8.1, RT 8.1, and 10 as well as Server 2012 and 2012 R2. It does not affect the server core installations of Windows Server, which by default do not run a web browser. It is rated critical on client operating systems and moderate on servers.

The update addresses 10 vulnerabilities in Adobe Flash, which include type confusion, memory layout randomization bypass, use-after-free vulnerabilities, stack overflow, security bypass and directory search path vulnerabilities, and multiple memory corruption issues. There are mitigations and workarounds listed and described in the security bulletin at https://technet.microsoft.com/library/security/MS16-050.

The update fixes the problems by correcting these issues, as described in Adobe’s security bulletin APSB16-10, which is referenced from the Microsoft bulletin at https://technet.microsoft.com/library/security/MS16-050.

Important

MS16-041 (KB3148789) This is an update to the .NET Framework in Windows. It applies to versions 4.6 and 4.6.1 on Vista, Windows 7, Server 2008 and 2008 R2, including the Server Core installation. It is rated important for all versions.

The update addresses a single vulnerability in these versions of .NET Framework that occurs when input is improperly validated before loading libraries. It could be exploited to accomplish remote code execution, but the attacker would have to be able to access the system locally and be able to run a malicious application, hence the important rating.

The update fixes the problem by changing the way .NET validates input when loading libraries.

MS16-044 (KB3146706) This is an update for the Object Linking and Embedding (OLE) component in Windows. It applies to Vista, Windows 7, Windows 8.1 and RT 8.1, Server 2008, 2008 R2, 2012 and 2012 R2, including the server core installation. It does not affect Windows 10 and Server 2016. It is rated important on all affected operating systems.

The update addresses a single remote code execution vulnerability that occurs when OLE doesn’t properly validate user input, but to exploit it, the attacker would have to convince the user to open a specially crafted file or program from a web page or email message.

The update fixes the problem by changing the way OLE validates user input.

MS16-045 (KB 3143118) This is an update for Windows Hyper-V. It applies to Hyper-V in Windows 8.1 and 10 and in Server 2012 and 2012 R2. It is rated important on the affected systems.

The update addresses three vulnerabilities, two of which are information disclosure issues that occur when the Hyper-V host fails to properly validate input from authenticated users on the guest OS; an attacker could use these to gain access to information on the host OS. The other is a remote code execution vulnerability.

The update fixes the problems by changing the way Hyper-V validates guest operating system input from users.

MS16-046 (KB 3148538) This is an update for the Secondary Logon service in Windows. It applies only to Windows 10 (including version 1511). It is rated important.

The update addresses a single elevation of privilege vulnerability in the Secondary Logon service, which causes it to fail to properly manage requests in memory. This could allow an attacker to run arbitrary code as an administrator, but the attacker would have to be able to log onto the system first with valid credentials.

The update fixes the problem by changing the way the Secondary Logon service handles requests in memory.

MS16-047 (KB 3148527) This is an update for the Security Account Manager (SAM) and Local Security Authority Domain policy (LSAD) in Windows. It applies to all currently supported versions of Windows client and server operating systems, including server core installations. It is rated important for all.

The update addresses a single vulnerability that causes the SAM and LSAD remote protocols to accept authentication levels that do not adequately protect them, which an attacker could exploit to gain access to the SAM database, where users’ passwords are stored.

The update fixes the problem by changing the way the SAM and LSAD remote protocols handle authentication levels.

MS16-048 (KB 3148528) This is an update for the Client-Server Run-time Subsystem (CSRSS) in Windows. It applies to Windows 8.1, RT 8.1, Windows 10 and Server 2012 and 2012 R2, including server core installations. It is rated important for all affected operating systems.

The update addresses a single security feature bypass vulnerability in CSRSS that occurs when the subsystem doesn’t properly manage process tokens in memory, which could allow an attacker to run arbitrary code as an administrator. However, the attacker would first have to be able to log onto the system.

The update fixes the problem by changing the way Windows manages process tokens in memory.

MS16-049 (KB 3148795) This is an update for the HTTP.sys component in Windows. It applies only to Windows 10, including version 1511. It is rated important.

The update addresses a single vulnerability in the HTTP 2.0 protocol stack that happens when it improperly parses specially crafted HTTP 2.0 requests, which could allow an attacker to launch a denial of service attack causing the system to become unresponsive.

The update fixes the problem by changing the way Windows handles HTTP 2.0 requests.
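For readers who want to verify that this month’s batch actually landed on a host, here is an added PowerShell example (it is not part of the original post and not a Microsoft tool). It takes the bulletin-to-KB mapping from the list above, checks both the Win32_QuickFixEngineering hotfix list and the Windows Update Agent history, and reports which bulletin KBs were not found. The mapping uses the KB numbers given in this post; the package KB that actually gets installed on a particular platform can carry a different number, which is listed in each bulletin’s affected-software table, so treat a “missing” result as something to confirm rather than as proof the host is unpatched.

```powershell
# Added example (not from the original post): check a Windows host for the
# April 2016 Patch Tuesday bulletins by KB number.
# Assumptions: PowerShell 3.0 or later (for [ordered]), and the Windows Update
# Agent COM API being available (Microsoft.Update.Session).

# Bulletin -> KB mapping as given in the post (MS16-043 was not issued).
$Bulletins = [ordered]@{
    'MS16-037' = 'KB3148531'
    'MS16-038' = 'KB3148532'
    'MS16-039' = 'KB3148522'
    'MS16-040' = 'KB3148541'
    'MS16-041' = 'KB3148789'
    'MS16-042' = 'KB3148775'
    'MS16-044' = 'KB3146706'
    'MS16-045' = 'KB3143118'
    'MS16-046' = 'KB3148538'
    'MS16-047' = 'KB3148527'
    'MS16-048' = 'KB3148528'
    'MS16-049' = 'KB3148795'
    'MS16-050' = 'KB3154132'
}

# Source 1: hotfixes recorded in Win32_QuickFixEngineering (what Get-HotFix reads).
$installedHotfixes = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

# Source 2: Windows Update Agent history. Some packages (notably the Windows 10
# cumulative updates) show up here under their own KB even when QFE does not
# list the bulletin KB, so we pull KB numbers out of successful history entries.
$historyKbs = @()
try {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        $historyKbs = @($searcher.QueryHistory(0, $count) |
            Where-Object { $_.ResultCode -eq 2 } |   # 2 = orcSucceeded
            ForEach-Object {
                [regex]::Matches($_.Title, 'KB\d{6,7}') | ForEach-Object { $_.Value }
            })
    }
} catch {
    Write-Warning "Windows Update Agent history unavailable: $($_.Exception.Message)"
}

# Union of both sources, normalised to upper case for comparison.
$known = @($installedHotfixes + $historyKbs | ForEach-Object { $_.ToUpper() } | Sort-Object -Unique)

$report = foreach ($entry in $Bulletins.GetEnumerator()) {
    [pscustomobject]@{
        Bulletin  = $entry.Key
        KB        = $entry.Value
        Installed = ($known -contains $entry.Value.ToUpper())
    }
}

$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} bulletin KBs not found on {2}; confirm against the per-platform package KBs in each bulletin before treating the host as unpatched." -f $missing.Count, @($report).Count, $env:COMPUTERNAME)
}
```

Run it in an elevated PowerShell session on the host you want to audit; the Windows Update Agent history query works without elevation, but Get-HotFix needs WMI access. Because the bulletins that apply to a given machine depend on its OS and installed software (for example, MS16-041 only applies to .NET 4.6/4.6.1 on the older platforms, and MS16-046 and MS16-049 only to Windows 10), a “not found” for a bulletin that does not apply to that host is expected and not a gap.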