Microsoft released its May 2016 Patch Tuesday fixes today, which included 16 total bulletins, eight of which were rated critical. One patch stands out among the rest because it concerns an IE zero day that Microsoft admits is being actively exploited in the wild.
Bulletin MS16-051 is the cumulative security update for Internet Explorer, at the top of the priority scale in this Patch Tuesday release, but one vulnerability in particular (CVE-2016-0189) requires immediate patching. Microsoft describes the issue as a remote code execution vulnerability in the way that the JScript and VBScript engines render when handling objects in memory, which could allow an attacker to gain the same rights as the targeted user.
The IE zero day affects Internet Explorer versions 9 through 11 on all supported versions of Windows clients. Windows Server versions are partially protected by IE running in the Enhanced Security Configuration restricted mode.
If this patch cannot be applied right away, Microsoft suggested a workaround to restrict access to VBScript.dll and JScript.dll in order to help protect against an exploit until the patch can be installed.
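As an added example (not from the article or from Microsoft), the PowerShell audit below lets an administrator check a host's state against the two options described above: whether the interim restriction on the script engine DLLs is in place, and whether the cumulative update is installed. The KB number is a placeholder, since the article does not list it.

```powershell
# Added example: audit the MS16-051 interim workaround (deny "Everyone" on the
# script engine DLLs) and check for the update itself. The KB value is a
# placeholder; take the real number from the bulletin before use.
param(
    [string]$PatchKB = 'KB<MS16-051-cumulative-update>'  # placeholder, replace
)

# On 64-bit Windows both the native and the WOW64 copies must be covered.
$dlls = @(
    "$env:windir\System32\vbscript.dll",
    "$env:windir\System32\jscript.dll",
    "$env:windir\SysWOW64\vbscript.dll",
    "$env:windir\SysWOW64\jscript.dll"
)

function Test-ScriptEngineRestricted {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }   # WOW64 copies absent on 32-bit
    $acl = Get-Acl -Path $Path
    # Treat the workaround as applied when Everyone carries an explicit Deny ACE.
    $deny = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'Everyone' -and
        $_.AccessControlType -eq 'Deny'
    }
    return [bool]$deny
}

function Test-UpdateInstalled {
    param([string]$KB)
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

$patched = Test-UpdateInstalled -KB $PatchKB
Write-Output ("Update {0} installed: {1}" -f $PatchKB, $patched)

foreach ($dll in $dlls) {
    $state = Test-ScriptEngineRestricted -Path $dll
    if ($null -eq $state) { continue }
    $status = if ($state) { 'RESTRICTED' } else { 'OPEN' }
    Write-Output ("{0,-50} {1}" -f $dll, $status)
}

# The host is exposed only when the update is missing AND an engine is still open.
$open = $dlls | Where-Object { (Test-ScriptEngineRestricted -Path $_) -eq $false }
if (-not $patched -and $open) {
    Write-Warning 'Unpatched host with at least one script engine DLL still accessible.'
}
```

The deny entry also blocks legitimate scripts that rely on these engines, so the restriction is a stopgap to remove once the update is confirmed installed.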
Wolfgang Kandek, CTO at Qualys, noted that MS16-053 is related to this IE zero-day vulnerability, which contains patches for JScript and VBScript directly.
MS16-052 includes patches for four critical vulnerabilities in the Microsoft Edge browser for Windows 10, but none are being actively exploited like the IE zero day.
Karl Sigler, threat intelligence manager at Trustwave, said admins should also prioritize bulletin MS16-064, which includes critical patches for Adobe Flash that affect all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1 and Windows 10.
"Since Flash is embedded in Microsoft's IE and Edge browsers, Microsoft started including Adobe patches as a part of their own patch cycle last month," Sigler said. "These vulnerabilities in Flash are rated critical and it's surely just a matter of time before they get imported into popular exploit kits."
Lane Thames, security researcher from the Tripwire Vulnerability and Exposures Research Team (VERT), suggested that IT administrators take note of the server-side application flaws in bulletins MS16-058 and MS16-054.
MS16-058 addresses an important DLL loading vulnerability in Windows IIS and MS16-054 contains security fixes for Microsoft Office, including a critical flaw in handling embedded fonts that affects Word Automation Services in SharePoint Server 2010 and Office Web Apps 2010.
"When it comes to server-side applications, administrators are always faced with critical timing issues. On the one hand, server-side applications are usually accessible remotely over the Internet and these systems often interface with an organization's critical data. These two points alone make server-side applications such as IIS and SharePoint valuable targets for attackers who, consequently, scramble to write exploits against these vulnerabilities as soon as Microsoft releases its patches," Thames said. "On the other hand, patches for server-side applications need to be thoroughly tested before deployment. A faulty patch installation can cause as much and possibly more damage than an attacker."
The final critical bulletins for the month are MS16-055, MS16-056 and MS16-057, which target vulnerabilities in the Microsoft Graphics Component, Windows Journal and Windows Shell, respectively. Each could allow for remote code execution and should be installed as soon as possible.
One of the important bulletins, MS16-061, is notable: it remediates a flaw in handling Remote Procedure Call (RPC) requests that affects all supported versions of Windows and could allow an unauthenticated attacker to gain control of unpatched systems.
Craig Young, security researcher for Tripwire VERT, said that although Microsoft rated the flaw as less likely to be exploited, "the potential for abuse on this one is enormous."
"While the Windows firewall does not expose this service by default, there are many instances where network operators will open up access to allow administrative tools to operate and enable critical network functionality," Young said. "Fortunately there is generally no reason to have RPC exposed on the Internet, but an attacker who has already gained basic access to a LAN could potentially use this to gain access to not only workstations but also to critical infrastructure like Active Directory domain controllers."
Rounding out the rest of the important bulletins for the month are MS16-059, which covers a remote execution vulnerability in Windows Media Center; MS16-060 and MS16-062, which handle elevation of privilege flaws in the Windows Kernel and Kernel-Mode Drivers, respectively; MS16-065 and MS16-067, which fix information disclosure bugs in the .NET framework and Volume Manager Driver; and MS16-066, which patches a security bypass issue in the Windows Virtual Secure Mode.
Each of these patches should be installed during normal patch cycles.
Last month's release skipped MS16-043, which still has not been released, and Tyler Reguly, manager of Tripwire VERT, noted that once again the Patch Tuesday release is also missing a bulletin, MS16-063.
"One of the more interesting items this month is the pulled Microsoft Exchange patch. It was briefly released as MS16-063 and now appears to be pulled with just the text 'Content Placeholder' appearing on the bulletin page," Reguly said. "The bulletin stated that it fixed three Oracle Outside In elevation of privilege vulnerabilities and an information disclosure related to the exchange parsing of HTML messages, specifically image URLs loaded by Outlook Web Access users. It will be interesting to see if this bulletin reappears today or if we'll have to wait for next month."