May Patch Tuesday 2016 - Chris Goettl's Commentary
May’s Patch Tuesday has a few juicy surprises for us. On the Microsoft side, there is one vulnerability being exploited in the wild that affects both Internet Explorer (MS16-051) and Windows (MS16-053). Additionally, two public disclosures will raise concerns with Internet Explorer (MS16-051) and .Net Framework (MS16-065). We also have a Zero Day in Flash Player from Adobe that has caused some confusion considering Adobe just published an Advisory page (APSA16-02) stating the update resolves CVE-2016-4117, which was reported to Adobe by a researcher at FireEye, a security firm. We are also seeing Microsoft publish MS16-064, a bulletin to update Adobe Flash Player plug-in support for Windows and Internet Explorer; which has details of APSB16-15, including 24 CVEs that will be included in the update. So, the question is, why did Adobe not release the update? Will Microsoft end up pulling the bundled version in MS16-064 when the Adobe bulletin releases next week?
In total, Microsoft released 16 bulletins today, eight critical and eight deemed important. There are also 33 unique CVEs being resolved, including one Zero Day that affects two bulletins and two public disclosures.
Today, Adobe released bulletins for Adobe Reader, Cold Fusion and an advisory for Flash Player that should see a bulletin release as soon as this Thursday. The two bulletins resolve for a total of 85 CVEs. With the addition of Flash Player later this week, if the Microsoft bulletin is accurate, it should bring the total to 109 CVEs resolved from Adobe this month.
MS16-051 is a critical update for Internet Explorer and Windows resolving five total vulnerabilities, including one known exploited (CVE-2016-0189) and one public disclosure (CVE-2016-0188). The vulnerability that has been exploited can be used in user-targeted attacks such as through a specially crafted website designed to exploit the vulnerability through Internet Explorer or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker gains equal privileges to the logged-on user, so running as less than administrator will mitigate the impact of exploitation.
It is recommended to get your IE updates rolled out quickly this month. For those running less than the latest IE version available for the OS its installed on, be aware that Microsoft reduced support in January to only update the latest version available on supported Operating Systems.
MS16-053 is a critical update for Microsoft Windows that resolves two vulnerabilities, including the known exploited (CVE-2016-0189). This OS update is another that’s recommended to rollout as quickly as possible this month as it affects older versions of the OS and VMScript and JScript versions. The vulnerability that has been exploited can be used in user-targeted attacks such as a specially crafted website designed to exploit the vulnerability through Internet Explorer or ActiveX controls marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker gains privileges equal to the logged on user, so running as less than administrator will mitigate the impact of exploit.
The other five critical updates from Microsoft affect Office, SharePoint and Windows OS. These bulletins should be tested and implemented within two weeks to reduce exposure.
MS16-065 is an important update for .Net Framework that includes a public disclosure. It is recommended to add this update to the two-week rollout list this month. A public disclosure means an attacker has additional knowledge, making CVE-2016-0149 more likely to be exploited. The vulnerability is an information disclosure in TLS/SSL that could enable an attacker to decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle attack between the targeted client and a legitimate server. On network this may be harder to achieve, but users who leave the network could be at higher risk of exposure to a scenario where this type of attack is possible. Keep in mind, Microsoft recommends thorough testing before rolling out to production environments.
Adobe Reader APSB16-14 is rated as a priority two, but resolves 82 vulnerabilities. By sheer force of numbers, we are suggesting this update be considered a higher priority. As a result, be sure it is tested and put into effect within four weeks.
Adobe Flash Player only released an advisory today, but it included high-level details of a vulnerability that has been detected in exploits in the wild. If information gleaned from MS16-064 is accurate, this Zero Day will be accompanied by 23 additional CVEs, with the release expected on May 12th. With this in mind, the recommendation is to roll this update out immediately.
With Adobe Flash Player it’s important to keep in mind there are multiple updates that need to be installed in order to fully address the vulnerabilities, including Flash Player, Flash Plug-Ins in Internet Explorer (MS16-064), Google Chrome (expect an update when APSB16-15 releases later this week) and for FireFox.