vege - Fotolia

January 2016 Patch Tuesday: Address-spoofing patch starts the new year

Microsoft's January 2016 Patch Tuesday started the year with the IE end of life for older versions of the browser and an important address-spoofing patch.

Microsoft released its January 2016 Patch Tuesday fixes today, with nine total bulletins, including six that patched critical remote code execution vulnerabilities, as well as the last batch of patches for older versions of Internet Explorer.

Despite there being six critical bulletins to choose from, experts saw a bulletin rated only as important -- MS16-010 -- as the one that should be at the top of the patch priority list for enterprises. The bulletin resolves vulnerabilities in the Microsoft Exchange Server that could lead to address spoofing if Outlook Web Access fails to properly handle Web requests, and sanitize user input and email content.

According to Bobby Kuzma, CISSP and systems engineer for Boston-based Core Security, this patch is important "because of the variety of spoofing and masquerade options it gives an attacker. If organizations are relying solely on passwords for authentication without a second factor, they're more vulnerable to redirection-based phishing and similar attacks."

Craig Young, security researcher for Tripwire's Vulnerability and Exposure Research Team, noted that this patch could prevent attacks that are potentially very costly.

"This patch closes three vulnerabilities that could lead to significant and direct financial losses through so-called business email compromise (BEC)," Young said. "According to the FBI, BEC has cost businesses around the world upwards of $1.2 billion. This type of attack tends to rely on the ability of an attacker to convince a victim that emails came from someone else within the firm in a position of authority. The ability to make phishing emails legitimately appear to come from an internal address is a tremendous advantage for attackers."

MS16-001 and MS16-002 are the cumulative bulletins for Internet Explorer (IE) and Microsoft Edge, respectively. Importantly, this marks the IE end of life for older versions of the browser. Internet Explorer 8 is being retired for all systems, while Windows Vista SP2 and Windows Server 2008 SP2 will still receive security updates for IE 9 and 10, and Windows Server 2012 users will still get security updates for IE 10.

Young warned enterprises that attackers have likely been waiting for this end of life and will be targeting older versions of IE as new vulnerabilities are reported.

"It is safe to assume that cybercriminals have been stockpiling IE vulnerability information ahead of the support cutoff, and they will easily learn new attack techniques for older versions by analyzing future IE 11 updates," Young said. "Rough estimates indicate that more than two-thirds of the vulnerabilities addressed in IE 11 also required patching in previous IE versions."

According to Tim Erlin, director of IT security and risk strategy for Tripwire, there are no excuses for not carrying out browser updates.

"Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE 11," Erlin said. "For applications that aren't ready in time, IE 11 offers a compatibility mode, which should provide an interim solution until those applications are modernized. If you don't have a transition plan in place yet, now is the time to put one in place -- the longer older versions of IE are unsupported, the more attackers will target them."

In addition to the IE end of life, Windows 8 will also no longer receive updates after today. According to Microsoft, users must update to Windows 8.1 in order to continue receiving security patches.

MS16-005 is a bulletin that should be a priority for enterprises running Windows Vista, Windows 7 or Server 2008, according to Qualys CTO Wolfgang Kandek. The patch resolves vulnerabilities in the Windows kernel-mode drivers that could allow remote code execution if a user visits a malicious website. The vulnerabilities are either not applicable or are rated only important on Windows 8 and 8.1, Windows 10, and Windows Server 2012.

MS16-004 addresses vulnerabilities in all supported versions of Microsoft Office. The most critical vulnerability in the bulletin resolves a memory corruption flaw, which could allow remote code execution if a user opens a specially crafted Microsoft Office file.

MS16-003 targets a vulnerability in the VBScript scripting engine in Microsoft Windows. According to Microsoft, if a user visits a specially crafted website, an attacker could gain the same user rights as the current user. If a user who logged on with administrative user rights is exploited, an attacker would be able to install programs; view, change or delete data; or create new accounts with full user rights. This bulletin only affects those using Windows Vista or Windows Server 2008.

MS16-006 is the final critical vulnerability for the month, and addresses a vulnerability in Microsoft Silverlight that could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application. Microsoft did note that attackers cannot force a user to the malicious website, and would instead have to trick the user into visiting the page.

MS16-007 and MS16-008 round out the January Patch Tuesday with important bulletins that address vulnerabilities in Windows. MS16-007 resolves a vulnerability in Windows, and MS16-008 resolves vulnerabilities in the Windows kernel that could allow either remote code execution or elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.

MS16-009 was skipped this month. Experts assume it was for further testing.

Next Steps

April 2016 Patch Tuesday has patch for the "overhyped" Badlock.

Catch up on the December 2015 Patch Tuesday news here.

Font handling strikes again in November 2015 Patch Tuesday updates.

No zero-day exploits in October 2015 Patch Tuesday updates.

Dig Deeper on Microsoft Patch Tuesday and patch management