February Patch Tuesday started a bit early with Oracle releasing an out-of-band update for Java to resolve a critical vulnerability that allows DLL Hijacking. Microsoft has released 13 bulletins, six of which are critical, resolving a total of 42 vulnerabilities. Of the vulnerabilities being resolved, two have been publicly disclosed. We also have releases from Adobe for Flash and Photoshop, Mozilla for Firefox, and Google is expected to release a Chrome update with security fixes and support for the latest Flash Plug-In.
Starting with Oracle, the vulnerability resolved by Java 8u73 (CVE-2016-0603) affects many other products, but so far, Oracle and SUSE VirtualBox are the only vendors to release updates to resolve it so far. Researchers are still reporting additional products affected, but the notables include Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. So far there is no confirmation on the Firefox or Chrome releases resolving this vulnerability. Expect to see some more security release in the coming weeks.
As noted, Microsoft has released 13 total bulletins, six of which are rated as critical. Of the 42 vulnerabilities resolved, two have been publicly disclosed – these are part of MS16-014 (CVE-2016-0040) and MS16-015 (CVE-2016-0039). Public disclosures are a risk indicator that we use to rate threat risk, signaling a threat actor has a jump-start on the vendor and is able to exploit the vulnerability before companies can get an update in place. MS16-014 may only be rated as important by Microsoft, but the fact that it has a public discloser means it is at higher risk of exploit.
Here are some things to watch out for this month with Microsoft:
There is a Sharepoint update included in the Office bulletin, MS16-015. I know, all of your Sharepoint admins just cringed, but it has to be updated. This is a critical bulletin and has a publicly disclosed vulnerability, CVE-2016-0039. One of the complicating factors with Sharepoint is the fact that rollback is not an easy thing if something breaks. If you have not already done so, we highly recommend virtualizing your Sharepoint servers so you can take advantage of snapshot capabilities to roll back to a good state, in case something goes wrong.
MS16-014 is rated as important and affects the Windows Operating System. The threat around this bulletin should be considered high, as it does have a public disclosure. CVE-2016-0040 resolves a vulnerability with improper handling of objects in memory by the Kernel. According to the Microsoft bulletin, if exploited “an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” The reason this is likely reduced in severity is because the attacker would need to log on to the system and then run a specially crafted application to exploit the vulnerability.
MS16-018 affects Kernel-Mode Drivers, so both MS16-014 and MS16-018 are making changes to Kernel behavior this month. As always, it is good to test Kernel updates thoroughly before deploying.
One change Microsoft made this month, that I hope is permanent, is making the Adobe Flash Player Plug-In update for Internet Explorer officially a Security Bulletin instead of a Security Advisory. This is a major change to how they have identified the Flash Player Plug-In updates in the past, and one that is warranted, because you have not completely resolved Flash vulnerabilities unless you’ve update the OS and all browser plug-ins. So keep an eye out for MS16-022, which is the critical update for Adobe Flash Player, for all currently supported versions of Windows and IE.
Speaking of Adobe Flash, APSB16-04 is a Priority 1 update resolving 22 vulnerabilities that should be on your priority list this month, especially since Adobe Flash has been highly targeted because it is so widely distributed. Remember, you need to update Adobe Flash, and Flash for IE, Flash for Google Chrome, and Flash for Firefox to completely plug all of these 22 vulnerabilities.
Adobe Photoshop is a Priority 3 update this month that resolves for three lower severity security vulnerabilities.
Mozilla has released Firefox 44.0.1. So far, there’s no report on if security fixes were included in this release or not.
You can also expect to see a Google Chrome release coming out which will be resolve for some security vulnerabilities and will include support for the Flash Player APSB16-04 update. Do make sure this is on your priority list this month.
Join us tomorrow for the February Patch Tuesday webinar where we will discuss the bulletins in more detail.