J003-Content-PatchTue_SQHere in Texas, the old year went out with a bang, not a whimper, as my suburban town was devastated by tornados that destroyed homes and businesses. Only a couple of weeks later, though, citizens have rallied together and are rebuilding. It’s a brand new year, and we’re determined to make our city better and stronger than ever.

That’s the same attitude that we have to have if our networks suffer from a security breach. The basic response strategy is the same whether we’re talking about a physical or digital disaster: assess the damage, repair it, and take preventative actions to better defend against it happening again.

Security updates comprise a big element in our defensive process. I’ve had the opportunity to talk in person with members of the Microsoft Security Response Center and those folks are hard at work all the time, working with security researchers both inside and outside the company and all over the world, to ferret out vulnerabilities in the software before the bad guys find and exploit them. It’s a never-ending race and unfortunately, there is no finish line. But these dedicated teams keep on running, like some sort of immortal marathoners, to stay ahead of the hackers, crackers and attackers.

To kick off the new year on this first Patch Tuesday of 2016, Microsoft is releasing nine updates, but the big news for January 12 is that Microsoft is ending support for Windows 8, as well as versions 8, 9 and 10 of Internet Explorer.  Well, sort of.  If you’ve seen the headlines declaring this, you might be confused by the fact that the cumulative update for IE does, in fact, apply to some of those earlier versions. Here’s the full story, straight from the Microsoft support web site:

Beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates.

What that means is that IE 9, for example, will be supported only on Vista SP2 and Server 2009 SP2 and IA64, IE 10 is only supported on Server 2012, and so forth. Even IE 7 and 8 are still getting updates – but only on Windows Embedded operating systems. You can find the entire lifecycle table here:
https://support.microsoft.com/en-us/lifecycle#gp/Microsoft-Internet-Explorer

The slate of updates includes cumulative packages for both IE and Edge (as usual), four updates to Windows, one for Office, one for Silverlight, and one for Exchange Server.  Six of the updates are rated critical and the other three are classified as important.

If you’re observant, you might have noticed that this month’s updates begin with 001 and end with 010 – but there aren’t ten of them. 009 is missing in action.

So here we go with this month’s updates. For more detailed information about each, see the Security Bulletin Summary on the TechNet web site at:
https://technet.microsoft.com/library/security/ms16-jan

Critical

MS16-001 (KB 3124903) This is the regular cumulative update for Internet Explorer that applies to versions 7, 8, 9, 10 and 11 (all supported versions) on all currently supported Windows client and server operating systems. Server core installations that do not include a web browser are not affected. It is rated critical on Windows clients and moderate on the server operating systems. As noted above, as of the date of this release only the most recent version of IE available for each OS version is supported.

Surprisingly, this update addresses only two vulnerabilities. One is a scripting engine memory corruption issue and the other is an elevation of privilege vulnerability. The former can be used to accomplish remote code execution via a web-based attack or by embedding an ActiveX control in an Office doc or application. The latter occurs in instances where IE doesn’t properly enforce cross-domain policies. An attacker could exploit this through a web site hosted by the attacker or inserted in a legit site that accepts user-provided content. There is a workaround for the first vulnerability that you can find in the security bulletin.

The update fixes the problems by changing the way the VBScript engine handles objects in memory and ensuring that cross-domain policies are enforced.

MS16-002 (KB3124904) This is the regular cumulative update for the new Edge web browser that runs on Windows 10. It applies to all current supported builds of Edge on both 32 and 64 bit systems and is rated critical on all of them.

Like the IE update, this one addresses only two vulnerabilities and one is a scripting engine memory corruption vulnerability, this time in the Chakra JavaScript engine. The other is also a memory corruption issue, and either of these could be exploited via a web-based attack scenario to allow the attacker to gain the same rights as the current user. There are no identified mitigations or workarounds for either.

The update fixes the problems by changing the way Edge handles objects in memory and by modifying the handling of objects in memory by the Chakra scripting engine.

MS16-003 (KB3125540) This is an update for the JScript and VBScript components in Windows. It applies to only Windows Vista and Server 2008 (32 and 64 bit and Itanium) and 2008 R2 64 bit server core installation only. It is rated critical for all affected systems.

The update addresses a single vulnerability, which is a memory corruption issue in the scripting engine. This could be exploited by an attacker to remotely execute arbitrary code, by embedding an ActiveX control in an application or Office document or through a compromised or attacker-hosted web site containing exploit code. There is a workaround that involves restricting access to VBScript.dll via an administrative command prompt, but this could negatively impact any web sites that use VBScript. The instructions are available in the security bulletin.

The update fixes the problem by changing the way the VBScript engine handles objects in memory.

MS16-004 (KB3124585) This is an update for Microsoft Office that addresses multiple memory corruption vulnerabilities in Office applications. It affects Office 2007 SP3 and the individual Excel, PowerPoint, Visio and Word 2007 applications, Office 2010 SP2 and the same individual applications, Office 2013 SP1 and the same individual applications, Office 2016 and the same individual applications, Office 2013 RT and Excel, PowerPoint and Word 2013 RT, as well as Office for Mac 2011 and Office 2016 for Mac (Excel, Word and PowerPoint), the Office Compatibility Pack SP3 and the Excel and Word Viewers. The update is rated critical for all of the above affected software.

