March 2016 Patch Tuesday highlights Windows 10 security

Microsoft's March 2016 Patch Tuesday release has put Windows 10 security on display for good and bad, experts say.

Microsoft released its March 2016 Patch Tuesday fixes today, which included 13 bulletins -- five of which are rated critical. Experts said no bulletins address vulnerabilities in complex environments, although all patches should be applied as soon as possible.

"System administrators will be relieved that the March bulletin should be generally straightforward, as it does not contain patches for any of the typically complex environments, such as Exchange and SharePoint," said Craig Young, security researcher at Tripwire Inc., based in Portland, Ore. "While it is still imperative that users deploy the patches as soon as possible, it is nice to see that none of the issues fixed this month were publicly disclosed or exploited ahead of the patch drop."

Experts said the top priority for patching should go to MS16-023, the standard cumulative Internet Explorer (IE) patch bulletin, and MS16-024, which covers patches for the newer Microsoft Edge browser.

Wolfgang Kandek, CTO at Qualys Inc., in Redwood City, Calif., put IE patches at the top of his list, because all 13 patches in the bulletin are rated critical. "Exploitation of these critical vulnerabilities yields the most dangerous result: remote code execution (RCE), which gives the attacker complete control over the target's machine," Kandek wrote in a blog post.

Kandek noted that Windows 10 security is at risk in the Edge bulletin, because it contains 11 patches -- 10 of which are rated critical.

"[This shows] that security researchers have been focusing their attention on Edge, which has slowly lost ground on Internet Explorer in terms of vulnerabilities: In December 2015, we were still 30 [IE vulnerabilities] to 15 [for Edge] versus now in March at 13 to 11," Kandek said.

However, Windows 10 security was also shown to have benefits in mitigating the risks of MS16-026, which takes care of yet another vulnerability related to Windows font handling that could lead to remote code execution.

Experts recently noted that Windows font-handling flaws have become a staple of the monthly Patch Tuesday releases, but Young said enhanced Windows 10 security measures are making a difference.

"Although all of the affected operating systems are prone to denial-of-service [attacks] or code execution as a result of CVE-2016-0120 and CVE-2016-0121, respectively, Microsoft notes that the impact is not actually the same for Windows 10 systems, compared with the older OS versions," Young said. "In the case of the DoS attack, the Windows 10 architecture manages to limit the attack to a single affected application, rather than the entire system. In the case of the code execution bug, an attacker might be able to take complete control over the system, as opposed to under Windows 10, where code execution happens within an AppContainer sandbox process having limited privileges."

Young chose MS16-033, which addresses a flaw in Windows allowing for elevation of privilege if an attacker with physical access inserts a specially crafted USB device into the system, as the most interesting bulletin this month. Young said despite the requirement of physical access to the target machine, the results could be more serious than the "important" rating implies.

"What is interesting about this one is that the malicious USB device could be used to exploit even locked workstations, where an attacker has temporary physical access," Young said. "Another big difference is that since MS16-033 is a driver vulnerability, it gives the attacker a direct path to code execution within the kernel, as opposed to in the context of a logged-in user."

Bulletins MS16-027, MS16-028 and MS16-029 are all critical bulletins resolving RCE vulnerabilities in commonly used software -- Windows Media Player, Windows PDF Library and Microsoft Office, respectively -- and should be prioritized if a user opens specially crafted media content hosted on a website.

"The continuous stream of vulnerabilities in these areas indicates just how complex the media formats are that we deal with every day," Kandek said.

The remaining bulletins address important vulnerabilities and should be handled as schedules permit, experts said. The MS16-025 bulletin takes care of an important flaw in how Windows validates libraries, which could lead to remote code execution. MS16-028 patches flaws in the Windows PDF Library that could lead to RCE if a user opens a malicious PDF. MS16-030 covers RCE vulnerabilities, which could be exploited if the Windows OLE framework fails to properly validate user input. MS16-031, MS16-032 and MS16-034 all resolve elevation of privilege vulnerabilities in Windows, Windows Secondary Logon Service and the Windows Kernel-Mode drivers, respectively. And MS16-035 fixes a security feature bypass flaw in the .NET Framework component that does not properly validate certain elements of a signed XML document.

Which patch is most important for your organization?

Except on Windows 7 you will have to check to ENSURE that Microsoft DON'T sneak in any WIN10 NAGS, always a problem, they cannot be trusted. (found 3 in my lists)

We can only be grateful that Microsoft didn't go into.... Oh wait, most services are run on Windows software and the very thought is terrifying. While I fully expect yet another patch to patch yet another breach, I have little confidence it'll come on time. When the hackers have all the data they want and all the money they need, I fear they'll turn to their own amusement. And that really won't be pretty.

I don't know why people are so surprised about security updates. If nothing else this is proof of the longevity and shortsightedness of those who think they can completely test any product.