The content below has been posted on the AgriLife Security Blog at – https://ait-security.tamu.edu/2016/05/10/patches-for-microsoft-and-adobe-products-for-may/
Microsoft recently released the patches for May 2016. The details are available at http://technet.microsoft.com/en-us/security/bulletin/ms16-may
AgriLife ISO Recommendation
Takeaway – As the Flash vulnerabilities are currently being exploited, and at least one of the Remote Code Execution vulnerabilities for Internet Explorer (MS16-051) is being exploited, it is recommended that all Adobe Flash installs and Windows Operating Systems be updated as soon as possible for both workstations and servers.
Patch details
Vulnerabilities being patched in bulletins MS16-051 through MS16-059 could allow remote code execution if successfully exploited.
Remote code execution exploits are commonly delivered via drive-by (web page) attacks or email attachments to compromise workstation operating systems. In the case of Windows or Office vulnerabilities, remote code execution is exploitable via specially crafted files or media content. The majority of the remote code execution vulnerabilities are exploitable via memory corruption. Other mechanisms of compromise could allow the following exploits: Elevation of Privilege, Security Feature Bypass, Denial of Service or Information Disclosure.
The May bulletins are identified as MS16-051 through MS16-067.
CRITICAL patches for May
The CRITICAL vulnerabilities apply to Windows, Internet Explorer and Edge (Windows 10 browser), Office, Office Services and Web Apps, and Adobe Flash Player, and could allow remote code execution if successfully exploited.
IMPORTANT bulletins (at least two of which could allow remote code execution) apply to Windows, .NET Framework and Adobe Flash.
MS16-051 – Internet Explorer – Remote Code Execution – CRITICAL – PATCH IMMEDIATELY
There are a total of five vulnerabilities being patched in Internet Explorer (three of which are designated as critical for at least one Internet Explorer client version). Additionally, all three of the critical vulnerabilities apply to the most hardened browser, IE11. The critical vulnerabilities would allow remote code execution if successfully exploited (even on Windows 10).
According to information provided by Microsoft, exploits are already being identified for one of the web browser vulnerabilities, CVE-2016-0189, although it was not publicly disclosed prior to May 10. For the reasons just identified, it is recommended that the patch for Internet Explorer be applied immediately. The actual vulnerability appears to exist in the JScript and VBScript engines (which are effectively Windows modules as opposed to Internet Explorer modules).
A second vulnerability (that is being patched in MS16-051) has been disclosed publicly but could only allow a security feature bypass if successfully exploited. That vulnerability only exists on IE11 on Windows 10.
Note associated with MS16-051 from Microsoft: Multiple remote code execution vulnerabilities exist in the way that the JScript and VBScript engines render when handling objects in memory in Internet Explorer. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. The update addresses the vulnerabilities by modifying how the JScript and VBScript scripting engines handle objects in memory.
Note2: The vulnerabilities are classified as MODERATE for Server operating systems such as Windows Server 2008 (32, 64 bit and Itanium), Server 2008R2, Server 2012 and Server 2012R2.
MS16-052 – Windows 10 – Microsoft Edge – Remote Code Execution – CRITICAL
There are a total of four vulnerabilities being patched in the Edge web browser that ships with Windows 10. All of the vulnerabilities could allow Remote Code Execution on workstations if successfully exploited on Windows 10. The two exceptions could allow an Elevation of Privilege condition on the Edge Browser for Windows 10. As of this time, none of the Edge Browser Remote Code Execution vulnerabilities have been publicly disclosed.
Note from Microsoft regarding MS16-052: Multiple remote code execution vulnerabilities exist in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. The update addresses the vulnerabilities by modifying how the Chakra JavaScript scripting engine handles objects in memory.
MS16-053 – Windows Vista and Server 2008 (all versions) – JScript and VBScript scripting engines – Remote Code Execution – CRITICAL
There are two vulnerabilities being patched in the JScript and VBScript engines for the following Operating Systems and applications: Windows Vista SP2 (32 and 64 bit), Windows Server 2008 SP2 (32 and 64 bit) and Itanium, including Server core only installs. The vulnerabilities are the same CVE numbers as identified in MS16-051. With regard to MS16-053, the vulnerabilities appear to only apply to Vista and Server 2008 implementations. As previously indicated, at least one exploit has been identified for the vulnerability being patched in MS16-053.
MS16-054 – Office and Office Services and Web Apps – Remote Code Execution – CRITICAL
There are four vulnerabilities being patched in the following versions of Office: Office and Word 2007SP3, Office and Word 2010SP2 (32 and 64 bit versions), Word 2010SP2 (32 and 64 bit versions), Office 2013SP1 (32 and 64 bit versions), Office and Word 2013 RT, Office and Word 2016, Office for Mac 2011, Office for Mac 2016, and Office Compatibility Pack and Word Viewer, Microsoft SharePoint Server 2010 and Office Web Apps 2010SP2. Two of the vulnerabilities are classified as CRITICAL for all operating systems and applications (CVE-2016-0183 and CVE-2016-0198) and the remaining two are classified as IMPORTANT.
According to information provided by Microsoft, the vulnerability had not been publicly disclosed nor had exploit code been made available as of May 10.
Note: Details from Microsoft on CVE-2016-0183 – A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are multiple ways an attacker could exploit this vulnerability. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability, and then convince a user to view the website. An attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by getting the user to click a link in an email or in an Instant Messenger message that takes the user to the attacker’s website, or by opening an attachment sent through email.
In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince a user to open the document file.
Note that where the severity is indicated as Critical in the Affected Software and Vulnerability Severity Ratings table, the Preview Pane is an attack vector for CVE-2016-0183. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.
Note: Details from Microsoft on CVE-2016-0198 – Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Exploitation of the vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file. The security update addresses the vulnerabilities by correcting how Office handles objects in memory.
MS16-055 – Windows – Graphics Component (GDI) – Remote Code Execution – CRITICAL
There are three remote code execution and two information disclosure vulnerabilities being patched in the Graphics Component Module of all current Microsoft operating systems, including server core only installations. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a specially crafted website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
According to information provided by Microsoft, the vulnerability had not been publicly disclosed nor had exploit code been made available as of May 10.
MS16-056 – Windows Journal – Remote Code Execution – One CRITICAL – Three IMPORTANT
There is one Remote Code Execution vulnerability being patched in all of the following versions of Microsoft Windows: Vista (all versions), Windows 7 (all versions), Windows 8.1 (all versions), Windows RT 8.1, and Windows 10. The vulnerability could allow a CRITICAL remote code execution condition if successfully exploited.
As of this time, information provided by Microsoft indicates the details have not been disclosed publicly nor has exploit code been potentially identified.
Note from Microsoft regarding MS16-056: A remote code execution vulnerability exists in Microsoft Windows when a specially crafted Journal file is opened in Windows Journal. An attacker who successfully exploited this vulnerability could cause arbitrary code to execute in the context of the current user. If a user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
For an attack to be successful, this vulnerability requires that a user open a specially crafted Journal file with an affected version of Windows Journal. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Journal file to the user, and then convincing the user to open the file. The update addresses the vulnerability by modifying how Windows Journal parses Journal files.
MS16-057 – Windows Remote Shell – Remote Code Execution – CRITICAL
There is one critical Remote Code Execution vulnerability being patched in all of the following versions of Windows: Windows 8.1, Windows RT 8.1, Windows 10, and Windows Server 2008R2.
As of this time, according to Microsoft, the details of the remote code execution vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Note from Microsoft on MS16-057: A remote code execution vulnerability exists when Windows Shell improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email or Instant Messenger message that takes them to the attacker’s site. The security update fixes this vulnerability by correcting how Windows Shell handles objects in memory.
MS16-058 – Windows Vista and Server 2008 (all versions) – IIS – DLL loading – IMPORTANT
There is one Remote Code Execution vulnerability being patched in the IIS module of Microsoft Windows. The vulnerability applies to the following operating systems: Vista and Windows Server 2008 (32, 64 bit and Itanium) including server core only installations. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application.
The attack is feasible because Windows failed to properly validate before loading certain libraries. An attacker could exploit the vulnerabilities to execute malicious code. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.
As of this time, according to Microsoft, the details of the remote code execution vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
MS16-059 – Windows – Media Resource Center – Remote Code Execution/Information Disclosure – IMPORTANT
There is one vulnerability being patched in Windows Media Resource Center for the following Operating Systems: Vista, Windows 7, and Windows 8.1. The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code.
An attacker who successfully exploited this vulnerability could take control of an affected system. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Workstations are primarily at risk of this vulnerability.
As of this time, according to Microsoft, the details of the remote code execution vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Note from Microsoft regarding MS16-059: To exploit the vulnerability, user interaction is required. In a web-browsing scenario, a user would have to navigate to a compromised website that an attacker is using to host a malicious .mcl file. In an email attack scenario, an attacker would have to convince a user who is logged on to a vulnerable workstation to click a specially crafted link in an email. The security update addresses the vulnerability by correcting how Windows Media Center handles certain resources in the .mcl file.
MS16-060 – Windows – Kernel – Elevation of Privilege – IMPORTANT
There is one Elevation of Privilege vulnerability being patched in the following versions of Windows: Vista, Windows 7, Windows 8, Windows RT 8.1, Windows 10, Windows Server 2008, Server 2008R2, Server 2012 and Server 2012R2 (including server core only installs).
As of this time, according to Microsoft, the details of the elevation of privilege vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Note from Microsoft regarding MS16-060: An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel parses symbolic links.
MS16-061 – Windows – RPC Network Data Representation – Elevation of Privilege – IMPORTANT
There is one Elevation of Privilege vulnerability being patched in the following Windows Operating Systems: Vista (all versions), Windows 7 (all versions), Windows 8.1 (all versions), Windows RT 8.1, Windows 10 (all versions), Windows Server 2008 (all versions), Windows Server 2008R2 (all versions) and Windows Server 2012 (all versions) including server core only installs. The vulnerability could allow elevation of privilege if an unauthenticated attacker makes malformed Remote Procedure Call (RPC) requests to an affected host.
As of May 10, according to Microsoft, the details of the elevation of privilege vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Notes from Microsoft regarding MS16-061: An elevation of privilege vulnerability exists in the way that Microsoft Windows handles specially crafted Remote Procedure Call (RPC) requests. A privilege elevation can occur when the RPC Network Data Representation (NDR) Engine improperly frees memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An unauthenticated attacker could exploit the vulnerability by making malformed RPC requests to an affected host. The update addresses this vulnerability by modifying the way that Microsoft Windows handles RPC messages.
MS16-062 – Windows – Kernel Mode Drivers – Elevation of Privilege – IMPORTANT
Patch MS16-062 addresses six Elevation of Privilege and one Information Disclosure vulnerabilities in the following Windows Operating Systems: Vista (all versions), Windows 7, Windows 8.1, Windows RT 8.1, and Windows 10. The vulnerabilities also apply to the following Server Operating Systems: Server 2008, Server 2008R2 (all versions), and Windows Server 2012 (all versions) and includes server core only installs. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
As of May 10, according to Microsoft, the details of the security feature bypass vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Notes from Microsoft on MS16-062
- How the Windows kernel-mode driver handles objects in memory.
- How the Windows kernel handles memory addresses.
- The way in which the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) handles certain calls and escapes to preclude improper memory mapping and prevent unintended elevation from user-mode.
Regarding Elevation of Privilege Vulnerabilities associated with CVEs-0171, 0173, 0174, and 0176: Multiple elevation of privilege vulnerabilities exist in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerabilities, an attacker would first have to log on to the target system. An attacker could then run a specially crafted application that could exploit the vulnerabilities and take control over an affected system. The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.
Regarding Information Disclosure vulnerability: A security feature bypass vulnerability exists in Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this vulnerability could retrieve the memory address of a kernel object.
To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows kernel handles memory addresses.
Regarding Elevation of Privilege Vulnerability for DirectX Graphics Kernel Subsystem: An elevation of privilege vulnerability exists when the DirectX Graphics kernel subsystem (dxgkrnl.sys) improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system.
An attacker who successfully exploited this vulnerability could run processes in an elevated context. The update addresses the vulnerability by correcting the way in which the Microsoft DirectX graphics kernel subsystem handles objects in memory.
MS16-063 – Not released
No details were provided on patch MS16-063. It is assumed it will be released at a future date.
MS16-064 – Windows – Adobe Flash – Remote Code Execution – CRITICAL – PATCH IMMEDIATELY
Bulletin MS16-064 is associated with the updated Adobe Flash (version yet to be determined) and addresses twenty-five vulnerabilities that apply to the following Microsoft Operating Systems: Windows 8.1, Windows 10, Windows Server 2012 and Server 2012R2 (when full installs are performed). At least one of the vulnerabilities (CVE-2016-4117) is currently being exploited.
Please see the MS16-064 URL for details on exploit scenarios and mitigation practices.
Note: As of Feb 9, all updates to Adobe Flash included in Internet Explorer and Edge will be listed in the format of the normal Microsoft update sequence (IE MS16-XX). The advisory of 2755801 will no longer be updated.
MS16-065 – Windows – TLS/SSL – Information Disclosure – IMPORTANT
Bulletin MS16-065 addresses one TLS/SSL Information Disclosure vulnerability in all current versions of .NET framework on the following Windows workstation operating systems: Vista, Windows 7, Windows 8.1, Windows 8.1 RT, Windows 10 and the following Windows Server operating systems: Server 2008 (all versions), Server 2008R2 (all versions), Server 2012, and Server 2012R2. As of May 10, the vulnerability had been publicly disclosed but exploit code had yet to be identified.
Notes from Microsoft regarding MS16-065:
An information disclosure vulnerability exists in the TLS/SSL protocol, implemented in the encryption component of Microsoft .NET Framework. An attacker who successfully exploited this vulnerability could decrypt encrypted SSL/TLS traffic.
To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server. The update addresses the vulnerability by modifying the way that the .NET encryption component sends and receives encrypted network packets.
Important: Microsoft recommends that customers download and test the applicable update in controlled/managed environments before deploying it in their production environments.
In case of application compatibility issues, the recommended approach is to ensure that the server and client endpoints are correctly implementing the TLS RFC, and that they can interpret two split records containing 1, n-1 bytes respectively after this update. For more information and developer guidance, see Microsoft Knowledge Base Article 3155464.
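The compatibility issue described above, as an added example that is not code from Microsoft or from the original post: a sender that emits application data as two records of 1 and n-1 bytes, an endpoint that wrongly treats one record as one message, and an endpoint that reassembles the byte stream correctly. It models only the record framing (type, version, length) with plaintext fragments, whereas real TLS encrypts and authenticates each fragment; all function names are hypothetical and the sample message is constructed.

```python
import struct

APPLICATION_DATA = 23      # TLS ContentType value for application data
TLS_1_0 = (3, 1)           # record-layer version bytes for TLS 1.0
HEADER = "!BBBH"           # type(1) | major(1) | minor(1) | length(2)
HEADER_LEN = struct.calcsize(HEADER)


def make_record(fragment: bytes, version=TLS_1_0) -> bytes:
    """Frame one record around a fragment (plaintext model, no encryption)."""
    return struct.pack(HEADER, APPLICATION_DATA, version[0], version[1],
                       len(fragment)) + fragment


def send_split(data: bytes) -> bytes:
    """Emit n bytes of application data as a 1-byte record then an (n-1)-byte record."""
    if len(data) <= 1:
        return make_record(data)          # nothing to split
    return make_record(data[:1]) + make_record(data[1:])


def parse_records(stream: bytes) -> list:
    """Return the fragment of every record in the stream, rejecting truncation."""
    fragments, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < HEADER_LEN:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack_from(HEADER, stream, offset)
        if ctype != APPLICATION_DATA:
            raise ValueError("unexpected content type %d" % ctype)
        offset += HEADER_LEN
        if len(stream) - offset < length:
            raise ValueError("truncated record body")
        fragments.append(stream[offset:offset + length])
        offset += length
    return fragments


def receive_naive(stream: bytes) -> bytes:
    """Fragile endpoint: assumes the first record carries the whole message."""
    return parse_records(stream)[0]


def receive_correct(stream: bytes) -> bytes:
    """Conforming endpoint: application data is a byte stream, so record
    boundaries carry no meaning and fragments are simply concatenated."""
    return b"".join(parse_records(stream))


if __name__ == "__main__":
    message = b"GET /status HTTP/1.1\r\n\r\n"   # constructed sample payload
    wire = send_split(message)
    print("record sizes:", [len(f) for f in parse_records(wire)])
    print("naive endpoint sees:  ", receive_naive(wire))
    print("correct endpoint sees:", receive_correct(wire))
```

An endpoint that behaves like `receive_naive` is the kind that needs fixing before the update is deployed, which is why testing in a controlled environment is recommended.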
The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:
MS16-066 – Windows 10 (only) – Hypervisor Code Integrity – Security Bypass – IMPORTANT
One vulnerability in Virtual Secure Mode (also known as Hypervisor Code Integrity) is being patched in MS16-066 for all 32 and 64 bit versions of Windows 10. The vulnerability could allow a security feature bypass if an attacker runs a specially crafted application to bypass code integrity protections in Windows. As of May 10, the vulnerability had yet to be made public nor had exploit code been identified.
Notes from Microsoft on MS16-066: A security feature bypass vulnerability exists when Windows incorrectly allows certain kernel-mode pages to be marked as Read, Write, Execute (RWX) even with Hypervisor Code Integrity (HVCI) enabled.
To exploit this vulnerability, an attacker could run a specially crafted application to bypass code integrity protections in Windows. The security update addresses the vulnerability by correcting security feature behavior to preclude the incorrect marking of RWX pages under HVCI.
MS16-067 – Windows 8.1 and Server 2012 – Volume Manager Driver – Information Disclosure – IMPORTANT
One vulnerability is being patched in Volume Manager Driver for the following Windows operating systems: Windows 8.1 (all versions), Windows RT 8.1, Windows 10, and Windows Server 2012 (all versions) including server core only installs. The vulnerability could allow information disclosure if a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user.
As of May 10, according to Microsoft, the details of the information disclosure vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Notes from Microsoft on MS16-067: An information disclosure vulnerability exists in Microsoft Windows when a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user. An attacker who successfully exploited this vulnerability could obtain access to file and directory information on the mounting user’s USB disk. This update addresses the vulnerability by ensuring that access to USB disks over RDP is correctly enforced to prevent non-mounting session access.
Adobe security patches – Adobe Reader and Acrobat
A security update for Adobe Reader was released on May 5. See the following URL for version updates
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. The update addresses the vulnerabilities by modifying how the Chakra JavaScript scripting engine handles objects in memory.
MS16-053 – Windows Vista and Server 2008 (all versions) – JScript and VBScript scripting engines – Remote Code Execution – CRITICAL
There are two vulnerabilities being patched in the JScript and VBScript scripting engines for the following Operating Systems and applications: Windows Vista SP2 (32 and 64 bit) and Windows Server 2008 SP2 (32 and 64 bit and Itanium), including Server core only installs. The vulnerabilities are the same CVE numbers as identified in MS16-051. With regard to MS16-053, the vulnerabilities appear to only apply to Vista and Server 2008 implementations. As previously indicated, at least one exploit has been identified for the vulnerability being patched in MS16-053.
MS16-054 – Office and Office Services and Web Apps – Remote Code Execution – CRITICAL
There are four vulnerabilities being patched in the following versions of Office: Office and Word 2007SP3, Office and Word 2010SP2 (32 and 64 bit versions), Word 2010SP2 (32 and 64 bit versions), Office 2013SP1 (32 and 64 bit versions), Office and Word 2013 RT, Office and Word 2016, Office for Mac 2011, Office for Mac 2016, and Office Compatibility Pack and Word Viewer, Microsoft SharePoint Server 2010 and Office Web Apps 2010SP2. Two of the vulnerabilities are classified as CRITICAL for all operating systems and applications (CVE-2016-0183 and CVE-2016-0198) and the remaining two are classified as IMPORTANT.
According to information provided by Microsoft, the vulnerability had not been publicly disclosed nor had exploit code been made available as of May 10.
Note: Details from Microsoft on CVE-2016-0183 – A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are multiple ways an attacker could exploit this vulnerability. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability, and then convince a user to view the website. An attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by getting the user to click a link in an email or in an Instant Messenger message that takes the user to the attacker’s website, or by opening an attachment sent through email.
In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince a user to open the document file.
Note that where the severity is indicated as Critical in the Affected Software and Vulnerability Severity Ratings table, the Preview Pane is an attack vector for CVE-2016-0183. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.
Note: Details from Microsoft on CVE-2016-0198 – Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Exploitation of the vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file. The security update addresses the vulnerabilities by correcting how Office handles objects in memory.
MS16-055 – Windows – Graphics Component (GDI) – Remote Code Execution – CRITICAL
There are three remote code execution and two information disclosure vulnerabilities being patched in the Graphics Component Module of all current Microsoft operating systems, including server core only installations. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a specially crafted website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
According to information provided by Microsoft, the vulnerability had not been publicly disclosed nor had exploit code been made available as of May 10.
MS16-056 – Windows Journal – Remote Code Execution – One CRITICAL – Three IMPORTANT
There is one Remote Code Execution vulnerability being patched in all of the following versions of Microsoft Windows: Vista (all versions), Windows 7 (all versions), Windows 8.1 (all versions), Windows RT 8.1, and Windows 10. The vulnerability could allow a CRITICAL remote code execution condition if successfully exploited.
As of this time, information provided by Microsoft indicates the details have not been disclosed publicly nor has exploit code been potentially identified.
Note from Microsoft regarding MS16-056: A remote code execution vulnerability exists in Microsoft Windows when a specially crafted Journal file is opened in Windows Journal. An attacker who successfully exploited this vulnerability could cause arbitrary code to execute in the context of the current user. If a user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
For an attack to be successful, this vulnerability requires that a user open a specially crafted Journal file with an affected version of Windows Journal. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Journal file to the user, and then convincing the user to open the file. The update addresses the vulnerability by modifying how Windows Journal parses Journal files.
MS16-057 – Windows Remote Shell – Remote Code Execution – CRITICAL
There is one critical Remote Code Execution vulnerability being patched in all of the following versions of Windows: Windows 8.1, Windows RT 8.1, Windows 10, and Windows Server 2008R2.
As of this time, according to Microsoft, the details of the remote code execution vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Note from Microsoft on MS16-057: A remote code execution vulnerability exists when Windows Shell improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email or Instant Messenger message that takes them to the attacker’s site. The security update fixes this vulnerability by correcting how Windows Shell handles objects in memory.
MS16-058 – Windows Vista and Server 2008 (all versions) – IIS – DLL loading – IMPORTANT
There is one Remote Code Execution vulnerability being patched in the IIS module of Microsoft Windows. The vulnerability applies to the following operating systems: Vista and Windows Server 2008 (32, 64 bit and Itanium) including server core only installations. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application.
The attack is feasible because Windows failed to properly validate input before loading certain libraries. An attacker could exploit the vulnerabilities to execute malicious code. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.
As of this time, according to Microsoft, the details of the remote code execution vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
MS16-059 – Windows – Media Resource Center – Remote Code Execution/Information Disclosure – IMPORTANT
There is one vulnerability being patched in Windows Media Resource Center for the following Operating Systems: Vista, Windows 7, and Windows 8.1. The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code.
An attacker who successfully exploited this vulnerability could take control of an affected system. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Workstations are primarily at risk of this vulnerability.
As of this time, according to Microsoft, the details of the remote code execution vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Note from Microsoft regarding MS16-059: To exploit the vulnerability, user interaction is required. In a web-browsing scenario, a user would have to navigate to a compromised website that an attacker is using to host a malicious .mcl file. In an email attack scenario, an attacker would have to convince a user who is logged on to a vulnerable workstation to click a specially crafted link in an email. The security update addresses the vulnerability by correcting how Windows Media Center handles certain resources in the .mcl file.
MS16-060 – Windows – Kernel – Elevation of Privilege – IMPORTANT
There is one Elevation of Privilege vulnerability being patched in the following versions of Windows: Vista, Windows 7, Windows 8, Windows RT 8.1, Windows 10, Windows Server 2008, Server 2008R2, Server 2012 and Server 2012R2 (including server core only installs).
As of this time, according to Microsoft, the details of the remote code execution vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Note from Microsoft regarding MS16-060: An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel parses symbolic links.
MS16-061 – Windows – RPC Network Data Representation – Elevation of Privilege – IMPORTANT
There is one Elevation of Privilege vulnerability being patched in the following Windows Operating Systems: Vista (all versions), Windows 7 (all versions), Windows 8.1 (all versions), Windows RT 8.1, Windows 10 (all versions), Windows Server 2008 (all versions), Windows Server 2008R2 (all versions) and Windows Server 2012 (all versions) including server core only installs. The vulnerability could allow elevation of privilege if an unauthenticated attacker makes malformed Remote Procedure Call (RPC) requests to an affected host.
As of May 10, according to Microsoft, the details of the elevation of privilege vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Notes from Microsoft regarding MS16-061: An elevation of privilege vulnerability exists in the way that Microsoft Windows handles specially crafted Remote Procedure Call (RPC) requests. A privilege elevation can occur when the RPC Network Data Representation (NDR) Engine improperly frees memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An unauthenticated attacker could exploit the vulnerability by making malformed RPC requests to an affected host. The update addresses this vulnerability by modifying the way that Microsoft Windows handles RPC messages.
MS16-062 – Windows – Kernel Mode Drivers – Elevation of Privilege – IMPORTANT
Patch MS16-062 addresses six Elevation of Privilege and one Information Disclosure vulnerabilities in the following Windows Operating Systems: Vista (all versions), Windows 7, Windows 8.1, Windows RT 8.1, and Windows 10. The vulnerabilities also apply to the following Server Operating Systems: Server 2008, Server 2008R2 (all versions), and Windows Server 2012 (all versions) and includes server core only installs. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
As of May 10, according to Microsoft, the details of the security feature bypass vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Notes from Microsoft on MS16-062: The security update addresses the vulnerabilities by correcting:
- How the Windows kernel-mode driver handles objects in memory.
- How the Windows kernel handles memory addresses.
- The way in which the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) handles certain calls and escapes to preclude improper memory mapping and prevent unintended elevation from user-mode.
Regarding Elevation of Privilege Vulnerabilities associated with CVEs-0171, 0173, 0174, and 0176: Multiple elevation of privilege vulnerabilities exist in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerabilities, an attacker would first have to log on to the target system. An attacker could then run a specially crafted application that could exploit the vulnerabilities and take control over an affected system. The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.
Regarding Information Disclosure vulnerability: A security feature bypass vulnerability exists in Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this vulnerability could retrieve the memory address of a kernel object.
To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows kernel handles memory addresses.
Regarding Elevation of Privilege Vulnerability for DirectX Graphics Kernel Subsystem: An elevation of privilege vulnerability exists when the DirectX Graphics kernel subsystem (dxgkrnl.sys) improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system.
An attacker who successfully exploited this vulnerability could run processes in an elevated context. The update addresses the vulnerability by correcting the way in which the Microsoft DirectX graphics kernel subsystem handles objects in memory.
MS16-063 – Not released
No details were provided on patch MS16-063. It is assumed it will be released at a future date.
MS16-064 – Windows – Adobe Flash – Remote Code Execution – CRITICAL – PATCH IMMEDIATELY
Bulletin MS16-064 is associated with the updated Adobe Flash (version yet to be determined) and addresses twenty-five vulnerabilities that apply to the following Microsoft Operating Systems: Windows 8.1, Windows 10, Windows Server 2012 and Server 2012R2 (when full installs are performed). At least one of the vulnerabilities (CVE-2016-4117) is currently being exploited.
Please see the MS16-064 URL for details on exploit scenarios and mitigation practices.
Note: As of Feb 9, all updates to Adobe Flash included in Internet Explorer and Edge will be listed in the format of the normal Microsoft update sequence (IE MS16-XX). The advisory of 2755801 will no longer be updated.
MS16-065 – Windows – TLS/SSL – Information Disclosure – IMPORTANT
Bulletin MS16-065 addresses one TLS/SSL Information Disclosure vulnerability in all current versions of .NET framework on the following Windows workstation operating systems: Vista, Windows 7, Windows 8.1, Windows 8.1 RT, Windows 10 and the following Windows Server operating systems: Server 2008 (all versions), Server 2008R2 (all versions), Server 2012, and Server 2012R2. As of May 10, the vulnerability had been publicly disclosed but exploit code had yet to be identified.
Notes from Microsoft regarding MS16-065:
An information disclosure vulnerability exists in the TLS/SSL protocol, implemented in the encryption component of Microsoft .NET Framework. An attacker who successfully exploited this vulnerability could decrypt encrypted SSL/TLS traffic.
To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server. The update addresses the vulnerability by modifying the way that the .NET encryption component sends and receives encrypted network packets.
Important: Microsoft recommends that customers download and test the applicable update in controlled/managed environments before deploying it in their production environments.
In case of application compatibility issues, the recommended approach is to ensure that the server and client endpoints are correctly implementing the TLS RFC, and that they can interpret two split records containing 1, n-1 bytes respectively after this update. For more information and developer guidance, see Microsoft Knowledge Base Article 3155464.
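The compatibility point above (a receiver must accept one write arriving as two records of 1 and n-1 bytes) is shown below as an added example; it is not Microsoft's code or part of the original post. It assumes a simplified record layer that carries plaintext with no encryption or MAC, and a hypothetical 2-byte length-prefixed application message format.

```python
"""1/n-1 record splitting seen from the receiving side (added example).

Simplification: records carry plaintext, with no cipher, MAC or padding, so
only the framing behaviour is modelled. The 2-byte length-prefixed message
format is hypothetical.
"""
import struct

APPLICATION_DATA = 23                  # TLS ContentType for application_data
TLS_1_0 = (3, 1)                       # version bytes in a TLS 1.0 record header
HEADER = "!BBBH"                       # type, version major, version minor, length
HEADER_LEN = struct.calcsize(HEADER)   # 5 bytes


def make_record(fragment, content_type=APPLICATION_DATA, version=TLS_1_0):
    """Wrap one fragment in a TLS-style record header."""
    header = struct.pack(HEADER, content_type, version[0], version[1], len(fragment))
    return header + fragment


def send_unsplit(payload):
    """Sender behaviour before the update: one record for the whole write."""
    return make_record(payload)


def send_split(payload):
    """Sender behaviour after the update: records of 1 and n-1 bytes."""
    if len(payload) <= 1:
        return make_record(payload)
    return make_record(payload[:1]) + make_record(payload[1:])


def parse_records(wire):
    """Return [(content_type, fragment), ...]; reject truncated input."""
    records, offset = [], 0
    while offset < len(wire):
        if len(wire) - offset < HEADER_LEN:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack_from(HEADER, wire, offset)
        offset += HEADER_LEN
        fragment = wire[offset:offset + length]
        if len(fragment) != length:
            raise ValueError("truncated record body")
        records.append((ctype, fragment))
        offset += length
    return records


def fragment_sizes(wire):
    """Payload size of each record on the wire, in order."""
    return [len(fragment) for _ctype, fragment in parse_records(wire)]


def frame_message(body):
    """Hypothetical application framing: 2-byte big-endian length, then body."""
    return struct.pack("!H", len(body)) + body


def naive_receiver(wire):
    """Brittle: treats every record as exactly one application message."""
    messages = []
    for ctype, fragment in parse_records(wire):
        if ctype != APPLICATION_DATA:
            continue
        if len(fragment) < 2:
            raise ValueError("record too short to hold a message header")
        (length,) = struct.unpack_from("!H", fragment)
        if length != len(fragment) - 2:
            raise ValueError("message length does not match record length")
        messages.append(fragment[2:])
    return messages


def stream_receiver(wire):
    """Correct: record boundaries carry no meaning; parse the joined stream."""
    stream = b"".join(f for ctype, f in parse_records(wire) if ctype == APPLICATION_DATA)
    messages, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 2:
            raise ValueError("incomplete length prefix")
        (length,) = struct.unpack_from("!H", stream, offset)
        offset += 2
        body = stream[offset:offset + length]
        if len(body) != length:
            raise ValueError("incomplete message body")
        messages.append(body)
        offset += length
    return messages


def survives_split(receiver, body):
    """True if the receiver yields the same message with and without the split."""
    payload = frame_message(body)
    try:
        return receiver(send_split(payload)) == [body] == receiver(send_unsplit(payload))
    except ValueError:
        return False


if __name__ == "__main__":
    sample = b"GET /status"   # constructed sample message
    print("record sizes after split:", fragment_sizes(send_split(frame_message(sample))))
    print("naive receiver survives split: ", survives_split(naive_receiver, sample))
    print("stream receiver survives split:", survives_split(stream_receiver, sample))
```

A receiver that fails `survives_split` is the kind of endpoint to look for when testing the update in a controlled environment before production rollout.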
The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:
MS16-066 – Windows 10 (only) – Hypervisor Code Integrity – Security Bypass – IMPORTANT
One vulnerability in Virtual Secure Mode (also known as Hypervisor Code Integrity) is being patched in MS16-066 for all 32 and 64 bit versions of Windows 10. The vulnerability could allow a security feature bypass if an attacker runs a specially crafted application to bypass code integrity protections in Windows. As of May 10, the vulnerability had yet to be made public nor had exploit code been identified.
Notes from Microsoft on MS16-066: A security feature bypass vulnerability exists when Windows incorrectly allows certain kernel-mode pages to be marked as Read, Write, Execute (RWX) even with Hypervisor Code Integrity (HVCI) enabled.
To exploit this vulnerability, an attacker could run a specially crafted application to bypass code integrity protections in Windows. The security update addresses the vulnerability by correcting security feature behavior to preclude the incorrect marking of RWX pages under HVCI.
MS16-067 – Windows 8.1 and Server 2012 – Volume Manager Driver – Information Disclosure – IMPORTANT
One vulnerability is being patched in Volume Manager Driver for the following Windows operating systems: Windows 8.1 (all versions), Windows RT 8.1, Windows 10, and Windows Server 2012 (all versions) including server core only installs. The vulnerability could allow information disclosure if a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user.
As of May 10, according to Microsoft, the details of the security feature bypass vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Notes from Microsoft on MS16-067: An information disclosure vulnerability exists in Microsoft Windows when a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user. An attacker who successfully exploited this vulnerability could obtain access to file and directory information on the mounting user’s USB disk. This update addresses the vulnerability by ensuring that access to USB disks over RDP is correctly enforced to prevent non-mounting session access.
Adobe security patches – Adobe Reader and Acrobat
A security update (from Adobe) is due to be released for Adobe Flash on May 12. The update includes patches for 25 vulnerabilities, at least one of which is currently being exploited: https://helpx.adobe.com/security/products/flash-player/apsa16-02.html
As at least one of the vulnerabilities is being exploited, the patch should be applied as soon as possible.
The content below has been posted on the AgriLife Security Blog at – https://ait-security.tamu.edu/2016/05/10/patches-for-microsoft-and-adobe-products-for-may/
Microsoft recently released the patches for May 2016. The details are available at http://technet.microsoft.com/en-us/security/bulletin/ms16-may
AgriLife ISO Recommendation
Takeaway – As the Flash vulnerabilities are currently being exploited, , and at least one of the Remote Code Execution vulnerabilities for Internet Explorer MS16-051 are being exploited, it is recommended that all Adobe Flash installs and Windows Operating Systems be updated as soon as possible for both workstations and servers.
Patch details
Vulnerabilities being patched in bulletins MS16-051 through MS16-059 could allow remote code execution if successfully exploited.
Remote code execution exploits are commonly used via drive by (web page) exploits or email attachments to compromise workstation operating systems. In the case of Windows or Office vulnerabilities, remote code execution is exploitable via specially crafted files or media content. The majority of the remote code execution vulnerabilities are exploitable via memory corruption compromises. Other mechanisms of compromise could allow the following exploits: Elevation of Privilege, Security Feature Bypass, Denial of Service or Information Disclosure.
The May bulletins are identified as MS16-051/MS16-067.
CRITICAL patches for May
The CRITICAL vulnerabilities apply to Windows, Internet Explorer and Edge (Windows 10 browser), Office, and Office Services and Web apps, Adobe Flash Player. and could allow remote code execution if successfully exploited.
IMPORTANT bulletins (at least two of which could allow remote code execution) apply to Windows, .NET Framework and Adobe Flash.
MS16-051 – Internet Explorer – Remote Code Execution – CRITICAL – PATCH IMMEDIATELY
There are a total of five vulnerabilities being patched in Internet Explorer (three of which are designated as critical for at least one Internet Explorer version clients). Additionally, all three of the critical vulnerabilities apply to the most hardened browser, IE11. The critical vulnerability would allow remote code execution if successfully exploited (even on Windows 10).
According to information provided by Microsoft, one of the web browser vulnerabilities while not publicly disclosed prior to May 10, exploits are already being identified – CVE-2016-0189 . The reasons just identified, it is recommended that the patch for Internet Explorer be applied immediately. The actual vulnerability appears to exist in the Jscript and VBScript engines (which are effectively Windows modules as opposed to Internet Explorer modules).
A second vulnerability (that is being patched in MS16-051) has been disclosed publicly but could only allow a security feature bypass if successfully exploited. That vulnerability only exists on IE11 on Windows 10.
Note associated with MS16-051 from Microsoft: Multiple remote code execution vulnerabilities exist in the way that the JScript and VBScript engines render when handling objects in memory in Internet Explorer. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. The update addresses the vulnerabilities by modifying how the JScript and VBScript scripting engines handle objects in memory.
Note2: The vulnerabilities are classified as MODERATE for Server operating systems such as Windows Server 2008 (32, 64 bit and Itanium), Server 2008R2, Server 2012 and Server 2012R2.
MS16-052 – Windows 10 – Microsoft Edge – Remote Code Execution – CRITICAL
There are a total of four vulnerabilities being patched in the Edge web browser that ships with Windows 10. All of the vulnerabilities could allow Remote Code Execution on workstations if successfully exploited on Windows 10. The two exceptions could allow an Elevation of Privilege condition on the Edge Browser for Windows 10. As of this time, none of the Edge Browser Remote Code Execution vulnerabilities have been publicly disclosed.
Note from Microsoft regarding MS16-052: Multiple remote code execution vulnerabilities exist in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. The update addresses the vulnerabilities by modifying how the Chakra JavaScript scripting engine handles objects in memory.
MS16-053 – Windows Vista and Server 2008 (all versions) – JScript and VBScript scripting engines – Remote Code Execution – CRITICAL
There are two vulnerabilities being patched in the JScript and VBScript scripting engines for the following operating systems and applications: Windows Vista SP2 (32 and 64 bit) and Windows Server 2008 SP2 (32 and 64 bit, and Itanium), including server core only installs. The vulnerabilities have the same CVE numbers as those identified in MS16-051. With regard to MS16-053, the vulnerabilities appear to apply only to Vista and Server 2008 implementations. As previously indicated, at least one exploit has been identified for the vulnerability being patched in MS16-053.
MS16-054 – Office and Office Services and Web Apps – Remote Code Execution – CRITICAL
There are four vulnerabilities being patched in the following versions of Office: Office and Word 2007SP3, Office and Word 2010SP2 (32 and 64 bit versions), Word 2010SP2 (32 and 64 bit versions), Office 2013SP1 (32 and 64 bit versions), Office and Word 2013 RT, Office and Word 2016, Office for Mac 2011, Office for Mac 2016, and Office Compatibility Pack and Word Viewer, Microsoft SharePoint Server 2010 and Office Web Apps 2010SP2. Two of the vulnerabilities are classified as CRITICAL for all operating systems and applications (CVE-2016-0183 and CVE-2016-0198) and the remaining two are classified as IMPORTANT.
According to information provided by Microsoft, the vulnerability had not been publicly disclosed nor had exploit code been made available as of May 10.
Note: Details from Microsoft on CVE-2016-0183 – A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are multiple ways an attacker could exploit this vulnerability. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability, and then convince a user to view the website. An attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by getting the user to click a link in an email or in an Instant Messenger message that takes the user to the attacker’s website, or by opening an attachment sent through email.
In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince a user to open the document file.
Note that where the severity is indicated as Critical in the Affected Software and Vulnerability Severity Ratings table, the Preview Pane is an attack vector for CVE-2016-0183. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.
Note: Details from Microsoft on CVE-2016-0198 – Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Exploitation of the vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file. The security update addresses the vulnerabilities by correcting how Office handles objects in memory.
MS16-055 – Windows – Graphics Component (GDI) – Remote Code Execution – CRITICAL
There are three remote code execution and two information disclosure vulnerabilities being patched in the Graphics Component Module of all current Microsoft operating systems, including server core only installations. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a specially crafted website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
According to information provided by Microsoft, the vulnerability had not been publicly disclosed nor had exploit code been made available as of May 10.
MS16-056 – Windows Journal – Remote Code Execution – One CRITICAL – Three IMPORTANT
There is one Remote Code Execution vulnerability being patched in all of the following versions of Microsoft Windows: Vista (all versions), Windows 7 (all versions), Windows 8.1 (all versions), Windows RT 8.1, and Windows 10. The vulnerability could allow a CRITICAL remote code execution condition if successfully exploited.
As of this time, information provided by Microsoft indicates the details have not been disclosed publicly nor has exploit code been potentially identified.
Note from Microsoft regarding MS16-056: A remote code execution vulnerability exists in Microsoft Windows when a specially crafted Journal file is opened in Windows Journal. An attacker who successfully exploited this vulnerability could cause arbitrary code to execute in the context of the current user. If a user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
For an attack to be successful, this vulnerability requires that a user open a specially crafted Journal file with an affected version of Windows Journal. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Journal file to the user, and then convincing the user to open the file. The update addresses the vulnerability by modifying how Windows Journal parses Journal files.
MS16-057 – Windows Remote Shell – Remote Code Execution – CRITICAL
There is one critical Remote Code Execution vulnerability being patched in all of the following versions of Windows: Windows 8.1, Windows RT 8.1, Windows 10, and Windows Server 2008R2.
As of this time, according to Microsoft, the details of the remote code execution vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Note from Microsoft on MS16-057: A remote code execution vulnerability exists when Windows Shell improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email or Instant Messenger message that takes them to the attacker’s site. The security update fixes this vulnerability by correcting how Windows Shell handles objects in memory.
MS16-058 – Windows Vista and Server 2008 (all versions) – IIS – DLL loading – IMPORTANT
There is one Remote Code Execution vulnerability being patched in the IIS module of Microsoft Windows. The vulnerability applies to the following operating systems: Vista and Windows Server 2008 (32, 64 bit and Itanium), including server core only installations. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application.
The attack is feasible because Windows fails to properly validate input before loading certain libraries. An attacker could exploit the vulnerabilities to execute malicious code. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.
As of this time, according to Microsoft, the details of the remote code execution vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
MS16-059 – Windows – Media Resource Center – Remote Code Execution/Information Disclosure – IMPORTANT
There is one vulnerability being patched in Windows Media Resource Center for the following Operating Systems: Vista, Windows 7, and Windows 8.1. The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code.
An attacker who successfully exploited this vulnerability could take control of an affected system. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Workstations are primarily at risk of this vulnerability.
As of this time, according to Microsoft, the details of the remote code execution vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Note from Microsoft regarding MS16-059: To exploit the vulnerability, user interaction is required. In a web-browsing scenario, a user would have to navigate to a compromised website that an attacker is using to host a malicious .mcl file. In an email attack scenario, an attacker would have to convince a user who is logged on to a vulnerable workstation to click a specially crafted link in an email. The security update addresses the vulnerability by correcting how Windows Media Center handles certain resources in the .mcl file.
MS16-060 – Windows – Kernel – Elevation of Privilege – IMPORTANT
There is one Elevation of Privilege vulnerability being patched in the following versions of Windows: Vista, Windows 7, Windows 8, Windows RT 8.1, Windows 10, Windows Server 2008, Server 2008R2, Server 2012 and Server 2012R2 (including server core only installs).
As of this time, according to Microsoft, the details of the elevation of privilege vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Note from Microsoft regarding MS16-060: An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel parses symbolic links.
MS16-061 – Windows – RPC Network Data Representation – Elevation of Privilege – IMPORTANT
There is one Elevation of Privilege vulnerability being patched in the following Windows Operating Systems: Vista (all versions), Windows 7 (all versions), Windows 8.1 (all versions), Windows RT 8.1, Windows 10 (all versions), Windows Server 2008 (all versions), Windows Server 2008R2 (all versions) and Windows Server 2012 (all versions) including server core only installs. The vulnerability could allow elevation of privilege if an unauthenticated attacker makes malformed Remote Procedure Call (RPC) requests to an affected host.
As of May 10, according to Microsoft, the details of the elevation of privilege vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Notes from Microsoft regarding MS16-061: An elevation of privilege vulnerability exists in the way that Microsoft Windows handles specially crafted Remote Procedure Call (RPC) requests. A privilege elevation can occur when the RPC Network Data Representation (NDR) Engine improperly frees memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An unauthenticated attacker could exploit the vulnerability by making malformed RPC requests to an affected host. The update addresses this vulnerability by modifying the way that Microsoft Windows handles RPC messages.
MS16-062 – Windows – Kernel Mode Drivers – Elevation of Privilege – IMPORTANT
Patch MS16-062 addresses six Elevation of Privilege and one Information Disclosure vulnerabilities in the following Windows Operating Systems: Vista (all versions), Windows 7, Windows 8.1, Windows RT 8.1, and Windows 10. The vulnerabilities also apply to the following Server Operating Systems: Server 2008, Server 2008R2 (all versions), and Windows Server 2012 (all versions) and includes server core only installs. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
As of May 10, according to Microsoft, the details of the security feature bypass vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Notes from Microsoft on MS16-062. The update corrects the following:
- How the Windows kernel-mode driver handles objects in memory.
- How the Windows kernel handles memory addresses.
- The way in which the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) handles certain calls and escapes to preclude improper memory mapping and prevent unintended elevation from user-mode.
Regarding Elevation of Privilege Vulnerabilities associated with CVEs-0171, 0173, 0174, and 0176: Multiple elevation of privilege vulnerabilities exist in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerabilities, an attacker would first have to log on to the target system. An attacker could then run a specially crafted application that could exploit the vulnerabilities and take control over an affected system. The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.
Regarding Information Disclosure vulnerability: A security feature bypass vulnerability exists in Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this vulnerability could retrieve the memory address of a kernel object.
To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows kernel handles memory addresses.
Regarding Elevation of Privilege Vulnerability for DirectX Graphics Kernel Subsystem: An elevation of privilege vulnerability exists when the DirectX Graphics kernel subsystem (dxgkrnl.sys) improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system.
An attacker who successfully exploited this vulnerability could run processes in an elevated context. The update addresses the vulnerability by correcting the way in which the Microsoft DirectX graphics kernel subsystem handles objects in memory.
MS16-063 – Not released
No details were provided on patch MS16-063. It is assumed it will be released at a future date.
MS16-064 – Windows – Adobe Flash – Remote Code Execution – CRITICAL – PATCH IMMEDIATELY
Bulletin MS16-064 is associated with the updated Adobe Flash (version yet to be determined) and addresses twenty-five vulnerabilities that apply to the following Microsoft Operating Systems: Windows 8.1, Windows 10, Windows Server 2012 and Server 2012R2 (when full installs are performed). At least one of the vulnerabilities (CVE-2016-04117) is currently being exploited.
Please see the MS16-064 URL for details on exploit scenarios and mitigation practices.
Note: As of Feb 9, all updates to Adobe Flash included in Internet Explorer and Edge will be listed in the format of the normal Microsoft update sequence (IE MS16-XX). The advisory of 2755801 will no longer be updated.
MS16-065 – Windows – TLS/SSL – Information Disclosure – IMPORTANT
Bulletin MS16-065 addresses one TLS/SSL Information Disclosure vulnerability in all current versions of .NET framework on the following Windows workstation operating systems: Vista, Windows 7, Windows 8.1, Windows 8.1 RT, Windows 10 and the following Windows Server operating systems: Server 2008 (all versions), Server 2008R2 (all versions), Server 2012, and Server 2012R2. As of May 10, the vulnerability had been publicly disclosed but exploit code had yet to be identified.
Notes from Microsoft regarding MS16-065:
An information disclosure vulnerability exists in the TLS/SSL protocol, implemented in the encryption component of Microsoft .NET Framework. An attacker who successfully exploited this vulnerability could decrypt encrypted SSL/TLS traffic.
To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server. The update addresses the vulnerability by modifying the way that the .NET encryption component sends and receives encrypted network packets.
Important: Microsoft recommends that customers download and test the applicable update in controlled/managed environments before deploying it in their production environments.
In case of application compatibility issues, the recommended approach is to ensure that the server and client endpoints are correctly implementing the TLS RFC, and that they can interpret two split records containing 1, n-1 bytes respectively after this update. For more information and developer guidance, see Microsoft Knowledge Base Article 3155464.
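The compatibility point above, as an added Python example (not from Microsoft or the original post): a simplified record-layer model showing why a peer that expects one whole application message per record breaks once the sender splits data into 1 and n-1 byte records, and how a stream-oriented receiver handles both cases. Records are modelled as plaintext fragments (encryption and MAC omitted); the 2-byte length framing, the sample message and all function names are assumptions made for illustration.

```python
import struct

APPLICATION_DATA = 23          # TLS ContentType for application data
TLS_1_0 = (3, 1)               # record version bytes used in the constructed sample

def make_record(payload, ctype=APPLICATION_DATA, version=TLS_1_0):
    """Build one TLS record: type(1) | version(2) | length(2) | fragment."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload

def split_1_n_minus_1(message):
    """Sender side: emit the message as two records of 1 and n-1 bytes."""
    if len(message) < 2:
        return make_record(message)
    return make_record(message[:1]) + make_record(message[1:])

def iter_records(stream):
    """Yield (content_type, fragment) for each complete record in the stream."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        offset += 5
        if len(stream) - offset < length:
            raise ValueError("truncated record fragment")
        yield ctype, stream[offset:offset + length]
        offset += length

def frame(body):
    """Hypothetical application framing: 2-byte big-endian length, then body."""
    return struct.pack("!H", len(body)) + body

def naive_receive(stream):
    """Fragile peer: assumes every record carries exactly one whole message."""
    messages = []
    for ctype, fragment in iter_records(stream):
        if ctype != APPLICATION_DATA:
            continue
        if len(fragment) < 2:
            raise ValueError("record too short to hold a framed message")
        (length,) = struct.unpack_from("!H", fragment)
        if length != len(fragment) - 2:
            raise ValueError("record does not hold exactly one message")
        messages.append(fragment[2:])
    return messages

def robust_receive(stream):
    """Correct peer: treats application data as a byte stream across records."""
    buffer = bytearray()
    messages = []
    for ctype, fragment in iter_records(stream):
        if ctype != APPLICATION_DATA:
            continue
        buffer += fragment
        while len(buffer) >= 2:
            (length,) = struct.unpack_from("!H", buffer)
            if len(buffer) < 2 + length:
                break                      # message continues in the next record
            messages.append(bytes(buffer[2:2 + length]))
            del buffer[:2 + length]
    if buffer:
        raise ValueError("stream ended inside a message")
    return messages

# Constructed sample: one framed application message, sent unsplit and split.
SAMPLE = frame(b"GET /status")
UNSPLIT = make_record(SAMPLE)
SPLIT = split_1_n_minus_1(SAMPLE)
```

Running `naive_receive(SPLIT)` raises `ValueError`, which is the kind of breakage to look for when testing the update against in-house clients and servers that read directly from a TLS stream.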
The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:
MS16-066 – Windows 10 (only) – Hypervisor Code Integrity – Security Bypass – IMPORTANT
One vulnerability in Virtual Secure Mode (also known as Hypervisor Code Integrity) is being patched in MS16-066 for all 32 and 64 bit versions of Windows 10. The vulnerability could allow a security feature bypass if an attacker runs a specially crafted application to bypass code integrity protections in Windows. As of May 10, the vulnerability had yet to be made public nor had exploit code been identified.
Notes from Microsoft on MS16-066: A security feature bypass vulnerability exists when Windows incorrectly allows certain kernel-mode pages to be marked as Read, Write, Execute (RWX) even with Hypervisor Code Integrity (HVCI) enabled.
To exploit this vulnerability, an attacker could run a specially crafted application to bypass code integrity protections in Windows. The security update addresses the vulnerability by correcting security feature behavior to preclude the incorrect marking of RWX pages under HVCI.
MS16-067 – Windows 8.1 and Server 2012 – Volume Manager Driver – Information Disclosure – IMPORTANT
One vulnerability is being patched in Volume Manager Driver for the following Windows operating systems: Windows 8.1 (all versions), Windows RT 8.1, Windows 10, and Windows Server 2012 (all versions) including server core only installs. The vulnerability could allow information disclosure if a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user.
As of May 10, according to Microsoft, the details of the security feature bypass vulnerability have not been disclosed publicly nor has exploit code been potentially identified.
Notes from Microsoft on MS16-067: An information disclosure vulnerability exists in Microsoft Windows when a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user. An attacker who successfully exploited this vulnerability could obtain access to file and directory information on the mounting user’s USB disk. This update addresses the vulnerability by ensuring that access to USB disks over RDP is correctly enforced to prevent non-mounting session access.
Adobe security patches – Adobe Reader/Acrobat and Flash
A security update for Adobe Reader was released on May 5. Approximately seventy-seven vulnerabilities were patched in Adobe Acrobat and Reader. As of this time, active exploits had yet to be identified for any of the vulnerabilities. See the following URL for version numbers – https://helpx.adobe.com/security/products/acrobat/apsb16-14.html
A security update (from Adobe) is due to be released for Adobe Flash on May 12. The update includes patches for 25 vulnerabilities, at least one of which is currently being exploited. Details are available at the following URL –
https://helpx.adobe.com/security/products/flash-player/apsa16-02.html
As at least one of the vulnerabilities is being exploited, the patch should be applied as soon as possible.