This update also applies to SharePoint Server 2013, SharePoint Foundation 2013 and the Visual Basic 6.0 Runtime, and is rated important for these products.

This update addresses two memory corruption vulnerabilities, which can be exploited to accomplish remote code execution, two security feature bypass vulnerabilities that relate to improper enforcement of Access Control Policies in SharePoint, and an ASLR bypass vulnerability in Office. There are no identified mitigations or workarounds for any of these vulnerabilities.

The update fixes the problems by changing the way Office handles objects in memory and ensuring that Office implements the ASLR security mechanism correctly, and makes sure SharePoint enforces the ACP settings that have been configured.

MS16-005 (KB3124584) This is an update for a pair of memory-handling vulnerabilities in the kernel mode drivers in Windows. It applies to all currently supported versions of Windows: Vista, 7, 8/8.1, RT and RT 8.1, 10, and Server 2008, 2008 R2, 2012 and 2012 R2. This includes server core installations.  It is rated critical for all except Windows 8/8.1, RT/RT8.1 and 10 and Server 2012/2012R2, for which it’s rated important.

The update addresses two vulnerabilities. One is an ASLR bypass issue in the GDI32.dll component by which Windows’ graphics device interface’s handling of objects in memory could be exploited by an attacker via a web-based scenario, a maliciously crafted email message or Office document attachment, or a malicious file hosted on a network share or otherwise shared with the targeted victim. The second vulnerability is a memory handling issue that could be exploited to accomplish remote code execution. There are no identified mitigations or workarounds for either of these.

The update fixes the problems by changing the way Windows handles objects in memory.

MS16-006 (KB3126036) This is an update for the Silverlight application framework designed to plug into the web browser for delivery of rich application and media content on the Web. It applies to Silverlight 5 and Silverlight 5 Developer Runtime installed on Mac and all supported versions of Windows client and server operating systems. It is rated critical for all affected operating systems.

The update addresses a single vulnerability that is related to decoding of strings using a malicious decoder, and it could be exploited by an attacker by causing Silverlight to replace unsafe object headers with the contents the attacker provides. This could allow the attacker to take control of the system if the user is logged on as an admin. There are no identified mitigations or workarounds for the vulnerability.

The update fixes the problem by changing the way Silverlight validates decoder results.

Important

MS16-007 (KB3124901) This is an update that fixes multiple vulnerabilities of different types in Windows. It affects all currently supported versions of the Windows operating system: Vista, 7, 8/8.1, RT/RT8.1, 10 and Server 2008, 2008 R2, 2012 and 2012 R2, including the server core installations. It is rated important for all affected systems.

The update addresses six vulnerabilities. These include two DLL loading elevation of privilege vulnerabilities, a heap corruption vulnerability in DirectShow that could be exploited to accomplish remote code execution, two DDL loading remote code execution vulnerabilities, and a security bypass vulnerability in Windows Remote Desktop Protocol (RDP) that can be exploited by using an older version of the RDP client to connect to a Windows 10 remote desktop host. There are no identified mitigations or workarounds for any of these vulnerabilities.

The update fixes the problems by changing the way Windows validates input before it loads Dynamic Link Library files, changing the way user input is validated by DirectShow and enforcing the (default) setting to not allow accounts to log on remotely without a password.

MS16-008 (KB3124605) This is an update for two vulnerabilities in the Window kernel. It affects all currently supported versions of the Windows operating system: Vista, 7, 8/8.1, RT/RT8.1, 10 and Server 2008, 2008 R2, 2012 and 2012 R2, including the server core installations. It is rated important for all affected systems.

The update addresses a pair of vulnerabilities, both of which are elevation of privilege issues that have to do with Windows mount points (reparse points). The problem occurs when Windows validates the reparse points set by sandbox applications. The good news is that an attacker would have to be able to log onto the system in order to exploit the vulnerabilities. There are no identified mitigations or workaround for either of them.

The update fixes the problem by changing the way Windows handles the creation of mount points in certain circumstances.

MS16-010 (KB3124557) This is an update for Microsoft’s Exchange Server mail server. It affects the two most recent versions, Exchange 2013 (with SP1, CU 10 and CU 11) and 2016, and it is rated important for all of the affected software.

The update addresses four vulnerabilities, all of which are spoofing vulnerabilities that occur in Microsoft Outlook Web Access (OWA) when it doesn’t handle web requests properly. These could be exploited by an attacker by sending a specially crafted email message that contains a malicious link or by convincing the targeted victim to click on a malicious link in a chat session. There is a mitigating factor in that the attacker would have to be an authenticated Exchange user, and the victim would have to be convinced to take action and click the link. No workarounds have been published.

The update fixes the problem by changing the way OWA validates web requests and making sure that user input and email content are sanitized properly.