
April 2016 Patch Tuesday: Badlock isn't a priority

Microsoft's April 2016 Patch Tuesday includes a patch for Badlock, a vulnerability which experts call "overhyped," but the most important patches may need extra care to apply.

Microsoft released its April 2016 Patch Tuesday fixes today, which included 13 total bulletins, six of which warranted a critical rating. One of the more hyped patches, Badlock, was not rated critical and experts said it shouldn't be at the top of an enterprise priority list.

The bulletin that experts said enterprises should take care to install is MS16-039, which targets vulnerabilities in the Microsoft Graphics Component and affects Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution (RCE) if a user opens a specially crafted document or visits a web page that contains specially crafted embedded fonts.

According to Lane Thames, security researcher from the Tripwire Vulnerability and Exposure Research Team, this patch is "one of the more complicated security bulletins this month."

"These vulnerabilities exist at the OS level as well as across various applications. The vulnerabilities affect OS versions from Vista through Windows 10 along with Server 2008 through Server 2012 R2. This is a good time to remind users and organizations that these OS versions are just the supported versions. Other unsupported versions, such as Windows 8, are highly likely to be affected too," Thames said. "In some cases, there are prerequisites that must be met before installing the patch or for the patch being applicable. There's a lot to understand for this bulletin, so administrators should take a few extra minutes to study its details."

Wolfgang Kandek, chief technology officer at Qualys Inc., said this bulletin needs to be a top priority because "two zero-days are contained with the Windows portion and both allow for the escalation of privilege from a normal user to administrator."

Kandek also highly rated bulletin MS16-042, which addresses four vulnerabilities in Microsoft Office. One of these flaws is rated critical, meaning it "can be attacked directly without user interaction," according to Kandek.

"Indeed, CVE-2016-0127 is a remote code execution vulnerability in the RTF file format, which is visualized automatically in the Outlook preview pane and can give the attacker RCE with a simple e-mail," Kandek said. "If you can afford it, harden your setup by outlawing RTF e-mails. You can turn them off with the Office File Block Policy, which works across 2007/2010 and 2013."

Although it isn't a critical vulnerability, Tripwire experts also singled out MS16-049, which addresses a denial-of-service vulnerability targeting HTTP.sys on Windows 10.

"An interesting bulletin which caught my attention is the HTTP.sys patch due to the fact that it involves an HTTP/2 protocol request," said Craig Young, security researcher from the Tripwire Vulnerability and Exposure Research Team. "This is the first server-side vulnerability disclosure I have seen affecting HTTP/2 making it very interesting. While Microsoft has indicated it is less likely to be exploited in the near future, the fact that many admins may be unaware of HTTP/2 support in IIS demonstrates the importance of regular network scanning to understand what protocols and services an attacker may exploit on your network."

Thames said this bulletin could be the first of many for the HTTP/2 protocol.

"New protocols are sometimes tricky to implement, so it is not surprising to see a vulnerability in a new protocol stack. The question is how many more vulnerabilities will be discovered in the months to come now that the cat is out of the bag with MS16-049," Thames said. "Reverse engineers will likely be using this vulnerability as a case study to understand the Microsoft HTTP 2.0 implementation."

MS16-047 is the bulletin that pertains to the much-hyped Badlock vulnerability, which Microsoft said could allow elevation of privilege if an attacker launches a man-in-the-middle attack. An attacker could then force a downgrade of the authentication level of the Security Accounts Manager and Local Security Authority (Domain Policy) channels and impersonate an authenticated user.

"Administrators should certainly install MS16-047 and employ defense mechanisms on their networks to limit the chances of a man-in-the-middle attacker on the LAN, but this is not at all on the same level of severity as Shellshock or Heartbleed and did not warrant several weeks of advance notice," Young said. "The ability for a man-in-the-middle attacker to wreak havoc on a network has been well documented since before the days when network hubs were displaced in favor of switches. The top priority for Windows administrators should be to protect against vulnerabilities that can be exploited through websites or documents."

MS16-050 covers a critical vulnerability in the Adobe Flash Player on all supported versions of Windows. The patch works by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

Critical bulletins MS16-037 and MS16-038 are the regularly scheduled entries for Internet Explorer and the Microsoft Edge browsers, respectively. Each cumulative update includes patches for six vulnerabilities, which Kandek noted was the first time each browser had the same number of vulnerabilities. Kandek also said this month is the first time Edge has more serious flaws than IE.

The final critical bulletin for the month is MS16-040, which addresses an RCE vulnerability in the XML Core subsystem. However, Microsoft notes that "in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message."

Of the bulletins rated as important, three could result in remote code execution. MS16-041 covers a vulnerability in the .NET Framework but requires local system access. MS16-044 addresses a vulnerability in Windows OLE that is exploitable if the attacker can convince the user to open a specially crafted file or webpage. MS16-045 fixes vulnerabilities in Windows Hyper-V, but only those who have Hyper-V enabled would be affected.

Finally, MS16-046 targets an elevation of privilege vulnerability in the Windows Secondary Logon system and MS16-048 resolves a security feature bypass vulnerability in the Windows client/server runtime subsystem.

Enterprises should also take note that MS16-043 is missing from this Patch Tuesday release, so there is a possibility of an out-of-band update coming from Microsoft before next month's scheduled release.
