Microsoft released its March 2016 Patch Tuesday fixes today, which included 13 bulletins -- five of which are rated critical. Experts said none of the bulletins address vulnerabilities in complex environments such as Exchange or SharePoint, although all of the patches should still be applied as soon as possible.
"System administrators will be relieved that the March bulletin should be generally straightforward, as it does not contain patches for any of the typically complex environments, such as Exchange and SharePoint," said Craig Young, security researcher at Tripwire Inc., based in Portland, Ore. "While it is still imperative that users deploy the patches as soon as possible, it is nice to see that none of the issues fixed this month were publicly disclosed or exploited ahead of the patch drop."
Experts said the top priority for patching should go to MS16-023, the standard cumulative Internet Explorer (IE) patch bulletin, and MS16-024, which covers patches for the newer Microsoft Edge browser.
Wolfgang Kandek, CTO at Qualys Inc., in Redwood City, Calif., put the IE patches at the top of his list, because all 13 vulnerabilities addressed in the bulletin are rated critical. "Exploitation of these critical vulnerabilities yields the most dangerous result: remote code execution (RCE), which gives the attacker complete control over the target's machine," Kandek wrote in a blog post.
Kandek noted that Windows 10 security is also at stake in the Edge bulletin, which fixes 11 vulnerabilities -- 10 of which are rated critical.
"[This shows] that security researchers have been focusing their attention on Edge, which has slowly lost ground on Internet Explorer in terms of vulnerabilities: In December 2015, we were still 30 [IE vulnerabilities] to 15 [for Edge] versus now in March at 13 to 11," Kandek said.
However, the Windows 10 architecture was also shown to mitigate the risks of MS16-026, which addresses two more vulnerabilities in Windows font handling, one of which could lead to remote code execution.
"Although all of the affected operating systems are prone to denial-of-service [attacks] or code execution as a result of CVE-2016-0120 and CVE-2016-0121, respectively, Microsoft notes that the impact is not actually the same for Windows 10 systems, compared with the older OS versions," Young said. "In the case of the DoS attack, the Windows 10 architecture manages to limit the attack to a single affected application, rather than the entire system. In the case of the code execution bug, an attacker might be able to take complete control over the system, as opposed to under Windows 10, where code execution happens within an AppContainer sandbox process having limited privileges."
Young singled out MS16-033 as the most interesting bulletin this month. It addresses a flaw in a Windows driver that allows elevation of privilege if an attacker with physical access inserts a specially crafted USB device into the system. Young said that, despite the requirement of physical access to the target machine, the consequences could be more serious than the "important" rating implies.
"What is interesting about this one is that the malicious USB device could be used to exploit even locked workstations, where an attacker has temporary physical access," Young said. "Another big difference is that since MS16-033 is a driver vulnerability, it gives the attacker a direct path to code execution within the kernel, as opposed to in the context of a logged-in user."
Bulletins MS16-027, MS16-028 and MS16-029 are all critical bulletins resolving RCE vulnerabilities in commonly used software -- Windows Media Player, Windows PDF Library and Microsoft Office, respectively. They should be prioritized, since each can be exploited when a user opens specially crafted media or document content, including content hosted on a website.
"The continuous stream of vulnerabilities in these areas indicates just how complex the media formats are that we deal with every day," Kandek said.
The remaining bulletins address vulnerabilities rated important and should be handled as schedules permit, experts said. MS16-025 addresses a flaw in how Windows validates libraries before loading them, which could lead to remote code execution. MS16-030 covers RCE vulnerabilities in Windows OLE that stem from improper validation of user input. MS16-031, MS16-032 and MS16-034 resolve elevation of privilege vulnerabilities in Windows, the Windows Secondary Logon Service and the Windows kernel-mode drivers, respectively. And MS16-035 fixes a security feature bypass flaw in a .NET Framework component that does not properly validate certain elements of a signed XML document.
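As an added example (not from the article or from the researchers it quotes), the following PowerShell function audits a host for this month's bulletins in the priority order described above and reports which are missing. The bulletin-to-KB mapping is an assumption the administrator must fill in from each bulletin's page; the two KB numbers shown are from memory and must be verified before use, and unmapped bulletins are reported rather than silently skipped.

```powershell
# Added example, not part of the original article.
# Audits installed hotfixes against the March 2016 bulletins, ordered by the
# priority the experts above describe. The KB mapping is an ASSUMPTION: each
# MS16-0xx bulletin page lists its KB article; fill the table from there.
function Get-MissingBulletins {
    [CmdletBinding()]
    param(
        # Bulletins, highest priority first (order taken from the article).
        [string[]]$Priority = @(
            'MS16-023', 'MS16-024',                         # IE and Edge, critical
            'MS16-026', 'MS16-027', 'MS16-028', 'MS16-029', # remaining critical RCE
            'MS16-033',                                     # important, but kernel EoP via USB
            'MS16-025', 'MS16-030', 'MS16-031', 'MS16-032', 'MS16-034', 'MS16-035'
        ),
        # Bulletin -> KB article. Two entries are filled in from memory and
        # must be verified; the rest are left for the administrator to supply.
        [hashtable]$KbMap = @{
            'MS16-023' = 'KB3139929'   # assumed, verify against the bulletin
            'MS16-032' = 'KB3143141'   # assumed, verify against the bulletin
        }
    )

    # Windows 10 ships these fixes as one cumulative update, so the per-bulletin
    # KBs below will not appear there; check for the cumulative KB instead.
    if ([System.Environment]::OSVersion.Version.Major -ge 10) {
        Write-Warning 'Windows 10 detected: look for the March 2016 cumulative update rather than per-bulletin KBs.'
    }

    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    foreach ($bulletin in $Priority) {
        $kb = $KbMap[$bulletin]
        if (-not $kb) {
            # No KB supplied: surface it so the mapping gets completed.
            [pscustomobject]@{ Bulletin = $bulletin; KB = $null; Status = 'unmapped' }
            continue
        }
        $status = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
        [pscustomobject]@{ Bulletin = $bulletin; KB = $kb; Status = $status }
    }
}

# Usage: list only what still needs attention, in priority order.
Get-MissingBulletins | Where-Object { $_.Status -ne 'installed' } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each host; because the output is ordered by the priority list, the first MISSING rows are the ones to deploy first. Get-HotFix only reports updates installed through Windows Update or WUSA, so hosts patched by other means should be verified against the file versions listed in the bulletins.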