by Debra Littlejohn Shinder
If you were hoping for a light load of patches this month, you're in the same boat as those folks who were hoping for a light rain in Houston last month. Instead, we got a deluge. Microsoft released a whopping sixteen patches on May 10, most of them for Windows. Eight are rated as critical, with ten of them exploitable for the purpose of remote code execution. In addition, there are several elevation of privilege and information disclosure vulnerabilities in the mix, along with one security bypass issue.
It makes for a hefty slate of updates – and when it comes to patches, "the more the merrier" definitely doesn't apply. IT pros dread heavy patch days not just because of the extra time involved in testing and applying the patches, but also because the more there are, the more chance there is that one or more will have a bug or conflict with some configuration or installed software and result in more hours of troubleshooting and system down time.
But it is what it is, so now let's take a look at each of these patches in more detail. For more detailed information about each, see the Security Bulletin Summary on the TechNet web site at https://technet.microsoft.com/en-us/library/security/ms16-May
If you are using GFI LanGuard to help you automate your patching requirements you can click here for more information about the added support for the below security updates: http://www.gfi.com/lannetscan/msfullreport.asp
Critical
MS16-051 (KB 3155533) This is the usual monthly cumulative update for Internet Explorer that applies to IE 9, 10 and 11 (all supported versions) on all supported versions of Windows. It is rated critical for client operating systems and moderate for servers, and of course doesn't apply to server core installations that don't run a web browser.
The update addresses five vulnerabilities, all of which are capable of remote code execution exploit except one, which is an information disclosure issue. Three deal with memory corruption and one with bypass of IE security in the User Mode Code Integrity component of Device Guard.
The update fixes the problems by correcting the way JScript and VBScript engines handle objects in memory and the way IE validates code integrity as well as improving validation of file access permissions.
MS16-052 (KB 3155538) This is the usual monthly cumulative update for the Microsoft Edge browser on Windows 10 (including version 1511) and is rated critical.
The update addresses four memory corruption vulnerabilities that can result in remote code execution. Three are in the scripting engines and one is a browser memory corruption issue.
The update fixes the problems by correcting the way Microsoft Edge and the Chakra JavaScript engine handle objects in memory.
MS16-053 (KB 3156764) This is an update for the JScript and VBscript scripting engines in Windows and affects Vista and Server 2008, including the server core installation. It is rated critical.
The update addresses a pair of memory corruption vulnerabilities in the scripting engines that can be exploited to accomplish remote code execution. There is a workaround that can be used to restrict access to JScript.dll and VBScript.dll via administrative command line if you are unable to apply the update.
The update fixes the problem by changing the way the scripting engines handle objects in memory.
MS16-054 (KB 3155544) This is an update for Microsoft Office that affects supported versions of Office applications including Office 2007, 2010, 2013 and 2013 RT, 2016, Office for Mac 2011 and 2016 as well as the Office compatibility pack SP3, Word Viewer, Office Web Apps 2010 and SharePoint Server 2010. It is rated critical for all. Some configurations of Office 2010, however, will not be offered the update.
This update addresses four vulnerabilities, three of which are memory corruption issues and one of which is a graphics/embedded font handling vulnerability that can result in remote code execution. There is a published workaround that involves editing the registry and is fully described in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-054.aspx.
The update fixes the problems by correcting the way Office handles objects in memory and the way that the Windows font library handles embedded fonts.
MS16-055 (KB 3156754) This is an update for the Microsoft Graphics component in Windows. It affects all supported versions of Windows, both client and server operating systems. It is rated critical for all.
This update addresses five different vulnerabilities in Windows, two of which are information disclosure vulnerabilities, one that is a graphics component remote code execution issue, one use-after-free vulnerability and a memory corruption vulnerability. There are workarounds for some of the vulnerabilities, which involve editing the registry and are described fully in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-055.aspx.
The update fixes the problems by correcting the way the Windows Imaging component and the GDI component handle objects in memory.
MS16-056 (KB 3156761) This is an update for Windows Journal in all supported versions of the Windows client operating system (Vista, 7, 8.1/RT 8.1, and 10). It is rated critical for all.
The update addresses a single memory corruption vulnerability in the Journal component that can result in remote code execution when an attacker creates a specially crafted Journal file and convinces the user to open the file.
The update fixes the problem by changing the way Windows Journal parses Journal files.
MS16-057 (KB 3156987) This is an update for the Windows Shell that affects Windows 8.1, RT 8.1 and 10 as well as Server 2012 R2. It is rated critical for all.
The update addresses a single vulnerability in the Shell that can be exploited to accomplish remote code execution if users visit a website that has been compromised with specially crafted content.
The update fixes the problem by changing the way the Windows Shell handles objects in memory.
