Microsoft has just released the patches for February 2016. The details are available at http://technet.microsoft.com/en-us/security/bulletin/ms16-feb
There are a total of thirteen bulletins being released. Five of the bulletins being patched are identified as CRITICAL (by Microsoft – six according to https://isc.sans.edu/forums/diary/Microsoft+February+2016+Patch+Tuesday/20711/ ) and the remainder are classified as IMPORTANT.
Vulnerabilities being patched in bulletins MS16-009 through MS16-015 could allow remote code execution if successfully exploited.
Remote code execution exploits are commonly used via drive by (web page) exploits or email attachments to compromise workstation operating systems. In the case of Windows or Office vulnerabilities, remote code execution is exploitable via specially crafted files or media content. The majority of the remote code execution vulnerabilities are exploitable via memory corruption compromises. Other mechanisms of compromise could allow the following exploits: Elevation of Privilege, or Information Disclosure.
The February bulletins are identified as MS16-009 through MS16-022.
CRITICAL patches for February
The CRITICAL vulnerabilities apply to Windows, Internet Explorer, Edge (Windows 10 browser), Office and Office Services and Web apps; and could allow remote code execution if successfully exploited.
IMPORTANT bulletins apply to Windows and Microsoft .NET framework.
MS16-009 – Internet Explorer – Remote Code Execution – CRITICAL
There are a total of thirteen vulnerabilities being patched in Internet Explorer (seven of which are designated as critical). The critical vulnerabilities could allow remote code execution if successfully exploited (on workstations) and, with the exception of server core only installations, apply to all supported versions of Internet Explorer on all operating systems. The remaining patches address vulnerabilities that could allow Elevation of Privilege, Information Disclosure or Spoofing if successfully exploited.
According to information provided by Microsoft, none of the web browser vulnerabilities have exploit code currently available nor had the vulnerabilities been publicly disclosed prior to February 9.
Note: The vulnerabilities are classified as MODERATE for Server operating systems such as Windows Server 2008 (32, 64 bit and Itanium), Server 2008R2, Server 2012 and Server 2012R2.
MS16-010 – Windows Exchange server – patch released as part of January 2016 updates
MS16-011 – Windows 10 – Microsoft Edge – Remote Code Execution – CRITICAL
There are a total of six vulnerabilities being patched in the Edge web browser that ships with Windows 10. The vulnerabilities could allow Remote Code Execution on workstations if successfully exploited on Windows 10. As of this time, none of the Edge Browser Remote Code Execution vulnerabilities have been publicly disclosed.
MS16-012 – Windows – PDF library – Remote Code Execution – CRITICAL
There are two vulnerabilities being patched in the PDF library in Windows for the following Operating Systems: Windows 8.1, Windows 10 and Windows Server 2012 (including server core only installations). The vulnerability could allow remote code execution if
Microsoft Windows PDF Library improperly handles application programming interface (API) calls, which could allow an attacker to run arbitrary code on the user’s system.
MS16-013 – Windows Journal – Remote Code Execution – CRITICAL
There is one vulnerability being patched in all currently supported versions of Microsoft Office (including Macintosh). The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. The vulnerability exists in all current Windows workstation and Server versions.
MS16-014 – Windows – Remote Code Execution – IMPORTANT (according to Microsoft) – CRITICAL according to SANS https://isc.sans.edu/forums/diary/Microsoft+February+2016+Patch+Tuesday/20711/ .
There are five vulnerabilities being patched in the DLL loading and Kerberos components of Windows for all currently supported Microsoft operating systems (including server core only installations). The most severe vulnerability could allow remote code execution if successfully exploited. According to Microsoft, the attacker would have to be logged into the system and run a specially crafted application. Only one of the vulnerabilities has been disclosed publicly; it is only applicable to Windows Vista, Windows 7, Server 2008 and 2008R2, and it is classified as an Elevation of Privilege as opposed to Remote Code Execution.
The remainder of the vulnerabilities being patched in MS16-014 are less likely to have successful exploits with the exception of CVE-2016-0042 and that vulnerability is classified as IMPORTANT.
One of the two vulnerabilities could allow remote code execution if successfully exploited, and the second would allow an Information Disclosure condition. The vulnerabilities are designated as CRITICAL for the following workstation products: Vista (32 and 64 bit) and Windows 7 (32 and 64 bit), and IMPORTANT for Windows 8/8.1 (32 and 64 bit), Windows RT and RT 8.1, and Windows 10. Additionally, for the 2008 version of Windows Server, the remote code execution vulnerability is assigned a CRITICAL designation even for Server Core only installs. The second vulnerability being patched in MS16-005 addresses an error in Address Space Layout Randomization security protections.
Note: All patches in MS16-014 are designated as IMPORTANT for Server operating system installations.
MS16-015 – Microsoft Office and SharePoint implementations– Remote Code Execution – CRITICAL
There are six Remote Code Execution vulnerabilities being patched in all current versions of Microsoft Office (including Macintosh). Three of the vulnerabilities are the most severe and could allow remote code execution if a user opens a specially crafted Microsoft Office Word file. Four of the six vulnerabilities also exist in some versions of SharePoint 2007, 2010 and 2013 implementations and in Office Web Apps 2010 and 2013; however, these are classified as IMPORTANT as opposed to CRITICAL.
As of this time, information provided by Microsoft indicates the details have not been disclosed publicly nor has any exploit code been identified.
Note: All patches in MS16-015 are designated as IMPORTANT for Server operating system installations.
Note 2: There is also a completely separate security patch released for SharePoint Foundation 2013 installations that addresses an XSS (cross site scripting) vulnerability that is an elevation of privilege exploit. It is identified as CVE-2016-0039 and, as of February 9, had already been disclosed publicly.
MS16-016 – Windows – WebDAV – Elevation of Privilege – IMPORTANT
There is one Elevation of Privilege vulnerability being patched in Microsoft Web Distributed Authoring and Versioning. The vulnerability applies to the following products: Vista, Windows 7, Windows 8, 8.1 and Windows 10, Server 2008, 2008R2 and Server 2012, including Server core only installations. The vulnerability could allow elevation of privilege if an attacker uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specially crafted input to a server. For Windows 8, 8.1 and 10, and Server 2012 and R2, the exploit would trigger a denial of service condition as opposed to an elevation of privilege condition.
The security update addresses the vulnerability by correcting how WebDAV validates memory.
MS16-017 – Windows – Remote Desktop Display driver – Elevation of Privilege – IMPORTANT
There is one Elevation of Privilege vulnerability being patched in the Remote Desktop Protocol module of Microsoft Windows. The vulnerability applies to Windows 7, 8, 8.1 and 10. It also applies to Windows Server 2012 and Server 2012 R2 including server core only installs. The vulnerability could allow elevation of privilege if an authenticated attacker logs on to the target system using RDP and sends specially crafted data over the connection. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
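Because the bulletin's exposure hinges on whether RDP is enabled, the following PowerShell (an added example, not part of the original summary or Microsoft's bulletin) reports a host's RDP state, whether anything is listening on the configured RDP port, and whether a given update is installed. It assumes Windows 8/Server 2012 or later for Get-NetTCPConnection; the KB number is a placeholder, since this page does not list the MS16-017 KB article.

```powershell
# Added example: report RDP exposure relevant to MS16-017 on the local host.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection). The KB
# identifier is a placeholder, not a value taken from the bulletin.
function Get-RdpExposureReport {
    param(
        [string]$KbId = 'KB0000000'   # placeholder: supply the MS16-017 KB for this OS
    )

    $tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop is disabled (the Windows default).
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # Confirm the listener is actually up on the configured RDP port (default 3389).
    $port = (Get-ItemProperty -Path $rdpTcpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)

    # Check whether the update carrying the fix is present on this host.
    $patched = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        RdpEnabled      = $rdpEnabled
        RdpPort         = $port
        Listening       = $listening
        UpdateInstalled = $patched
        # Risk exists only when RDP is reachable and the fix is absent.
        ActionNeeded    = (($rdpEnabled -or $listening) -and -not $patched)
    }
}

Get-RdpExposureReport | Format-List
```

Run it in an elevated session so the registry and hotfix queries succeed; hosts that report RdpEnabled and Listening as False are not exposed to this vulnerability regardless of patch state.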
MS16-018 – Windows – Kernel Mode Drivers – Elevation of Privilege – IMPORTANT
There is one Elevation of Privilege vulnerability being patched in all versions of Windows Server and desktop operating systems (including server core only installations). The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
As of this time, information provided by Microsoft indicates the details have not been disclosed publicly nor has any exploit code been identified.
MS16-019 – Windows – Windows .NET framework – Denial Of Service/Information Disclosure – IMPORTANT
There is one Denial of Service and one Information Disclosure vulnerability being patched in all versions of Windows (including server versions) with any of the following .NET Framework versions installed: 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1. The more severe of the vulnerabilities could cause denial of service if an attacker inserts specially crafted XSLT into a client-side XML web part, causing the server to recursively compile XSLT transforms. The security update addresses the vulnerabilities by correcting how Microsoft WinForms validates decoder results and by correcting how .NET Framework handles extensible stylesheet language transformations (XSLT).
As of this time, information provided by Microsoft indicates the details have not been disclosed publicly nor has any exploit code been identified.
MS16-020 – Windows – Active Directory Federation Services – Denial Of Service – IMPORTANT
There is one denial of service vulnerability classified as IMPORTANT being patched in version 3.0 of Windows Active Directory Federation Services installed on Server 2012 (including Server core installations). The vulnerability could allow denial of service if an attacker sends certain input data during forms-based authentication to an ADFS server, causing the server to become nonresponsive.
As of this time, information provided by Microsoft indicates the details have not been disclosed publicly nor has any exploit code been identified.
MS16-021 – Windows – NPS Radius – Denial Of Service – IMPORTANT
There is one denial of service vulnerability being patched in the Network Policy Server Radius implementation (including server core only installs) of the following Windows Server operating systems: Server 2008, Server 2008R2, Server 2012, and Server 2012R2. The vulnerability could cause denial of service on a Network Policy Server (NPS) if an attacker sends specially crafted username strings to the NPS, which could prevent RADIUS authentication on the NPS. The security update addresses the vulnerability by changing how NPS parses username queries when implementing RADIUS.
As of this time, information provided by Microsoft indicates the details have not been disclosed publicly nor has any exploit code been identified.
Adobe security patches – Flash, Connect, Experience Manager, Photoshop CC and Bridge CC.
The following products received security updates from Adobe on February 9: Adobe Flash, Adobe Connect, Adobe Experience Manager, Adobe Photoshop CC and Bridge CC.
The updated version of Adobe Flash is 20.0.0.306. The updated version addresses twenty-two security vulnerabilities that are actively being targeted according to Adobe. The Adobe Flash update for Internet Explorer is included in Microsoft patch https://technet.microsoft.com/en-us/library/security/MS16-022 . The update applies to the following operating systems: Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2012 and Server 2012R2. Details for the Flash update are available at https://helpx.adobe.com/security/products/flash-player/apsb16-04.html
Details for other Adobe products updated on Feb 9 are available at https://helpx.adobe.com/security.html
AgriLife ISO Recommendation
Considering that the Internet Explorer and Adobe Flash vulnerabilities are likely to be exploited in the near future, it is recommended that the February Microsoft patches be applied as soon as possible to workstation and server systems, following appropriate testing.