Microsoft recently released the patches for April 2016. The details are available at http://technet.microsoft.com/en-us/security/bulletin/ms16-apr
Takeaways –
Vulnerabilities being patched in bulletins MS16-037 through MS16-045 (MS16-043 was not released) and in MS16-050 could allow remote code execution if successfully exploited.
AgriLife ISO Recommendation
Because the Flash vulnerabilities are currently being exploited, the elevation of privilege vulnerabilities in MS16-039 are being exploited (including on servers), and the SAM/LSAD vulnerability in MS16-047 (affecting Windows and Samba via SMB/CIFS) also has significant ramifications, it is recommended that all Adobe Flash installs and all Windows operating systems, on workstations and servers alike, be updated as soon as possible.
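As an added example (not part of this advisory, and not Microsoft's or Adobe's code), the PowerShell below checks a machine against the recommendation: the installed Flash ActiveX version against 21.0.0.213 (the version named later in this advisory for the MS16-050/APSB16-10 update), the presence of whatever KB numbers the administrator supplies (the $RequiredKBs list is a placeholder to be filled from the bulletin pages, not something this page provides), and whether the Hyper-V role is enabled, since MS16-045 only applies when it is. The registry locations used for the Flash version are assumptions about where the ActiveX control records it.

```powershell
# Added post-patch verification script (not from the AgriLife ISO advisory or Microsoft).
# Assumptions, marked where they apply:
#  - The Flash Player ActiveX control (the copy IE/Edge load, updated by MS16-050) records
#    its version under Macromedia\FlashPlayerActiveX as "21,0,0,213" (comma separated).
#  - $RequiredKBs is a placeholder; fill it from the KB numbers on each MS16-0xx bulletin page.
function Test-AprilPatchState {
    param(
        [version]$RequiredFlash = '21.0.0.213',   # version named in the advisory (APSB16-10)
        [string[]]$RequiredKBs  = @()             # hypothetical list, e.g. 'KB3148795'; not from the page
    )
    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # 1. Flash ActiveX version: check both the native and the WOW6432 registry views (assumed locations)
    $flashKeys = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX',
                 'HKLM:\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX'
    $found = @()
    foreach ($key in $flashKeys) {
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CurrentVersion
            if ($raw) { $found += [version]($raw -replace ',', '.') }
        }
    }
    $result['FlashActiveX'] =
        if ($found.Count -eq 0) { 'Not installed' }
        elseif (@($found | Where-Object { $_ -lt $RequiredFlash }).Count -gt 0) {
            "OUTDATED ($($found -join ', '); need $RequiredFlash)"
        }
        else { "OK ($($found -join ', '))" }

    # 2. Hotfix presence for the KBs the administrator supplied
    $installedKBs = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $RequiredKBs) {
        $result[$kb] = if ($installedKBs -contains $kb) { 'Installed' } else { 'MISSING' }
    }

    # 3. Hyper-V role: MS16-045 only applies when the role is enabled (query needs an elevated prompt)
    $hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
    $result['HyperVRole'] =
        if ($null -eq $hv) { 'Unknown (run from an elevated prompt)' }
        elseif ($hv.State -eq 'Enabled') { 'Enabled (MS16-045 applies)' }
        else { 'Not enabled' }

    [PSCustomObject]$result
}

# Usage (run from an elevated PowerShell prompt; supply the KB numbers from the bulletin pages):
Test-AprilPatchState -RequiredKBs @() | Format-List
```

The script reports an outdated Flash control if any registered copy is older than the required version, because the 32-bit and 64-bit controls update separately and either one can be loaded by the browser.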
The April bulletins are numbered MS16-037 through MS16-050.
Remote code execution exploits are commonly delivered via drive-by (web page) exploits or email attachments to compromise workstation operating systems. In the case of Windows or Office vulnerabilities, remote code execution is triggered by specially crafted files or media content. The majority of the remote code execution vulnerabilities are exploited through memory corruption. The other classes of vulnerability in this month's bulletins could allow Elevation of Privilege, Security Feature Bypass, Denial of Service or Information Disclosure.
CRITICAL patches for April
The CRITICAL vulnerabilities apply to Windows, Internet Explorer and Edge (Windows 10 browser), .NET Framework, Office, Skype for Business/Lync, and could allow remote code execution if successfully exploited.
IMPORTANT bulletins (at least one of which could allow remote code execution) apply to Windows, .NET Framework and Adobe Flash.
MS16-037 – Internet Explorer – Remote Code Execution – CRITICAL
There are a total of six vulnerabilities being patched in Internet Explorer, all of which are rated critical on client operating systems for at least one Internet Explorer version. At least three of the critical vulnerabilities apply to the most hardened browser, IE11. The critical vulnerabilities would allow remote code execution if successfully exploited.
According to information provided by Microsoft, only one of the web browser vulnerabilities had been publicly disclosed prior to April 12. That vulnerability was not classified as critical and, as of April 12, no exploit code had been identified for it.
Note: The vulnerabilities are classified as MODERATE for Server operating systems such as Windows Server 2008 (32, 64 bit and Itanium), Server 2008R2, Server 2012 and Server 2012R2.
MS16-038 – Windows 10 – Microsoft Edge – Remote Code Execution – CRITICAL
There are a total of six vulnerabilities being patched in the Edge web browser that ships with Windows 10. All but two of the vulnerabilities could allow remote code execution on Windows 10 workstations if successfully exploited. The two exceptions could allow elevation of privilege in the Edge browser on Windows 10. As of this time, none of the Edge browser remote code execution vulnerabilities have been publicly disclosed.
MS16-039 – Windows/.NET Framework/Office/Skype for Business and Lync – Graphics Device Interface (GDI) – Remote Code Execution – CRITICAL
There are four vulnerabilities being patched in the Graphics Device Interface (GDI) component of Windows for the following operating systems and applications: Windows Vista SP2 (32 and 64 bit), Windows 7, Windows 8, Windows 8.1, Windows RT 8.1, Windows Server 2008 SP2 (32, 64 bit and Itanium), Windows Server 2012 (including server core only installs); and all versions of Microsoft Office and Skype for Business/Lync. One of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts; the other three are elevation of privilege vulnerabilities (see the recommendation above).
Note: Windows Server 2016 Technical Preview 4 and Windows Server 2016 Technical Preview 5 are affected. Customers running these operating systems are encouraged to apply the update, which is available via Windows Update.
According to information provided by Microsoft and SANS ISC, exploit code has been identified for two of the four vulnerabilities.
MS16-040 – Windows – XML Core Services 3.0 – Remote Code Execution – CRITICAL
There is one vulnerability being patched in the following versions of Windows: Vista (all versions), Windows 7 (all versions), Windows 8.1 (all versions), Windows RT 8.1, Windows 10 (all versions), Windows Server 2008 (all versions), Windows Server 2008 R2 (all versions) and Windows Server 2012 (all versions). The vulnerability could allow remote code execution if a user clicks a specially crafted link, allowing an attacker to run malicious code remotely and take control of the user's system. In all cases, however, an attacker has no way to force a user to click the link and would have to entice the user to do so, typically via an email or instant message. The vulnerability also exists, and is still classified as CRITICAL, in server core only installations of Windows Server.
According to information provided by Microsoft, the vulnerability had not been publicly disclosed nor had exploit code been made available as of April 12.
MS16-041 – Windows – .NET Framework – Remote Code Execution – IMPORTANT
There is one remote code execution vulnerability being patched in versions 4.6 and 4.6.1 of the .NET Framework on Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2, including server core only installations. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application.
According to information provided by Microsoft, the vulnerability had not been publicly disclosed nor had exploit code been made available as of April 12.
MS16-042 – Microsoft Office – Office and SharePoint – Remote Code Execution – One CRITICAL – Three IMPORTANT
There are four remote code execution vulnerabilities being patched in the following versions of Microsoft Office: Office 2007, Office 2010, Office 2013, Office 2013 RT, Office 2016, Office for Mac 2011, Office 2016 for Mac, Office Compatibility Pack, Excel Viewer, Word Viewer; and in the following SharePoint deployments: SharePoint Server 2007, SharePoint Server 2010, SharePoint Server 2013, Office Web Apps 2010 and Office Web Apps 2013. The most severe vulnerability is rated CRITICAL and could allow remote code execution if successfully exploited.
As of this time, information provided by Microsoft indicates that the details have not been publicly disclosed and no exploit code has been identified.
MS16-043 – No details – MS16-043 was not released by Microsoft in the April patches.
To be filled in at a future date –
MS16-044 – Windows – OLE – Remote Code Execution – IMPORTANT
There is one remote code execution vulnerability being patched in the Object Linking and Embedding (OLE) module of Microsoft Windows. The vulnerability applies to the following operating systems: Vista, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 (32, 64 bit and Itanium), Server 2008 R2 (64 bit and Itanium), Server 2012 and Server 2012 R2 (including server core only installations). The vulnerability could allow remote code execution because Windows OLE fails to properly validate user input; an attacker could exploit it to execute malicious code. However, an attacker must first convince a user to open a specially crafted file or program, delivered via a webpage or an email message.
As of this time, according to Microsoft, the details of the remote code execution vulnerability have not been publicly disclosed and no exploit code has been identified.
MS16-045 – Windows – Hyper-V – Remote Code Execution/Information Disclosure – IMPORTANT
There are three vulnerabilities being patched in Windows Hyper-V. The vulnerabilities apply to the following operating systems: Windows 8.1, Windows 10, Windows Server 2012 and Server 2012 R2 (including server core only installs). The most severe of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.
As of this time, according to Microsoft, the details of the remote code execution vulnerability have not been publicly disclosed and no exploit code has been identified.
MS16-046 – Windows 10 (only) – Secondary Login – Elevation of Privilege – IMPORTANT
There is one Elevation of Privilege vulnerability being patched in Windows 10. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator.
As of April 12, the vulnerability had been publicly disclosed but exploit code had yet to be identified.
MS16-047 – Windows – SAM and LSAD Remote Protocols – Elevation of Privilege – IMPORTANT
There is one Elevation of Privilege vulnerability being patched in the following Windows Operating Systems: Vista (all versions), Windows 7 (all versions), Windows 8.1 (all versions), Windows RT 8.1, Windows 10 (all versions), Windows Server 2008 (all versions), Windows Server 2008R2 (all versions) and Windows Server 2012 (all versions) including server core only installs. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack. An attacker could then force a downgrade of the authentication level of the SAM and LSAD channels and impersonate an authenticated user.
As of this time, according to Microsoft, the details of the elevation of privilege vulnerability have not been publicly disclosed and no exploit code has been identified.
MS16-048 – Windows – CSRSS – Security Feature Bypass – IMPORTANT
There is one security feature bypass vulnerability being patched in the following Windows operating systems: Windows 8.1, Windows RT 8.1, Windows 10 and Windows Server 2012 (all versions), including server core only installs. The vulnerability could allow security feature bypass if an attacker logs on to a target system and runs a specially crafted application. As of this time, according to Microsoft, the details of the security feature bypass vulnerability have not been publicly disclosed and no exploit code has been identified.
MS16-049 – Windows 10 (only) – http.sys – Denial of Service – IMPORTANT
There is one denial of service vulnerability being patched in Windows 10. The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to a target system. As of this time, according to Microsoft, the details of the denial of service vulnerability have not been publicly disclosed and no exploit code has been identified.
MS16-050 – Windows – Adobe Flash Player – Remote Code Execution – CRITICAL
Bulletin MS16-050 corresponds to the updated Flash Player (version 21.0.0.213) and addresses twenty-four vulnerabilities that apply to the following Microsoft operating systems: Windows 8.1, Windows 10, Windows Server 2012 and Server 2012 R2 (when full installs are performed).
Note: As of Feb 9, all updates to the Adobe Flash Player embedded in Internet Explorer and Edge are published as regular Microsoft bulletins (MS16-xxx). Security Advisory 2755801 will no longer be updated.
Adobe security patches – Adobe Flash Player
A security update (APSB16-10) was released for Adobe Flash Player on April 8. The update includes patches for 24 vulnerabilities, at least two of which are currently being exploited.
https://helpx.adobe.com/security/products/flash-player/apsb16-10.html .
The most current version is 21.0.0.213.