Pavel Ignatov - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

February 2016 Patch Tuesday: IE Flash vulnerabilities get a bulletin

Microsoft's February 2016 Patch Tuesday release goes after Adobe Flash vulnerabilities and more Windows Journal flaws.

Microsoft released its February 2016 Patch Tuesday fixes today for a total of 13 bulletins, six of which are rated critical, including Adobe Flash vulnerabilities finally getting a standalone bulletin.

MS16-022 includes patches for 22 Adobe Flash vulnerabilities in the Flash libraries that are built-in to Internet Explorer. All of the flaws are rated critical and affect Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10.

According to Qualys CTO Wolfgang Kandek, the updates for these libraries have been handled by Microsoft for the past three and a half years and tracked under a single security advisory, but this is the first time the patches have been included with the Patch Tuesday release.

"Attack scenarios vary from compromised, but otherwise innocent websites that link to malicious attacker controlled domains to Flash embedded in other files such as Office documents, which targets access through e-mail. In addition attackers have shown last year that they invest into Flash based attacks, so this bulletin is on our top spot," Kandek wrote. "None of the vulnerabilities described is in the use in the wild, but many are rated as easily exploitable by both Microsoft and Adobe, so you should address them quickly."

MS16-013 addresses a vulnerability that could allow remote code execution (RCE) if a user opens a specially crafted Journal file, though Microsoft notes that accounts with fewer rights will be impacted less by this flaw.

Kandek noted that mitigating risk should be easy, because "a malicious file with extension .JNL needs to be opened by the user to trigger the vulnerability. Under Windows 7, one can disassociate the file extension from the application and neuter the attack."

Craig Young, security researcher at Tripwire, based in Portland, Ore., said this is a bulletin to watch because this "marks the twelfth RCE bug Microsoft is patching in Windows Journal in just 10 months."

"This is particularly interesting because before 2015, Windows Journal vulnerabilities were basically unheard of. While the increased scrutiny of Windows Journal may be an indication of Microsoft's successes in the tablet space, it is important to remember that the flaw is not limited to tablets," Young said. "In fact every piece of software installed on a computer adds to the potential attack surface even if that software is not frequently used."

MS16-011 includes patches for six vulnerabilities in the Microsoft Edge browser on Windows 10, four of which are critical. But, more important is MS16-009, the monthly bulletin for vulnerabilities in Internet Explorer which experts agree should always be near the top of the priority list for enterprise. The bulletin includes patches for 13 vulnerabilities, seven of which are rated critical.

"Exploitation of these vulnerabilities would be through the web browsing, leading to the access of malicious websites either directly, or through search engine poisoning attracting your user to the specifically prepared website, or through the compromise of an otherwise legitimate site or even by inclusion in an advertising network," Kandek wrote. "This attack vector is one of the largest in your organization and we recommend patching these vulnerabilities as quickly as possible."

Lane Thames, security researcher at Tripwire, also noted that this bulletin should be a reminder for organizations still running vulnerable versions of IE that support has been discontinued for those products.

"Today becomes game day for reverse engineers and exploit kit developers who will be analyzing the February IE patches that are being provided by MS16-009 in order to write exploits that target IE7 and IE8 users," Thames said. "Users of these now highly vulnerable browsers should exercise extreme caution and plan to upgrade their systems as soon as possible. Enterprise organizations that require these browsers due to legacy applications must ensure that these systems do not have access to external or untrusted websites."

Bulletin MS16-015 addresses vulnerabilities in Microsoft Office, the most severe of which could allow remote code execution if a user opens a specially crafted Microsoft Office file.

Kandek noted that three of the vulnerabilities included are very dangerous because they "are all RTF file format vulnerabilities and can be triggered without user interaction through the preview pane in Outlook."

Kandek said he was surprised that Microsoft didn't offer mitigating factors but said setting e-mail to be read in plain text in Outlook or disabling RTF files in Microsoft Word through the File Block Policy should mitigate risk.

MS16-012 is the final critical bulletin for the month and addresses vulnerabilities in Windows that could allow remote code execution if the Windows PDF Library improperly handles API calls, which could allow an attacker to run arbitrary code on the user's system. Microsoft noted that attackers would not be able to force a user to download a malicious PDF.

PDF Reader is only available under Windows 8.1, 10 and Server 2012 which lowers the risk, but experts noted that this is the first bulletin for this software and likely won't be the last.

Although not rated critical, bulletin MS16-018 could be high on the priority list for some enterprises. The bulletin includes patches for vulnerabilities in the Windows Kernel-mode drivers which could allow for an elevation of privilege attack if an attacker logs on to an affected system and runs a specially crafted application.

Bobby Kuzma, CISSP and systems engineer at Core Security based in Boston, Mass., said this bulletin is worrying because the affected systems listed go "all the way back to Windows Vista, so it's highly likely that the venerable XP is also vulnerable."

MS16-020 addresses a vulnerability in Active Directory Federation Services which could lead to a denial-of-service attack.

Tyler Reguly, security research manager at Tripwire, said this could hamper enterprises that are trying to roll out two-factor authentication.

"Active Directory Federation Services has seen increased usage across enterprises rolling out two-factor authentication," Reguly said. "The vulnerability fixed in MS16-020 could mean increased downtime for said enterprises. This should likely rank high on the list of bulletins that enterprises will want to quickly test and deploy."

Rounding out the bulletins rated as important in the February Patch Tuesday release, MS16-014 addresses vulnerabilities in Windows that could lead to remote code execution. MS16-016 and MS16-017 address vulnerabilities in WebDav and Remote Desktop Protocol, respectively, which could lead to elevation of privilege attacks. And, MS16-019 and MS16-021 take care of vulnerabilities in the .NET framework and Network Policy Server, respectively, which could lead to denial-of-service attacks.

Next Steps

April 2016 Patch Tuesday covers Badlock.

Catch up on the January 2016 Patch Tuesday news here.

Learn more about whether search engine poisoning is an issue for Bing users.

Learn how various features influence Office 2016 security.

Dig Deeper on Microsoft Patch Tuesday and patch management