February is the shortest month of the year, so you might think it would have the fewest security updates, but that proved to be only wishful thinking when Microsoft released this month's slate of vulnerability fixes. Obviously not superstitious, the company put out 13 patches for Windows client and server operating systems, Office, the .NET Framework and Adobe Flash on Windows. Six of these are rated critical and the rest are classified as important.

Windows users also need to be aware that Oracle released an emergency patch for Java installers on Windows. We'll cover that in more detail in this month's Third Party Patch Roundup later in the month, but if you're doing a new installation of Java 6, 7 or 8 on a Windows machine, be sure to get this updated installer, as the flaw carries a high severity rating. According to Oracle, existing installations of Java are not at risk; the details are in Oracle's security alert for the emergency patch.

In other security-related news this month, if you’ve upgraded to Windows 10, you might want to check out Microsoft’s new web site that’s dedicated to Windows 10 security.  It contains a lot of good information that you can use to explain to both management and users the security benefits of the new operating system.

Now here we go with some details about this month’s patches. Remember how last month’s patches skipped a number, going from MS16-008 to -010?  Well, the missing 009 has been found and is included in this month’s updates. For more detailed information about each, see the Security Bulletin Summary on the TechNet web site at: https://technet.microsoft.com/en-us/library/security/ms16-Feb

Critical

MS16-009 (KB3134220) This is the usual cumulative update for Internet Explorer that we have come to expect every month. It applies to IE 9, 10 and 11 running on Windows Vista, 7, 8.1 and 10 as well as RT 8.1, and Windows Server 2008, 2008 R2, 2012 and 2012 R2. It is rated critical on client machines and moderate on servers.

The update addresses 13 vulnerabilities, including multiple memory corruption issues, a pair of elevation of privilege issues, a spoofing vulnerability and a DLL loading remote code execution vulnerability. The memory corruption flaws can also be exploited to achieve remote code execution.  There are no identified mitigations or workarounds.

The update fixes the problems by changing the way IE handles objects in memory and how OLE validates input, as well as fixing the way HTTP responses are parsed and ensuring that cross domain policies are enforced properly.

MS16-011 (KB3134225) This is a cumulative update for the new Edge browser, similar to the IE cumulative update. It applies only to Windows 10, since Edge runs only on that OS: 32 and 64 bit Windows 10, including version 1511. It is rated critical.

The update addresses fewer vulnerabilities than the IE update – only six. Four of these are memory corruption issues, one is the spoofing vulnerability, and there is also an ASLR bypass vulnerability in this batch. The memory corruption issues can be exploited to accomplish remote code execution, thus the critical rating on Windows clients.

The update fixes the problems by changing the way Edge handles objects in memory and fixing the way HTTP responses are parsed, and ensures that Edge implements the ASLR security feature properly.

MS16-012 (KB3138938) This is an update to the Windows PDF Library that affects Windows 8.1, Windows 10 and Server 2012 and 2012 R2, including the server core installation. It is rated critical on all affected systems.

The update addresses two vulnerabilities. One is a PDF library buffer overflow and the other is a Microsoft Windows Reader vulnerability. Both can be exploited to achieve remote code execution. Windows Reader is the PDF reader app that is shipped with Windows 8 and above for reading PDF, XPS and TIFF files without installing Adobe Reader.

The update fixes the problems by modifying the way memory is handled by the PDF library and changing the way the Windows Reader app parses files.

MS16-013 (KB3134811) This is an update to the Windows Journal component in all supported versions of Windows: Windows Vista, 7, 8.1 and 10, and all supported editions of Windows Server 2008, 2008 R2, 2012 and 2012 R2.  It is rated critical for all affected systems.

The update addresses a single memory corruption vulnerability in Windows Journal, the notetaking application that has shipped with Windows since the XP Tablet PC Edition. The vulnerability can be exploited to achieve remote code execution if a user opens a specially crafted Journal file. Note that Journal is not installed by default on Windows Server. On 2008 R2, 2012 and 2012 R2 it is only installed if you have enabled Ink and Handwriting Services, and on Server 2008 it is only installed if you enabled the Desktop Experience feature. If Journal is not installed on your server, this update won't be offered.

The update fixes the problem by changing the way the Journal parses files.  There is a workaround published in the security bulletin, which involves turning off the Tablet PC Components in Vista or Windows 7, or removing the .jnt file type by editing the registry. For instructions on doing so, see the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-013.aspx
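As an added example (this is not Microsoft's code or anything from the bulletin), the following PowerShell script reports whether Windows Journal and the .jnt file association are present on a machine and, when run with -Remove, backs up and then deletes the HKEY_CLASSES_ROOT\.jnt key, which is the registry form of the workaround described above. The backup file location is an assumption; run it from an elevated prompt.

```powershell
# Added example, not Microsoft's code. Reports whether Windows Journal and the
# .jnt file association exist, and with -Remove backs up and deletes the
# HKEY_CLASSES_ROOT\.jnt key (the registry workaround in MS16-013). Run elevated.
param(
    [switch]$Remove,
    [string]$BackupPath = "$env:SystemDrive\jnt-assoc-backup.reg"   # assumed location
)

$journalExe = Join-Path $env:ProgramFiles 'Windows Journal\Journal.exe'
$assocKey   = 'Registry::HKEY_CLASSES_ROOT\.jnt'

$journalInstalled = Test-Path $journalExe
$assocPresent     = Test-Path $assocKey

Write-Host "Windows Journal installed : $journalInstalled"
Write-Host ".jnt association present  : $assocPresent"

if ($assocPresent) {
    # The key's default value names the ProgID that handles .jnt files.
    $progId = (Get-ItemProperty -Path $assocKey).'(default)'
    Write-Host ".jnt handler ProgID       : $progId"
}

if (-not $Remove) { return }
if (-not $assocPresent) { Write-Host 'Nothing to remove.'; return }

# Export first so the association can be restored once KB3134811 is installed:
#   reg.exe import <backup file>
& reg.exe export 'HKEY_CLASSES_ROOT\.jnt' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed; leaving the key in place" }

Remove-Item -Path $assocKey -Recurse -Force
Write-Host "Removed HKCR\.jnt; backup written to $BackupPath"
```

Removing the association only stops .jnt files from opening with a double-click; a user can still open one from inside Journal, so treat this as a stopgap until the update is deployed and then import the backup to restore normal behaviour.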

MS16-015 (KB3134226) This is an update for Microsoft Office that affects currently supported versions of Office: 2007, 2010, 2013, 2013 RT and 2016 for Windows, Office 2011 and 2016 for Mac, the Office Compatibility Pack SP3, and the Excel and Word Viewers. It is rated Critical for some versions and Important for others. Also affected are Excel Services and Word Automation Services on SharePoint Server 2010 and 2013, Office Web Apps 2010 and 2013, and SharePoint Foundation 2013 with SP1.

The update addresses seven vulnerabilities. Six are memory corruption issues in Office applications, several of which also affect the Office services and SharePoint components listed above; all six can be exploited to achieve remote code execution when a user opens a specially crafted file. The seventh is a cross-site scripting (XSS) flaw in SharePoint that Microsoft classes as an elevation of privilege issue.

The update fixes the problems by changing the way Office handles objects in memory. There are no identified mitigations or workarounds and none of these vulnerabilities are known to have been exploited prior to the patch release, although the SharePoint XSS vulnerability addressed by this update had been publicly disclosed.

MS16-022 (KB3135782) The last of this month's critical updates is a security update for Adobe Flash Player running on Windows 8.1, Windows RT 8.1 and Windows 10 (including version 1511) as well as Server 2012 and 2012 R2, using IE 10 or 11 or Microsoft Edge. It is rated critical for all affected client systems and moderate for servers.

The update addresses 22 vulnerabilities in Flash Player, which are described in more detail in Adobe's security bulletin APSB16-04 and which we will discuss in more detail in the Third Party Patch Roundup. The most severe can be exploited to accomplish remote code execution. There are both mitigations and workarounds published in the security bulletin, which you can find at https://technet.microsoft.com/en-us/library/security/ms16-022.aspx . The workarounds include using Group Policy or editing the registry to prevent Adobe Flash Player from running in Internet Explorer.

The update fixes the problems by updating the Flash libraries that are included in the IE and Edge web browsers.
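As an added example that is not part of the bulletin, this PowerShell script reports whether Internet Explorer's Flash Player ActiveX control is blocked by a kill bit and, with -Apply, sets one. It assumes the standard Shockwave Flash Object CLSID and the 0x400 Compatibility Flags value IE uses for kill bits; it does not affect Edge, which the bulletin covers separately. Run it elevated.

```powershell
# Added example, not Microsoft's code. Reports whether IE's Flash Player ActiveX
# control (Shockwave Flash Object CLSID) carries the kill bit, and with -Apply
# sets it, which is the registry form of the MS16-022 "prevent Flash from
# running in IE" workaround. Edge is not covered by this key. Run elevated.
param([switch]$Apply)

$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$killBit    = 0x400   # Compatibility Flags bit that tells IE never to load the control

$keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid")
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit IE processes on 64-bit Windows read the Wow6432Node view.
    $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
}

foreach ($key in $keys) {
    $flags = 0
    if (Test-Path $key) {
        $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $current) { $flags = [int]$current }
    }
    $isSet = (($flags -band $killBit) -ne 0)
    Write-Host ('{0}' -f $key)
    Write-Host ('  kill bit set: {0}  (Compatibility Flags = 0x{1:X})' -f $isSet, $flags)

    if ($Apply -and -not $isSet) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Preserve any other flags already present and add the kill bit.
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                         -Value ($flags -bor $killBit) -Force | Out-Null
        Write-Host '  kill bit applied; restart Internet Explorer'
    }
}
```

The kill bit is checked by IE at control load time, so it takes effect for new browser sessions without a reboot; clearing the 0x400 bit (or deleting the key) restores Flash once the update is in place.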

Important

MS16-014 (KB3134228) This is an update to the Windows OS that affects all supported versions of the operating system: Vista, 7, 8.1, 10 and RT 8.1, as well as Server 2008, 2008 R2, 2012 and 2012 R2, including the server core installations. It is rated important for all affected systems.

The update addresses five vulnerabilities: two DLL loading remote code execution vulnerabilities, a DLL loading denial of service in the Sync Framework, an elevation of privilege issue in the Windows kernel, and a Kerberos security feature bypass. Not all of the vulnerabilities are applicable to all of the operating system versions and editions. The most severe can be exploited to accomplish remote code execution, but only by an attacker who can already log on to the target system or who can get a user to open a file from a location where a malicious DLL has been planted, thus the important rating rather than critical.

The update fixes the problems by making changes to the way the Windows kernel handles objects in memory, the way Windows validates input before loading DLL files, and the way the Sync Framework validates input, and also adds an additional authentication check.

MS16-016 (KB3136041) This is an update to WebDAV in Windows, and it affects Windows Vista, 7, 8.1, RT 8.1 and 10 as well as Server 2008, 2008 R2, 2012, 2012 R2. It is rated Important for the older operating systems (Vista, 7 and Server 2008/2008 R2) and moderate for the rest.

The update addresses a single vulnerability in the WebDAV component. WebDAV is the Web Distributed Authoring and Versioning extension to HTTP that is used for editing and management of remote web content. It’s an IETF standard that has support built into most modern operating systems. The vulnerability is an elevation of privilege issue with a relatively low severity rating because although it could be used to execute arbitrary code with elevated privileges, the attacker would have to be able to log onto the system to exploit it.

The update fixes the problem by changing the way WebDAV validates input.

MS16-017 (KB3134700) This is an update to the Remote Desktop Display Driver in Windows and affects Windows 7, 8.1 and 10 as well as Server 2012 and 2012 R2, but only those machines on which Remote Desktop Protocol (RDP) is enabled.

The update addresses a single elevation of privilege vulnerability in the Remote Desktop display driver: an attacker who has established an authenticated RDP session to the target and sends it specially crafted data could run arbitrary code with elevated privileges. However, RDP is not enabled by default in Windows, and the attacker first needs valid credentials that are allowed to connect over RDP, which is why the rating is Important. There is a workaround that involves disabling RDP via Group Policy. You can find the instructions to do so in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-017.aspx .

The update fixes the problem by changing the way RDP handles objects in memory.
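As an added example that is not from the bulletin, this PowerShell script shows whether RDP is actually enabled on a machine (taking into account that a Group Policy value overrides the local setting), whether Network Level Authentication is required, and which accounts are in the Remote Desktop Users group, since MS16-017 can only be reached by someone who can authenticate over RDP. With -Disable it turns RDP off locally, which is the same setting the bulletin's Group Policy workaround pushes centrally. The registry locations are the standard Terminal Services ones; run it elevated.

```powershell
# Added example, not Microsoft's code. Shows whether RDP is reachable on this
# machine and the two things that bound exposure to MS16-017 (an authenticated
# RDP session is required): NLA and the Remote Desktop Users group. With
# -Disable it turns RDP off locally. Run elevated.
param([switch]$Disable)

$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tcpKey    = "$localKey\WinStations\RDP-Tcp"

function Get-DwordOrNull([string]$Path, [string]$Name) {
    if (-not (Test-Path $Path)) { return $null }
    $v = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { return $null }
    return [int]$v
}

$policyDeny = Get-DwordOrNull $policyKey 'fDenyTSConnections'   # written by Group Policy
$localDeny  = Get-DwordOrNull $localKey  'fDenyTSConnections'   # System Properties setting
$nla        = Get-DwordOrNull $tcpKey    'UserAuthentication'   # 1 = NLA required

# A Group Policy value, when present, wins over the local one.
$effectiveDeny = if ($null -ne $policyDeny) { $policyDeny } else { $localDeny }
$source        = if ($null -ne $policyDeny) { 'Group Policy' } else { 'local setting' }
$rdpEnabled    = ($effectiveDeny -eq 0)

# Members of the local Remote Desktop Users group (plus Administrators) are the
# accounts that could reach the vulnerable code path.
$members = ([ADSI]'WinNT://./Remote Desktop Users,group').psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }

Write-Host "RDP enabled          : $rdpEnabled ($source)"
Write-Host "NLA required         : $($nla -eq 1)"
Write-Host "Remote Desktop Users : $(($members -join ', '))"

if ($Disable -and $rdpEnabled) {
    if ($null -ne $policyDeny) {
        Write-Warning 'RDP is enabled by Group Policy; change it in the GPO, a local edit will be overwritten.'
    } else {
        Set-ItemProperty -Path $localKey -Name 'fDenyTSConnections' -Value 1 -Type DWord
        Write-Host 'RDP disabled locally (fDenyTSConnections = 1)'
    }
}
```

Where RDP has to stay on, requiring NLA and pruning the Remote Desktop Users group are the practical ways to shrink the set of accounts that could trigger this bug before the update is applied.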

MS16-018 (KB3136082) This is an update for the Windows kernel mode drivers that affects all supported versions of Windows: Windows Vista, 7, 8.1, RT 8.1 and 10, and all supported editions of Windows Server 2008, 2008 R2, 2012 and 2012 R2, including the server core installations.  It is rated Important for all affected systems.

The update addresses a single elevation of privilege vulnerability in the kernel mode driver whereby the driver does not handle objects in memory properly. This means an attacker could potentially run arbitrary code in kernel mode. However, the attacker would have to be able to first log onto the system to exploit this vulnerability, thus the Important rating instead of Critical. There are no mitigations or workarounds published.

The update fixes the problem by changing the way the Windows kernel mode driver handles objects in memory.

MS16-019 (KB3137893) This is an update to the Microsoft .NET Framework versions 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6 and 4.6.1 running on Windows Vista, 7, 8.1, RT 8.1 and 10, as well as Server 2008, 2008 R2, 2012 and 2012 R2, including server core installations. It is rated Important on all affected systems.

The update addresses two vulnerabilities. One is a stack overflow vulnerability that could be exploited to create a denial of service condition, degrading performance, by inserting specially crafted Extensible Stylesheet Language Transformations (XSLT) into an XML Web Part. There is no published mitigation, but the workaround is to avoid loading XSLT stylesheets from untrusted sources. The second vulnerability is in .NET's Windows Forms (WinForms), which handles icon data improperly, and can lead to information disclosure. There are no published mitigations or workarounds for this one.

The update fixes both problems by changing the way WinForms validates decoder results and also changing the way .NET Framework handles XSLT.

MS16-020 (KB3134222) This is an update to the Active Directory Federation Services (AD FS) version 3.0 installed on Windows Server 2012 R2, including the server core edition. It is rated Important.

The update addresses a single vulnerability in AD FS that could be exploited to create a denial of service condition by sending specific input during forms-based authentication. There are no published mitigations or workarounds for this vulnerability.

The update fixes the problem by adding more checks on input data during the forms-based authentication process.

MS16-021 (KB3133043) This is an update for the Network Policy Server (NPS) RADIUS server in Windows Server 2008 and 2008 R2, and Server 2012 and 2012 R2, including server core installations. It is rated Important for all affected systems.

The update addresses a single vulnerability that could be exploited to create a denial of service condition by sending specially crafted username strings to the NPS server. There are no published mitigations or workarounds for this.

The update fixes the problem by changing the way NPS parses username queries in RADIUS.
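To check a machine against the full list above, here is an added PowerShell example (not part of this article's source material) that uses the Windows Update Agent COM API to map this month's bulletin IDs to the updates the machine is offered or has installed. It matches on the SecurityBulletinIDs property rather than on KB numbers, because several of the KB numbers quoted above are umbrella articles for multiple packages, and on Windows 10 the fixes arrive in a single cumulative update under a different KB. The bulletin IDs are the ones listed in this post; the machine must be able to reach Windows Update or its WSUS server, and on a WSUS-managed machine only approved updates will be reported.

```powershell
# Added example, not Microsoft's code. Uses the Windows Update Agent COM API to
# map this month's bulletin IDs (as listed in this article) to the updates the
# local machine is offered or has installed. Matching on SecurityBulletinIDs
# rather than KB numbers handles umbrella KBs and Windows 10 cumulative updates.
# Needs access to Windows Update or WSUS.
$bulletins = 'MS16-009','MS16-011','MS16-012','MS16-013','MS16-014','MS16-015',
             'MS16-016','MS16-017','MS16-018','MS16-019','MS16-020','MS16-021','MS16-022'

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Two searches: what is installed and what is still pending. Type='Software'
# leaves drivers out.
$results = @{}
foreach ($q in "IsInstalled=1 and Type='Software'", "IsInstalled=0 and Type='Software'") {
    foreach ($u in $searcher.Search($q).Updates) {
        foreach ($id in $u.SecurityBulletinIDs) {
            if ($bulletins -notcontains $id) { continue }
            if (-not $results.ContainsKey($id)) { $results[$id] = @() }
            $results[$id] += [pscustomobject]@{
                Installed = [bool]$u.IsInstalled
                KBs       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
                Title     = $u.Title
            }
        }
    }
}

foreach ($id in $bulletins) {
    if (-not $results.ContainsKey($id)) {
        '{0}  not offered  (not applicable here, or superseded by a later update)' -f $id
        continue
    }
    foreach ($r in $results[$id]) {
        $state = if ($r.Installed) { 'installed  ' } else { 'MISSING    ' }
        '{0}  {1}  {2}  {3}' -f $id, $state, $r.KBs, $r.Title
    }
}
```

A bulletin that shows as "not offered" is not automatically good news: it usually means the component is not installed (Journal on a server, NPS on a client, AD FS anywhere but 2012 R2), but it can also mean the update has been superseded or, on WSUS, simply not approved yet, so cross-check those cases rather than assuming they are covered.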