MS16-064 (KB 3157993) This is an update for Adobe Flash Player in IE 10 and 11 and in Microsoft Edge, running on Windows 8.1/RT 8.1, Windows 10 and Server 2012/2012 R2. It is rated critical for all affected systems.
The update addresses 24 vulnerabilities in the Flash Player that are described in more detail in Adobe's security bulletin at http://helpx.adobe.com/security/products/flash-player/apsb16-15.html. Some of these can be exploited to accomplish remote code execution. There are a couple of published workarounds that involve editing the registry to prevent Adobe Flash from running or using Group Policy to do so. The instructions for implementing the workarounds can be found in the Microsoft security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-064.aspx.
The update fixes the problems by making changes to Adobe Flash Player.
Important
MS16-058 (KB 3141083) This is an update for the Internet Information Services (IIS) web server component in certain versions of Windows. It affects only Windows Vista and Server 2008, including the server core installation. It is rated Important for all.
The update addresses a single DLL loading vulnerability that can be exploited to accomplish remote code execution; however, an attacker would have to have access to the local system in order to exploit it, thus the important rating rather than critical.
The update addresses the vulnerability by changing the way Windows validates input when it loads certain libraries.
MS16-059 (KB 3150220) This is an update for Windows Media Center in Vista, Windows 7 and Windows 8.1. WMC is not supported on Windows 10. It is rated Important for all affected systems.
The update addresses a single remote code execution vulnerability that would require the user to open a specially crafted .mcl file after navigating to a compromised web site hosting the malicious .mcl file. There is a workaround that involves editing the registry to remove the MCL file association. The instructions for doing so are found in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-059.aspx
The update fixes the problem by changing the way Windows Media Center handles certain resources in the .mcl file.
MS16-060 (KB 3154846) This is an update for the Windows kernel that applies to all supported versions of Windows client and server operating systems, including the server core installations. It is rated Important for all affected systems.
The update addresses one vulnerability in the Windows kernel stemming from incorrect parsing of symbolic links that could be exploited to result in an elevation of privilege. However, an attacker would have to be able to log onto the system in order to exploit it, and then run a specially crafted application.
The update fixes the problem by changing the way the kernel parses symbolic links.
MS16-061 (KB 3155520) This is an update for the Remote Procedure Call protocol by which one program requests services from another program, used for client/server communication. It affects all supported versions of Windows client and server operating systems, including the server core installations. It is rated Important for all.
The update addresses a single vulnerability in the RPC Network Data Representation Engine that can be exploited to accomplish an elevation of privilege an unauthenticated attacker sends malformed RPC requests to a vulnerable host machine.
The update fixes the problem by changing the way Windows handles RPC messages.
MS16-062 (KB 3158222) This is an update for the Windows kernel-mode drivers in Windows. It applies to all supported versions of both client and server operating systems, including the server core installations. It is rated Important for all.
The update addresses seven vulnerabilities in the kernel-mode driver, four of which are Win32k elevation of privilege issues. There is also an information disclosure vulnerability, and two elevation of privilege vulnerabilities in the DirectX graphics kernel subsystem.
The update fixes the problems by correcting the way the Windows kernel handles memory addresses, the way the graphics kernel subsystem handles objects in memory and the way it handles certain calls and escapes that can result in improper memory mapping.
MS16-065 (KB 3157993) This is an update for the Microsoft .NET framework in all supported versions of both client and server operating systems, including the server core installations. It is rated Important for all.
The update addresses a single vulnerability in the TLS/SSL protocol that can be exploited to accomplish information disclosure, allowing an attacker to decrypt communications that are sent encrypted by TLS/SSL. In order to do this, the attacker would need to be able to inject unencrypted data into the encrypted channel and do a man-in-the-middle attack.
The update fixes the problem by changing the way .NET's encryption component sends and receives encrypted packets over the network.
MS16-066 (KB 3155451) This is an update for the Virtual Secure Mode in Windows 10. This is the component that virtualizes the part of Windows that grants high-level privileges to executables, so that it doesn't have access to the kernel and can't attack VSM via the kernel. The update is rated Important.
The update addresses one hypervisor code integrity security feature bypass by which some kernel-mode pages are incorrectly marked. An attacker could exploit it to bypass the protections by running a specially crafted application.
The update fixes the problem by changing this behavior so that the RWX pages under HVCI won't be marked incorrectly.
MS16-067 (KB 3155784) This is an update for the Volume Manager Driver in Windows. It affects Windows 8.1/RT 8.1 and Server 2012/2012 R2. It is rated Important for both client and server.
The update addresses an information disclosure vulnerability in the Remote Desktop Protocol (RDP) Drive Redirection that happens when a USB disk is mounted over RDP via RemoteFX and it's not corrected linked to the session of the user who mounted it. This would allow an attacker to find out the information about the files and directories on the USB disk.
The update fixes the problem by making sure that Windows correctly enforces access to USB disks over RDP.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
