Microsoft Patch Tuesday October 2018
Welcome back to this month’s Patch Tuesday. Microsoft has patched 49 vulnerabilities this month, including several that had details disclosed prior to patching, and one “zero-day” vulnerability in Windows that was actively being exploited was also patched. 12 of the vulnerabilities were rated as Critical. The bulk of the vulnerabilities focus on web browsers and Office. Notably, Adobe Flash Player did not receive a fix this month.

Internet Explorer and Edge
As usual, Internet Explorer and Edge received a considerable number of fixes. Two notable fixes were for CVE-2018-8473 and CVE-2018-8460, for Edge and Internet Explorer respectively. Both vulnerabilities allow remote code execution within the security context of the current user. Once again, this serves as a reminder to exercise the principle of least privilege.

Kernel
The Windows Kernel received two fixes this month, with impacts of Information Disclosure and Elevation of Privilege. An attacker exploiting these vulnerabilities would gain system-level privileges, allowing them to take full control of the affected system. Typically, these attacks would have to be carried out by a local attacker, or someone with credentialed access. However, an attacker exploiting a remote code execution vulnerability may be able to chain these vulnerabilities with it to further compromise the system.

Office
Office received fixes for nine vulnerabilities this month. A few of them, CVE-2018-8504, CVE-2018-8502, and CVE-2018-8501, allowed for remote code execution that would give the attacker full control over the system. The vulnerabilities reside in the handling of objects in memory, where an application parsing the maliciously crafted content would enter a vulnerable state and allow attackers to execute their code.

Windows
One notable vulnerability fixed this month for Windows itself was CVE-2018-8453, which was being actively exploited by the cyber-espionage group known as FruityArmor. The group has previously used other zero-day exploits for Windows Graphics, and Adobe Flash Player. The group has deployed exploits of this vulnerability primarily in the Middle East. This vulnerability allowed for elevation of privilege from the win32k component, which allowed an attacker that had already gained a foothold on a system to gain full control of the system.


Microsoft Patch Tuesday September 2018

Welcome back to this month’s Patch Tuesday. Microsoft has patched 61 vulnerabilities this month, including several that had details disclosed prior to patching, and one “zero-day” vulnerability in Windows that was actively being exploited was also patched. The bulk of the vulnerabilities focus on web browsers. Also of note, this was the first month that Windows Server 2008 systems switched to the rollup update model, like the rest of their Windows OS cousins.

Internet Explorer and Edge

Microsoft’s browsers received a host of fixes this month. For Internet Explorer, three vulnerabilities were rated as Critical. For Edge, eight vulnerabilities were rated as Critical. Attackers may be able to execute arbitrary code by luring a victim to a website hosting maliciously crafted content. Attackers would gain the same user rights as the current user.

Kernel

An active zero-day vulnerability, CVE-2018-8440, was patched this month. The vulnerability stems from the way that Windows handles Advanced Local Procedure Calls (ALPC). An attacker could run a specially crafted application to take over an affected system, allowing them to elevate their privileges from a less-privileged account. Since this vulnerability is actively being exploited in the wild, administrators are urged to update as soon as possible.

Office

Office received fixes for eight vulnerabilities this month. One of them, CVE-2018-8332, allowed for remote code execution that would give the attacker full control over the system. The vulnerability resides in the embedded font library, where an application parsing the maliciously crafted font would enter a vulnerable state and allow attackers to execute their code. Microsoft has rated this vulnerability as Critical.

Adobe Flash Player

A single Adobe Flash Player vulnerability was fixed this month. Microsoft rates the vulnerability as Critical, whereas Adobe rates the vulnerability as Important. The vulnerability allows for information disclosure, exposing memory contents that could potentially be sensitive or leveraged by an attacker in a further attack.

.NET Framework

Microsoft’s .NET Framework also received many fixes this month. One of the vulnerabilities was rated as Critical. Attackers leveraging this vulnerability would be able to remotely execute arbitrary code with rights equal to those of the current user. This is a reminder once again to exercise the principle of least privilege in order to protect ourselves from these kinds of attacks.


Microsoft Patch Tuesday August 2018

This month’s Patch Tuesday brings with it a total of 60 security patches covering various products such as Internet Explorer, Edge, ChakraCore, Windows components, .NET Framework, SQL Server, Exchange Server, and Microsoft Office. Of these 60 vulnerabilities, 20 are listed as Critical, 38 are rated Important, one is rated as Moderate, and one is rated as Low severity. At the time of this release, two vulnerabilities (CVE-2018-8373 and CVE-2018-8414) had already been publicly disclosed and are actively being exploited in the wild.

Internet Explorer
IE is patched for five vulnerabilities this month, including the aforementioned vulnerability that is being actively exploited. The majority of these vulnerabilities are caused by memory corruption issues which can lead to remote code execution. An attacker can leverage these by enticing a victim to browse to a specially crafted webpage.

Edge
Two critical memory corruption issues were patched this month within the Edge browser, along with four important and one low severity vulnerabilities. The worst of these (the critical-rated issues) are similar to those affecting IE in that they require a victim to browse to specially crafted webpages.

Chakra Engine
The Chakra Scripting Engine contains five critical vulnerabilities along with one important rated memory corruption vulnerability. The worst of these can lead to remote code execution and can also be leveraged through a specially crafted website, in addition to embedding an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the browser rendering engine.

Windows components
Various Windows components are patched this month which include Windows Shell, Graphics, GDI+, Diagnostic Hub, Device Guard, Cortana, Windows Installer, ADFS, Windows Kernel, Windows NDIS, Microsoft COM, DirectX Graphics, LNK, and Win32k. Of these components the one to be most concerned about is Windows Shell and specifically CVE-2018-8414. As previously mentioned, this vulnerability is also being actively exploited.

.NET Framework
The .NET Framework is patched for only one important-rated vulnerability this month. This vulnerability can lead to information disclosure and can occur when .NET Framework is used under high-load/high-density network connections, where content from one stream can blend into another stream.

SQL Server
A critical vulnerability has been patched in SQL Server which is caused by a classic buffer overflow. An attacker could leverage this by sending a specially crafted query to the affected server which can lead to code execution in the context of the service account. Extra attention should be applied to this considering the amount of damage an attacker could cause when exploiting this vulnerability.

Exchange Server
Two vulnerabilities are patched within Exchange Server, one critical and one important rated. The critical vulnerability is caused by Exchange failing to properly handle objects in memory which can lead to remote code execution in the context of the System user. Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

Microsoft Office
Office is patched for five important-rated vulnerabilities which can lead to elevation of privilege and information disclosure. Exploitation of these vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software.


Microsoft Patch Tuesday July 2018

Welcome back to this month’s Patch Tuesday. Microsoft has patched 53 vulnerabilities this month, with 17 rated critical and 34 rated important. The majority of the critical vulnerabilities reside in Microsoft’s Chakra engine, which parses JScript. The Chakra engine is a core component of Microsoft’s web browsers.

Internet Explorer and Edge
Microsoft’s browsers received a host of critical fixes this month. Four vulnerabilities in the Chakra engine could lead to remote code execution when parsing malicious JScript content. Microsoft has indicated that these vulnerabilities are likely to be targeted for exploitation in the wild, and they are a priority to patch on workstation systems.

Kernel
As usual, the Windows kernel itself received a number of fixes. The vulnerabilities had an impact of information disclosure that could lead to elevation of privilege. These vulnerabilities revolved around the mishandling of objects in memory.

Windows DNS
Unlike last month’s wormable remote code execution bug in Windows DNS server’s DNSAPI, this vulnerability only causes Denial of Service by sending a malformed DNS response. This can still have a devastating impact on a network infrastructure and should be taken seriously. Microsoft rates this vulnerability as important, with exploitation less likely.

Office
Office received the usual amount of attention it gets every Patch Tuesday. None of the Office vulnerabilities were rated as critical. Attackers leveraging these vulnerabilities would be able to remotely execute code with privileges equal to those of the current user, obtain sensitive information on the system, and elevate privileges. Be sure to verify the source of Office files before opening them to help protect against these kinds of vulnerabilities.

Adobe Flash Player
Adobe Flash Player received two fixes this month. One was an out-of-bounds read that discloses potentially sensitive information to an attacker, and the other was a type confusion bug that allowed for arbitrary code execution. The two vulnerabilities are rated Important and Critical, respectively. Neither of these vulnerabilities are actively being exploited in the wild.

.NET Framework
Microsoft’s .NET Framework has not received an update since May, so it was due. The framework received fixes for multiple vulnerabilities. These vulnerabilities would allow an attacker to gain elevated privileges, execute code remotely, and bypass security features. Microsoft rates these vulnerabilities as important.


Microsoft Patch Tuesday June 2018

Welcome back to this month’s Microsoft Patch Tuesday. Microsoft has patched 50 vulnerabilities this month, with almost a quarter of the vulnerabilities being rated as critical. The majority of the critical vulnerabilities reside in Microsoft’s browsers. Only one vulnerability, CVE-2018-8267, was disclosed prior to this month’s patch cycle.

Internet Explorer and Edge

Microsoft’s browsers received a host of critical fixes this month. As mentioned before, one vulnerability for Internet Explorer was disclosed prior to patching. Microsoft has indicated that this vulnerability is likely to be targeted by hackers in the wild. However, there are no known exploits for any of the fixed vulnerabilities at this time.

Kernel

Windows Kernel returns to Patch Tuesday with a round of fixes. The vulnerabilities had impacts of information disclosure or elevation of privilege. These vulnerabilities revolved around the mishandling of objects in memory.

Windows DNS

One of the more interesting vulnerabilities patched this month was CVE-2018-8225. An attacker would only have to send a crafted response to a target server in order to execute code with system level privileges. Because this vulnerability is easily scriptable for attackers, and grants system level access to vulnerable systems, which may potentially be critical infrastructure, the vulnerability has a high degree of likelihood for exploitation. Users should patch their systems immediately.

Office

Office also received the usual round of fixes. None of the vulnerabilities in Office were rated critical. Attackers leveraging these vulnerabilities would be able to remotely execute code with privileges equal to that of the current user, obtain sensitive information on the system, and elevate privileges. Be sure to verify the source of Office files before opening them to help protect against these kinds of vulnerabilities.

Adobe Flash Player

Adobe Flash Player received four fixes for vulnerabilities this month. This update was actually published on June 7th, as the vulnerabilities were actively being exploited in the wild. An attacker exploiting these vulnerabilities would be able to execute arbitrary code and gain access to information on the system. Since these vulnerabilities are actively being exploited, users should update their systems as soon as possible.


Microsoft Patch Tuesday May 2018
Welcome back to this month’s Microsoft Patch Tuesday. Microsoft has patched 67 vulnerabilities in total, 21 of them Critical, including one flaw that is actively being exploited in the wild. The Windows scripting engine was being exploited to execute code remotely on the system in the security context of the current user. This vulnerability was not publicly disclosed prior to patching.

Internet Explorer and Edge

Microsoft’s browsers received their usual amount of attention in this month’s round of patches. Of the vulnerabilities for the browsers, 18 of them were marked as Critical. Microsoft also has indicated that the vulnerabilities are likely to be targeted for exploitation. None of these vulnerabilities have been known to be exploited in the wild.

Kernel

Windows Kernel returns to Patch Tuesday with a round of fixes. None of the vulnerabilities in Windows Kernel were rated as Critical. However, one vulnerability in the kernel was being exploited to elevate the privileges of a user. Attackers exploiting these vulnerabilities may be able to glean information leaked from objects in memory being mishandled, as well as elevate their privileges.

Office

Office also received the usual round of fixes. None of the vulnerabilities in Office were rated Critical. Attackers leveraging these vulnerabilities would be able to remotely execute code with privileges equal to those of the current user. Exercising the principle of least privilege will help protect against these types of vulnerabilities.

Adobe Flash Player

Adobe Flash Player received a fix for a Critical vulnerability. The vulnerability allowed for attackers to remotely execute code on the affected system. The attacker would have privileges equal to that of the affected application.

.NET Framework

Microsoft’s .NET Framework received a host of fixes. None of the patched vulnerabilities were rated Critical. An attacker leveraging these vulnerabilities could cause Denial of Service conditions, and bypass security features.

Scripting Engine

Microsoft’s Scripting Engine contained a vulnerability that was actively being exploited. The VBScript Engine contained a remote code execution vulnerability that had not been disclosed prior to being patched. A user needs only visit a malicious website to have the attacker’s code be executed on their machine. Microsoft rated this vulnerability as Critical. Other vulnerabilities fixed in the engine resulted in Denial of Service and Information leaks.


Microsoft Patch Tuesday April 2018
Welcome back to April’s Microsoft Patch Tuesday. This month’s release patches many Critical-rated vulnerabilities in Internet Explorer, Graphics, Adobe Flash Player, and Edge. The rest of the updates are Important and lower in severity, covering protocols such as SNMP and RDP, and products such as the Jet Database Engine. Other usual suspects like Office and Adobe Flash Player received fixes as well. In total, 66 security issues have been addressed, 22 of them Critical. Details about CVE-2018-1034, an elevation of privilege vulnerability in Microsoft SharePoint, became public before a patch was available. However, there is no record of an active exploit for the vulnerability.

Kernel

The Windows Kernel received multiple fixes for Information Disclosure vulnerabilities. These vulnerabilities leak the contents and addresses in memory that could lead to an ASLR bypass. An attacker would have to log on to an affected system and run a specially crafted application. The vulnerabilities are rated ‘Important’ by Microsoft.

SNMP Service

Windows SNMP has received a fix for a vulnerability that existed when handling malformed SNMP traps. An attacker exploiting this vulnerability could cause a Denial of Service on the target system. An attacker would not be able to execute code or elevate privileges.

Graphics

Embedded Graphics components in Windows contained a vulnerability where processing maliciously crafted embedded fonts would lead to remote code execution. To exploit the vulnerability an attacker would have to somehow convince the victim to view content containing the maliciously crafted font. Microsoft rates this vulnerability as ‘Critical’.

Jet Database

The Microsoft JET Database Engine contained a Buffer Overflow that would allow for Remote Code Execution. The code would be executed with administrative privilege, allowing for an attacker to install programs, access data, or create new user accounts with full privileges. To exploit the vulnerability, an attacker would view a specially crafted Excel file while using an affected version of Microsoft Windows. The attacker could also lure a victim into opening the Excel file from email via standard phishing techniques.

RDP

RDP contained a Denial of Service vulnerability when processing maliciously crafted requests. Exploiting the vulnerability would render the RDP service on the target system unresponsive. To exploit this vulnerability, an attacker needs to run a specially crafted application against a server which provides RDP services. Microsoft rates this vulnerability as Important.

Office

Office contained 13 fixes this month. These fixes were rated ‘Important’ in severity, with impacts including Remote Code Execution, Spoofing, and Information Disclosure. CVE-2018-1034 had details about the vulnerability disclosed prior to the patch being available. There are no known exploits for the vulnerability in the wild, and Microsoft deems exploitation ‘unlikely’.

Edge and Internet Explorer

Internet Explorer received fixes for two ‘Critical’ vulnerabilities, CVE-2018-1020 and CVE-2018-1018. These vulnerabilities both have the same impact, allowing an attacker to exploit improper memory management to execute code remotely. The executed code would have the same security context as Internet Explorer. Edge and Internet Explorer also received Important security updates that allowed for information disclosure to a remote attacker.

Adobe Flash Player

Adobe Flash Player was host to its usual round of fixes. In total, 6 vulnerabilities in Flash Player were patched. Half of these vulnerabilities were rated as ‘Critical’, and the other half as ‘Important’. These vulnerabilities have impacts of Remote Code Execution, and Information Disclosure, respectively. Adobe has reported that there are no known exploits active for these vulnerabilities.


Microsoft Patch Tuesday March 2018

Welcome back to the March 2018 Patch Tuesday. Microsoft has released updates for the usual suspects of software, and Adobe has issued fixes as well. None of these vulnerabilities have been reported to be exploited in the wild, but vulnerabilities from Exchange Server and ASP.NET Core 2.0 (CVE-2018-0940 and CVE-2018-0808 respectively) had been disclosed before these patches were available.

Kernel

The Windows Kernel has received a handful of fixes. The vulnerabilities that these fixes patch allow for a successful exploit to elevate an attacker’s privileges on a system and disclose sensitive information that could further compromise an affected system. The vulnerabilities revolve around object memory mismanagement at the kernel level. Microsoft rates these vulnerabilities as “Important.”

Hyper-V

Microsoft’s native hypervisor has received an update for x64-based systems. The vulnerability would have allowed a user on a guest operating system to gain information on the host. A real-world example of this would be a cloud VM user using their VM maliciously to gain information on the cloud server itself, possibly compromising another user’s information. Additionally, a guest operating system could cause denial-of-service conditions by running a malicious application on the guest system, resulting in the host system crashing. Microsoft rates these vulnerabilities as “Important”.

Remote Assistance Tool

An Information Disclosure vulnerability was patched for Microsoft’s Remote Assistance tool. The vulnerability revolved around the incorrect parsing of XML External Entities (XXE), which could be leveraged to obtain sensitive information. An attacker would have to convince the victim to accept a specially crafted Remote Assistance file. This vulnerability is particularly interesting since it stems from remote assistance files, which are intended to help typically less-savvy users, making them precisely the right target for social engineering. Microsoft rates this vulnerability as “Important”.

Office

Office was host to a dizzying number of fixes this month. In total, 18 vulnerabilities across a myriad of products were fixed. The impacts of these vulnerabilities included remote code execution, information leaks, spoofing, and denial of service. The Exchange Server vulnerability that was publicly disclosed prior to patching was a result of failing to properly sanitize links presented to users, allowing fake login pages to be presented that would attempt to trick users into disclosing valid logins. Microsoft rates these vulnerabilities as “Important”.

Edge and Internet Explorer

Edge and Internet Explorer contained all this month’s Critical rated vulnerabilities. The two Critical vulnerabilities, CVE-2018-0889 and CVE-2018-0932, had the impacts of remote code execution and information disclosure respectively. Both vulnerabilities resulted from object memory mishandling. An attacker attempting to exploit these vulnerabilities would have to host maliciously crafted content on a web server, and convince the victim to visit that server via phishing or social engineering.

Adobe Flash Player

As usual, Adobe Flash Player lives on in infamy with bugs needing to be fixed. The latest round fixes two Remote Code Execution vulnerabilities that Adobe rates as Critical. The vulnerabilities result from a Use-After-Free object memory error and a Type-Confusion error. Adobe plans on retiring Flash Player in 2020, but it is advisable to simply remove the software from a system if the system does not require it.


Microsoft Patch Tuesday February 2018

Welcome back to the February 2018 Patch Tuesday. Microsoft has released patches for the Windows Kernel, StructuredQuery, and a host of the usual suspects. In all, there are fixes for 55 known vulnerabilities in this month’s update. Many of the vulnerabilities fixed have a ‘Critical’ security rating, including the Adobe Flash Security Update which fixes a vulnerability that was exploited in the wild. One vulnerability (CVE-2018-0771) was publicly disclosed prior to patching, but it is only rated at a moderate severity.

Kernel

The Windows Kernel has received a handful of fixes. The vulnerabilities that these fixes patch allow for a successful exploit to elevate an attacker’s privileges on a system and disclose sensitive information that could further compromise an affected system. The vulnerabilities revolve around object memory mismanagement at the kernel level. Microsoft rates these vulnerabilities as “Important.”

Scripting Engine

The Scripting Engine has 11 Critical vulnerabilities and 1 Important vulnerability patched this month. The engine is responsible for some object memory management in Microsoft Edge. When that engine mismanages maliciously crafted content, the Edge browser could be leveraged to execute an attacker’s code remotely. None of these vulnerabilities were known to be exploited or disclosed before the patch was made available.

Office

Office makes its regular Patch Tuesday appearance. This month Outlook contains a Critical remote code execution vulnerability. An attacker would exploit this vulnerability by convincing the user to open a maliciously crafted attachment in an affected version of Microsoft Outlook; once it is opened, the attacker’s code would be executed. Excel also has a remote code execution vulnerability, but it is only rated as Important. The code would have the same security context as Outlook or Excel, giving us a gentle reminder to exercise the principle of least privilege.

Edge and Internet Explorer

Microsoft’s browsers make their usual appearance, but this time with some interesting flair. One vulnerability for Edge was disclosed prior to patching that would allow security features in the browser to be bypassed by attackers. To Microsoft’s knowledge, there have been no exploits of this vulnerability in the wild. Both Edge and Internet Explorer contain Information Disclosure vulnerabilities that would give an attacker access to potentially sensitive information on the system. One of these information disclosure vulnerabilities was rated as Critical by Microsoft; the rest are rated as Important.

Adobe Flash Player

Adobe has released a fix for a Remote Code Execution vulnerability that was being exploited in the wild. The attack is being used in limited, targeted attacks against Windows users. The attacks are known to leverage Office documents with embedded malicious Flash content that are distributed via email. Microsoft rates this vulnerability as Critical, and users should be advised to apply the patch as soon as possible.


Microsoft Patch Tuesday January 2018

Happy new year! While most of the world gets back on its feet from the eggnog induced holiday stupor, the world of cybersecurity spins on. Microsoft has released patches for some particularly interesting and popular vulnerabilities this month, which go by the name of ‘Meltdown’ and ‘Spectre’. Both have been widely circulated in the media, and hopefully this post can clear up any misconceptions surrounding those vulnerabilities while also informing about the rest of the vulnerabilities from this Patch Tuesday.

Kernel

Windows Kernel received an update for the ‘Meltdown’ vulnerability. This vulnerability allows for an attacker to receive information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this vulnerability would be able to map the kernel’s exact memory location, the knowledge of which could eventually lead to an elevation of privilege or complete system compromise. Microsoft rates the two vulnerabilities patched in the Kernel as Important.

SMB Server

Windows SMB Server received an update for a vulnerability that could allow a local attacker to elevate their privileges. An attacker would have to log onto the system and then run a malicious application to take control of the system. The update addresses the vulnerability by correcting how the SMB Server handles these files.

Adobe Type Manager Font Driver

Separate from the Adobe patch this month, there was also a patch for the Adobe Type Manager Font Driver, known as ATMFD.dll on Windows systems. The driver could fail to properly handle objects in memory, which would cause it to disclose potentially sensitive information. This vulnerability could not be used to elevate privileges or execute code directly, but could be used to further compromise an affected system. Microsoft rates this vulnerability as Important.

Windows GDI

Windows GDI contained a win32k information disclosure vulnerability that would leak kernel memory addresses. An attacker who successfully exploited the vulnerability could obtain information as to the kernel memory layout, and bypass the Kernel Address Space Layout Randomization similar to the ‘Meltdown’ vulnerability. This information does not allow a user to elevate privileges or execute code directly, but could be leveraged to further compromise an affected system. Microsoft rates this vulnerability as Important.

Microsoft Color Management

The Color Management Module (ICM32.dll) received a fix for an information disclosure vulnerability. When mishandling objects in memory, the module could expose information that could be leveraged to bypass user-mode Address Space Layout Randomization. The information could be used to further compromise an affected system, but could not be used directly to elevate privileges or execute code. An attacker attempting to exploit the vulnerability would have to conduct a ‘phishing’ attack by luring the victim to a maliciously crafted website, uploading malicious content to a frequently visited website, or sending a malicious email. Microsoft rates this vulnerability as Important.

Microsoft Edge / Internet Explorer

Microsoft’s web browsers received a fix for the ‘Spectre’ vulnerability this month. Microsoft released a special advisory (ADV180002) to inform customers about speculative execution side-channel vulnerabilities like ‘Spectre.’ The most significant part of these updates is that after applying the patches, there is a performance impact. Depending on the age of your device, the impact may not be noticeable. However, the impact varies by the hardware generation and implementation by the chip manufacturer. These speculative execution side-channel vulnerabilities can be used to read the content of memory across a hardware-level trusted boundary, and can therefore lead to information disclosure. The mitigations and fixes are aimed at preventing attackers from triggering the weakness in the CPU which could allow the contents of memory to be disclosed. Microsoft rates these vulnerabilities as Important.

Adobe Flash Player

Adobe Flash Player received a fix for an out-of-bounds read vulnerability. The vulnerability occurs due to a computation that reads data past the end of a target buffer, potentially granting the attacker information that may be sensitive. Microsoft rates this vulnerability as Important.

Microsoft Office

Office received a multitude of fixes for various products. In total, 17 separate vulnerabilities were addressed, the worst of which is rated Critical by Microsoft. An attacker exploiting these vulnerabilities would be able to remotely execute code by luring a victim to view malicious content via traditional web-attack and email vectors. Other vulnerabilities fixed in Office can lead to memory corruption, and a vulnerability in SharePoint could allow elevation of privilege by a local attacker.

.NET Framework

Microsoft’s .NET Framework underwent fixes for four vulnerabilities. These vulnerabilities allow for a Denial of Service attack, Elevation of Privilege, Cross Site Request Forgery, and Security Feature Bypass. The Denial of Service results when XML documents are maliciously crafted, resulting in an application crash. The ASP.NET core project templates could be abused by a local attacker to elevate their privileges. The ASP.NET core also allows attackers to conduct Cross Site Request Forgery, leading victims to malicious websites. The .NET core framework also mishandled certificate validation in specific cases, which could lead to an invalid certificate being marked valid.


Patch Tuesday December 2017

Welcome back to this month’s Microsoft Patch Tuesday. This Patch Tuesday was relatively lightweight, fixing a few issues with Windows systems. In total, 34 vulnerabilities in Windows and related software were addressed. The majority of the vulnerabilities reside in Microsoft’s web browsers, and the out-of-band update for Microsoft’s Malware Protection Engine is included in today’s patches as well.

Exchange

Exchange returns as a familiar face to be patched this round, with a vulnerability that allows an attacker to perform script or content injection attacks. Such attacks could trick the user into disclosing sensitive information. This attack could be used as a pivot to chain an attack with other vulnerabilities in web services. This vulnerability is rated as Important.

Office

The usual Office products require patching, hosting a handful of vulnerabilities. Excel received a fix for remote code execution, allowing an attacker to execute code in the security context of Excel. PowerPoint received a fix for an information disclosure vulnerability that could expose memory contents to an attacker, assisting them in further compromising an affected system. SharePoint received a fix for cross-site scripting, which would have allowed attackers to read content that they are not authorized to read, use the victim’s identity to take actions on the SharePoint site on behalf of the user, and inject malicious content into the user’s browser. These vulnerabilities are rated as Important.

Routing and Remote Access

Making an unusual appearance is Windows RRAS, with a vulnerability that exists when an RPC server has Routing and Remote Access enabled. An attacker leveraging this vulnerability would be able to execute code on the target system with full user rights. Routing and Remote Access is an elective configuration, so systems without it enabled are not vulnerable. This vulnerability is rated as Important.

Windows Protocol Handler

The Windows ‘its://’ protocol handler unnecessarily sends traffic to a remote site in order to determine the zone of a provided URL. This could potentially result in disclosing sensitive information to a malicious site. An attacker who tricked a user into using this protocol handler on a malicious site could use the disclosed NTLM hash to brute-force the password corresponding to that hash. This vulnerability is rated as Important.

Edge and Internet Explorer

As mentioned earlier, most of the patches from this Patch Tuesday are for Edge and Internet Explorer. These vulnerabilities reside in the browsers’ Microsoft Scripting Engine, where improper memory sanitization can be exploited. The attacker would be able to execute code in the security context of the affected web browser. Microsoft rates these vulnerabilities from Low to Critical.

Adobe Flash Player

As usual, Adobe has released fixes for Flash Player. The Adobe advisory describes the vulnerability as a ‘Business Logic Error’ where an unintended reset of a global settings preference file can occur. An attacker leveraging this vulnerability may be able to bypass elective security features. Adobe rates the vulnerability as Moderate, while Microsoft rates the vulnerability at Critical.


Microsoft Patch Tuesday – November 2017

Welcome back to this month’s Microsoft Patch Tuesday. This Patch Tuesday fixed many known issues with Windows systems. In total, 139 separate vulnerabilities were addressed in this month’s patch. Microsoft Edge and Internet Explorer contained the only ‘Critical’ rated vulnerabilities, for which there were 16 and 8 in total respectively.

Microsoft JET Database
This month’s patch fixed an issue where applications based on the Microsoft JET Database Engine would encounter an error when creating or opening Microsoft Excel .xls files. The error from this issue would read: “Unexpected error from external database driver (1). (Microsoft JET Database Engine)”. This vulnerability was rated as Important.

Font Engine
Microsoft has addressed an information disclosure vulnerability in the Windows Embedded OpenType Font Engine. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. While on its own this information cannot be used to elevate privileges or execute commands, it could be used on a compromised system to further compromise that system.

Windows Search
A denial of service vulnerability exists when Windows Search encounters an error handling objects in memory. An attacker who exploited this vulnerability could cause a remote denial of service on a system. To exploit the vulnerability, the attacker could send specially crafted messages to the Windows Search service, or through an unauthenticated SMB connection. Microsoft has rated this vulnerability as Important.

Internet Explorer 11 and Edge
Bearing the most critical vulnerabilities, IE11 and Edge contain vulnerabilities that allow for Information Disclosure and Remote Code Execution. An attacker would leverage vulnerabilities in the browser’s scripting engine to execute code with the context of the current user. An attacker would have to lure the victim to a malicious website, or take advantage of a compromised website.

Kernel
Patch Tuesday wouldn’t be the same without some Kernel fixes. An issue that allows for Information Disclosure due to improper memory initialization was patched for all Windows systems. An attacker would have to be authenticated and capable of running a specially crafted application to exploit this vulnerability. This vulnerability was rated as Important.

Microsoft Office
Microsoft Office comes bearing its usual host of vulnerabilities, the worst of which allows for Remote Code Execution. An attacker leveraging these vulnerabilities would be able to execute code with a security context equal to that of the current user. This is another reminder that we should all exercise the principle of least privilege when using applications. These vulnerabilities are rated Important.

Adobe Flash Player
Returning to Patch Tuesday after a one-month break due to a delay in patch availability, fixes to Adobe Flash Player are once again available. In total, five separate vulnerabilities were fixed. An attacker leveraging these vulnerabilities would be able to execute arbitrary code with the context of the affected application. Adobe has rated these vulnerabilities as Critical.


Microsoft Patch Tuesday – October 2017

Welcome back to this month’s Patch Tuesday. This month brings fixes to the usual suspects and one interesting product with trivial ease of exploit. Three critical Windows DNS client vulnerabilities were patched that allowed an attacker to send simple DNS queries with malicious code and gain arbitrary code execution. These vulnerabilities were privately disclosed and are not known to be exploited publicly. However, a vulnerability patched in Office was exploited in the wild.

DNS
This vulnerability is somewhat alarming, as an attacker would only need to be on the same local network or in a man-in-the-middle position to take over a Windows system acting as a DNS server. The vulnerability dates back to the introduction of DNSSEC in Windows starting with Windows 8 via the DNSAPI.dll library. NSEC3 resource records are parsed unsafely, which allows attackers to leverage the weakness and send their own malicious code with the DNS request. Microsoft rates this vulnerability as Critical, and advises that all admins patch immediately.
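As an added example (not Microsoft’s code, and not a reconstruction of the specific defect in DNSAPI.dll), the following C program parses the NSEC3 RDATA layout defined in RFC 5155 and checks every length field against the bytes remaining before using it. The same discipline is what prevents the class of out-of-bounds read described for Adobe Flash Player in the January 2018 section above: a crafted length byte that claims more data than the record contains is rejected instead of driving a read past the end of the buffer. The two sample records are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Parsed view of one NSEC3 RDATA (RFC 5155, section 3.2).
   Pointers refer into the caller's input buffer; nothing is copied. */
typedef struct {
    uint8_t        hash_alg;
    uint8_t        flags;
    uint16_t       iterations;
    uint8_t        salt_len;
    const uint8_t *salt;
    uint8_t        hash_len;
    const uint8_t *next_hashed;
    const uint8_t *type_bitmaps;
    size_t         type_bitmaps_len;
} nsec3_rdata;

/* Returns 0 if the record is well-formed, -1 if it is malformed.
   Every attacker-controlled length byte is compared with the bytes that
   actually remain (len - pos) before the parser advances past it. */
int parse_nsec3_rdata(const uint8_t *buf, size_t len, nsec3_rdata *out)
{
    size_t pos = 0;

    if (buf == NULL || out == NULL)
        return -1;

    /* Fixed header: alg(1) flags(1) iterations(2) salt_len(1). */
    if (len < 5)
        return -1;
    out->hash_alg   = buf[0];
    out->flags      = buf[1];
    out->iterations = (uint16_t)((buf[2] << 8) | buf[3]);
    out->salt_len   = buf[4];
    pos = 5;

    /* Salt: the length byte may claim more bytes than exist. */
    if (out->salt_len > len - pos)
        return -1;
    out->salt = buf + pos;
    pos += out->salt_len;

    /* Hash length byte, then the next hashed owner name. */
    if (len - pos < 1)
        return -1;
    out->hash_len = buf[pos++];
    if (out->hash_len > len - pos)
        return -1;
    out->next_hashed = buf + pos;
    pos += out->hash_len;

    /* Type bit maps: a sequence of (window, bitmap_len, bitmap) with
       bitmap_len in 1..32 (RFC 5155, section 3.2.1). */
    out->type_bitmaps     = buf + pos;
    out->type_bitmaps_len = len - pos;
    while (pos < len) {
        if (len - pos < 2)
            return -1;
        uint8_t bitmap_len = buf[pos + 1];
        if (bitmap_len < 1 || bitmap_len > 32)
            return -1;
        if (bitmap_len > len - pos - 2)
            return -1;
        pos += 2 + bitmap_len;
    }
    return 0;
}

/* Convenience wrapper: 1 if well-formed, 0 otherwise. */
int nsec3_is_wellformed(const uint8_t *buf, size_t len)
{
    nsec3_rdata r;
    return parse_nsec3_rdata(buf, len, &r) == 0;
}

/* Constructed sample: SHA-1, 10 iterations, 4-byte salt, 20-byte hash,
   one type-bitmap window with the A bit set. */
const uint8_t NSEC3_GOOD[] = {
    0x01, 0x00, 0x00, 0x0A, 0x04,
    0xAA, 0xBB, 0xCC, 0xDD,
    0x14,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
    0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13,
    0x00, 0x01, 0x40
};

/* Constructed sample: identical header, but the salt length byte (0xFF)
   claims far more bytes than the record carries. */
const uint8_t NSEC3_BAD[] = {
    0x01, 0x00, 0x00, 0x0A, 0xFF,
    0xAA, 0xBB, 0xCC, 0xDD
};

int main(void)
{
    printf("well-formed record: %s\n",
           nsec3_is_wellformed(NSEC3_GOOD, sizeof(NSEC3_GOOD)) ? "accepted" : "rejected");
    printf("truncated record:   %s\n",
           nsec3_is_wellformed(NSEC3_BAD, sizeof(NSEC3_BAD)) ? "accepted" : "rejected");
    return 0;
}
```

The point of the structure is that the parser never trusts a length byte on its own: `salt_len`, `hash_len` and each `bitmap_len` are compared with `len - pos` before the cursor moves, so a truncated or oversized record fails closed instead of being read past its end.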

Kernel
Returning as a routine face for Patch Tuesday, the Kernel comes bearing vulnerabilities that could allow attackers to gain information about the system. These vulnerabilities revolve around how objects in Kernel memory are (mis)handled. An attacker would have to log onto a system, or obtain code execution by other means such as the DNS vulnerability above, and then run a specially crafted application to gain this information. The information could then be used to bypass Kernel Address Space Layout Randomization (KASLR). These vulnerabilities are rated as Important by Microsoft.

Office
As usual, the vulnerabilities from malicious use of Microsoft Office rear their ugly heads. Attackers using maliciously crafted files would be able to obtain remote code execution if they lured a victim into opening the file. Always be sure to verify the identity of the sender of a file sent via email to protect yourself from these kinds of attacks. One vulnerability (CVE-2017-11826) in Microsoft Word was exploited in the wild. Yang Kang, Ding Maoyin and Song Shenlei of Qihoo 360 Core Security reported this vulnerability to Microsoft. Microsoft rates this vulnerability as Important, but since it has been exploited in the wild it is important that all users patch as soon as possible.

JET DB
A somewhat unfamiliar face on Patch Tuesday, Microsoft’s JET DB Engine contained two buffer overflows that could allow remote code execution on an affected system. These vulnerabilities have not been reported to be exploited in the wild. To exploit the vulnerabilities, an attacker would have to open or preview a maliciously crafted Excel file while using an affected version of Windows. Microsoft rates these vulnerabilities as Important.

Graphics
Graphics comes bearing two remote code execution vulnerabilities. These vulnerabilities stem from the use of maliciously crafted embedded fonts. Attackers exploiting these vulnerabilities could then install programs, or view, change or delete data. These vulnerabilities have not been reported to be exploited in the wild. Microsoft rates these vulnerabilities as Critical, and urges admins to patch as soon as possible.

SMB
Microsoft Server Message Block (SMB) has three fixes for vulnerabilities this month. One of these vulnerabilities is in SMBv1, the same protocol version that WannaCry exploited. Microsoft states that these vulnerabilities have not been exploited in the wild, but that exploitation of the SMBv1 vulnerability is likely. To exploit the vulnerability, an attacker would only have to send a specially crafted packet to a targeted SMBv1 server. The other two vulnerabilities allow for Denial of Service, and Information Disclosure to authenticated users. Microsoft rates these vulnerabilities as Important.

Shell
A vulnerability in Windows Shell that could be exploited via content viewed in Internet Explorer was patched. Microsoft has stated that while this vulnerability has not been exploited in the wild, exploitation of this vulnerability is more likely than usual. This is likely due to the ease of propagation of this exploit. An attacker would have to host a malicious website, or upload malicious content to a website that accepts or hosts user-provided content, and then lure a victim to the website. The attacker would gain rights equal to those of the current user, meaning victims that are logged in as an administrator would grant the attacker the ability to take full control of the system. Microsoft rates this vulnerability as Critical.


Microsoft Patch Tuesday – September 2017

Welcome back to this month’s Patch Tuesday. This month patches some usual suspects, with not much out of the ordinary. However, Microsoft did release a large number of fixes for those usual software and firmware suites. In total, over 85 separate vulnerabilities were fixed, if we include the Adobe fixes.

Windows Kernel

The Windows Kernel makes its usual appearance, with four vulnerabilities that need patching. All of these vulnerabilities revolve around the way that objects are handled in Kernel memory. Successful exploitation of these vulnerabilities would lead to information disclosure that by itself would not compromise a system, but would assist an attacker seeking to further compromise an already affected system. These vulnerabilities are all rated as Important by Microsoft.

Office

After a few months of relatively quiet fixes for Office, the software suite is back bearing many new vulnerabilities to be fixed. Researchers from organizations such as Google, McAfee, Offensive Security, MSRC, and Cerberus Security reported so many vulnerabilities that Microsoft released 54 Knowledge Base articles to address them all. If exploited, attackers would be able to cause a denial of service and execute code remotely with privileges equal to those of the current user. The most severe of these vulnerabilities are rated Critical.

Internet Explorer and Edge

As usual, Microsoft’s browsers need patches for a few vulnerabilities. These vulnerabilities range in severity from Critical to Important. Exploiting these vulnerabilities would allow an attacker to execute arbitrary code in the context of the current user. This is yet another reminder that we should exercise the principle of least privilege while browsing the web.

.NET

This month .NET was host to a large number of fixes. Microsoft issued ten Knowledge Base articles for the various fixes to vulnerabilities in .NET. Attackers leveraging these vulnerabilities would be able to cause a denial of service and execute code remotely with privileges equal to those of the current user. The most severe of these vulnerabilities are rated Critical.

Adobe Flash Player

Adobe Flash Player returns with two vulnerabilities. These updates address two critical memory corruption vulnerabilities that could lead to code execution. These vulnerabilities are rated Critical by Microsoft.

Exchange

Exchange requires patching for vulnerabilities this month. An attacker who exploited these vulnerabilities would be able to elevate their privileges or commit spoofing attacks. Typical attack vectors would include social engineering and email containing malicious links. Microsoft rates these vulnerabilities as Important.


Microsoft Patch Tuesday – August 2017

It’s that time for Microsoft Patch Tuesday August 2017. This month patches some usual suspects, with only a few out of the ordinary products and services receiving fixes. Examples of those products and services would be NetBIOS, Windows CLFS, and the JET DB Engine.

Windows Kernel

The Windows Kernel has been patched for multiple Information Disclosure vulnerabilities. While these vulnerabilities themselves do not compromise the victim system, they do provide information that could aid an attacker’s ongoing compromise of a system. As usual, the vulnerabilities revolve around improper initialization of objects in kernel memory. Microsoft has rated these vulnerabilities as Important.

Office

Office was unusually quiet this month, bearing only an update for Sharepoint 2010. Sharepoint had a vulnerability that could allow an attacker to conduct cross-site scripting (XSS) attacks on affected systems and run script in the security context of the current user.

Internet Explorer and Edge

Microsoft’s web browsers bear vulnerabilities very similar to last month’s, hosting multiple memory corruption vulnerabilities in JavaScript. An attacker who exploited these vulnerabilities by luring the user to view malicious content would be able to remotely execute commands on the victim’s system, view memory contents, and create user accounts with privileges equal to those of the victim user. Microsoft rates the most severe of these vulnerabilities as Critical.

Adobe Flash Player

Adobe Flash Player returns with two vulnerabilities. These updates address a critical type confusion vulnerability that could lead to code execution and an important security bypass vulnerability that could lead to information disclosure. These vulnerabilities are rated Critical by Microsoft.

SQL Server

Microsoft’s SQL Server comes bearing vulnerabilities across its version spectrum. The vulnerability pertains to information disclosed when the Server Analysis Services improperly enforces permissions. An attacker could exploit the vulnerability if the attacker’s credentials allow access to an affected SQL server database. Microsoft rates this vulnerability as Important.

Windows Search

Windows Search returns bearing a vulnerability that revolves around improper handling of memory objects. An attacker who successfully exploits this vulnerability could take control of the affected system. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability by sending a malicious message through the SMB connection and then take control of a target computer. Microsoft rates this vulnerability as Critical.

NetBIOS

While Denial of Service is typically a lame form of vulnerability, being able to trigger one from a single malicious packet is worthy of attention. An attacker who successfully exploited this vulnerability could cause a target computer to become completely unresponsive. Microsoft rates this vulnerability as Important.

Windows CLFS

The Windows Common Log File System (CLFS) makes an unusual appearance, with a local vulnerability that allows for elevation of privilege. The vulnerability revolves around improper memory object handling, in which an attacker running a specially crafted application could elevate their privileges. Microsoft rates this vulnerability as Important.

JET DB Engine

The Microsoft JET Database Engine steps into the spotlight with a vulnerability that allows for remote code execution with elevated privilege. An attacker exploiting this vulnerability could take complete control of the target system. Exploitation requires that a user open a maliciously crafted database file while using an affected version of Windows. Microsoft rates this vulnerability as Critical.

Express Fonts

Express Compressed Fonts, otherwise known as embedded fonts, come bearing a vulnerability that could allow for remote code execution with privileges equal to those of the current user. An attacker has multiple potential vectors through which to exploit this vulnerability. They could lure a victim to a website that is hosting the maliciously crafted font, or share a file that uses the embedded font to trigger the vulnerability when the user attempts to view its contents. Microsoft rates this vulnerability as Important.

Volume Manager

Have you heard about the vulnerability in the volume manager? Perhaps you need to turn it up! The Volume Manager Extension Driver component improperly provides kernel information when leveraged by a malicious application. An attacker exploiting this vulnerability could gain information that would be useful in further compromising a system. Microsoft rates this noisy vulnerability as Important.

Error Reporting

Evidently, the line “I’d like to report an error in the error report” is not foreign to Microsoft’s ears. Windows Error Reporting (WER) bears a vulnerability that could allow a local attacker to gain elevated privileges on an affected system. To exploit the vulnerability, an attacker would need to run a specially crafted application that leverages the reporting system flaw. Microsoft rates this vulnerability as Important.


Patch Tuesday July 2017

July’s Patch Tuesday resolves 54 vulnerabilities with 19 rated “Critical”, 32 rated “Important” and 3 rated “Moderate”. Aside from the typical IE, Edge, and Office vulnerabilities, a new product makes its way into the Patch Tuesday scene: HoloLens, Microsoft’s “mixed-reality smartglasses.”

Windows Search

Windows Search is returning for its second Patch Tuesday in a row, as it appears with a vulnerability that could allow for elevation of privilege. The vulnerability revolves around corruption of memory objects when Windows Search is supplied with malicious input. An attacker who successfully exploited the vulnerability could potentially be able to install programs, view, change or delete user data, or create user accounts with full privileges. This vulnerability has been rated Critical by Microsoft.

Windows Kernel

The Windows Kernel has been patched for multiple Information Disclosure vulnerabilities. While these vulnerabilities themselves do not compromise the victim system, they do provide information that could aid an attacker’s ongoing compromise of a system. As usual, the vulnerabilities revolve around improper initialization of objects in kernel memory. Microsoft has rated these vulnerabilities as Important.

Office

This time Office was not quite as teeming as it usually is, but it did come bearing vulnerabilities to be patched. These vulnerabilities could allow for an attacker to execute code remotely on the victim’s system with privileges equal to that of the victim user. This serves as a persistent reminder to be cautious about opening documents from untrusted sources. Microsoft rates these vulnerabilities as Important.

Internet Explorer and Edge

Microsoft’s web browsers make their usual appearance, hosting multiple memory corruption vulnerabilities in JavaScript. An attacker who exploited these vulnerabilities by luring the user to view malicious content would be able to remotely execute commands on the victim’s system, view memory contents, and create user accounts with privileges equal to those of the victim user. Microsoft rates the most severe of these vulnerabilities as Critical.

.NET Framework

Returning to the spotlight, .NET comes bearing a vulnerability that allows for remote code execution. When parsing a maliciously crafted embedded font, the Windows font library would mishandle the font and allow for an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. Additionally, the .NET Framework would fail to properly validate input before loading a library, allowing an attacker to take control of an affected system. Microsoft has rated the first vulnerability as Critical, and the second as Important.

Microsoft Exchange Server

Exchange comes this Patch Tuesday bearing three vulnerabilities. The first two vulnerabilities allow for cross-site scripting in Outlook Web Access when it fails to properly handle web requests. The third allows an attacker to spoof a legitimate site, which would make it easier for the attacker to trick the user into entering sensitive information, including credentials, into the fake website. These updates are rated as Important and Moderate respectively.

Adobe Flash Player

Adobe Flash Player returns with three vulnerabilities. These vulnerabilities have an impact of allowing for a remote attacker to be able to execute code remotely, read memory addresses, and obtain system information. These vulnerabilities are rated Critical by Microsoft.

Microsoft Hololens

Everyone loves their flashy new VR headsets, right? Well, Microsoft is releasing a patch for a previously publicly known vulnerability in the HoloLens that had not yet been exploited. An attacker could send a specially crafted Wi-Fi packet that causes code to be executed remotely. This vulnerability requires no authentication at all, and would afford the attacker system privileges. Microsoft rates this vulnerability as Critical.

Windows Explorer

Windows Explorer might not seem like the most obvious attack vector, but it has come bearing a vulnerability that could be exploited via social engineering. An attacker could attempt to lure a victim into unintentionally opening a malicious executable that would allow for remote code execution. The code would execute with the same privileges as the user, so less privileged users would be less affected by this vulnerability. Microsoft has rated this vulnerability as Important.


Patch Tuesday June 2017

Microsoft Patch Tuesday June 2017 addresses 96 unique vulnerabilities within Microsoft Windows, Office, Skype, Internet Explorer, and the Edge browser. Of these vulnerabilities, 18 are rated Critical, 76 Important, one Moderate, and one Low severity. In addition, unsupported OSes received patches due to heightened risk of exploitation, making this Patch Tuesday particularly interesting.

Silverlight

Silverlight makes a return this Patch Tuesday, with a vulnerability that allows for remote code execution if a user visits a compromised website. The vulnerability revolves around how the Uniscribe component handles objects in memory, and an attacker who successfully exploits the vulnerability could potentially install programs; view, change or delete user data; or create user accounts with full privileges. This vulnerability is rated Critical by Microsoft.

Windows Search

Windows Search is an unusual face on Patch Tuesday, as it appears with a vulnerability that could allow for information disclosure or remote code execution. The vulnerability deals with the corruption of memory objects when Windows Search is supplied with malicious input. An attacker who successfully exploits it could potentially install programs; view, change or delete user data; or create user accounts with privileges equal to those of the victim user. This vulnerability is rated Critical by Microsoft.

Windows Kernel

The Windows Kernel was patched for multiple Information Disclosure vulnerabilities. While these vulnerabilities themselves do not compromise the victim system, they do provide information that could aid an attacker’s ongoing compromise of a system. As usual, the vulnerabilities involve improper initialization of objects in kernel memory. Microsoft rated these vulnerabilities as Important.
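The Kernel paragraphs of the November 2017, October 2017, August 2017, July 2017 and June 2017 sections all describe the same class of bug: a kernel object is assembled in memory that was never cleared, and when it is copied out to user mode, the bytes that no field explicitly wrote (structure padding, unused fields) still carry whatever that memory held before, which is the kind of leak that hands an attacker kernel pointers and defeats KASLR. The following C program, added here as an illustration and not taken from Windows or from Microsoft, simulates that in user space: a scratch area stands in for a kernel stack frame that previously held a constructed secret pattern, and a record with padding is built in it both without and with zeroing first.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A record with a one-byte field followed by an 8-byte field: on common
   ABIs the compiler inserts padding after `kind` so that `value` is aligned. */
typedef struct {
    uint8_t  kind;
    uint64_t value;
} record_t;

/* Scratch memory standing in for a kernel stack frame. The union keeps it
   correctly aligned for record_t while still letting us inspect raw bytes. */
static union {
    record_t r;
    uint8_t  bytes[sizeof(record_t)];
} scratch;

#define STALE_BYTE 0x41  /* constructed "secret" left behind by earlier use */

/* Simulate prior activity that left sensitive data in the frame. */
static void leave_stale_data(void)
{
    memset(scratch.bytes, STALE_BYTE, sizeof scratch.bytes);
}

/* Leaky pattern: only the named fields are assigned, so the padding bytes
   keep their previous contents and travel to the caller with the copy. */
size_t build_record_leaky(uint8_t *out)
{
    leave_stale_data();
    volatile record_t *r = &scratch.r;   /* volatile: keep the field stores separate */
    r->kind  = 1;
    r->value = 42;
    memcpy(out, scratch.bytes, sizeof scratch.bytes);
    return sizeof scratch.bytes;
}

/* Hardened pattern: clear the whole object, padding included, before use. */
size_t build_record_safe(uint8_t *out)
{
    leave_stale_data();
    memset(scratch.bytes, 0, sizeof scratch.bytes);
    volatile record_t *r = &scratch.r;
    r->kind  = 1;
    r->value = 42;
    memcpy(out, scratch.bytes, sizeof scratch.bytes);
    return sizeof scratch.bytes;
}

/* Count how many bytes of the copied-out record still show the stale pattern.
   Neither legitimate field value (1 or 42) contains the byte 0x41. */
size_t count_stale_bytes(const uint8_t *buf, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE_BYTE)
            count++;
    return count;
}

size_t leaked_bytes_leaky(void)
{
    uint8_t copy[sizeof(record_t)];
    return count_stale_bytes(copy, build_record_leaky(copy));
}

size_t leaked_bytes_safe(void)
{
    uint8_t copy[sizeof(record_t)];
    return count_stale_bytes(copy, build_record_safe(copy));
}

/* Number of padding bytes in record_t, which is exactly what the leaky
   path discloses. */
size_t record_padding_bytes(void)
{
    return sizeof(record_t) - sizeof(uint8_t) - sizeof(uint64_t);
}

int main(void)
{
    printf("padding bytes in record_t : %zu\n", record_padding_bytes());
    printf("stale bytes leaked (leaky): %zu\n", leaked_bytes_leaky());
    printf("stale bytes leaked (safe) : %zu\n", leaked_bytes_safe());
    return 0;
}
```

Assigning fields one by one never touches the padding, so the leaky variant discloses exactly as many stale bytes as the structure has padding; the hardened variant clears the whole object before filling it and copies out nothing but the intended fields. The same rule applies to any structure copied across a trust boundary, whether to user mode, onto the wire, or into a file.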

Office

It wouldn’t be a Patch Tuesday without discussing Office, however this Patch Tuesday introduces a particularly large number of fixes for Office. These vulnerabilities could allow for an attacker to execute code remotely on the victim’s system with privileges equal to that of the victim user. This serves as a persistent reminder to be cautious about opening documents from untrusted sources. Microsoft rates these vulnerabilities as Important.

Skype

Skype makes an appearance this Patch Tuesday with a vulnerability that allows for remote code execution if a user is lured into viewing malicious content. Like Silverlight, the vulnerability revolves around how the Uniscribe component handles objects in memory, and an attacker who successfully exploits the vulnerability could potentially install programs; view, change or delete user data; or create user accounts with full privileges. This vulnerability is rated Critical by Microsoft.

Internet Explorer and Edge

Microsoft’s web browsers make their usual appearance, hosting multiple memory corruption vulnerabilities. An attacker who exploits these vulnerabilities by luring the user to view malicious content would be able to remotely execute commands on the victim’s system, view memory contents, and create user accounts with privileges equal to that of the victim user. Microsoft rates the most severe of these vulnerabilities as Critical.

Graphics

Windows Graphics was patched for a remote code execution vulnerability. The vulnerability stems from the Windows font library improperly processing embedded fonts. An attacker who successfully exploits this vulnerability could take control of the affected system with privileges equal to that of the victim user. Microsoft has rated this vulnerability as Critical.

Legacy OS Patches

In an unusual twist, Microsoft released patches for legacy OSes – such as Windows XP, Vista, Server 2003, and Windows 8 – to address the most severe vulnerabilities suspected to be leveraged by state-sponsored attackers. Microsoft makes it clear that this will not be a change in policy about any OS they consider unsupported. They are releasing this patch to shore up the Internet’s overall security for users who cannot or refuse to update to supported operating systems. While these patches do resolve some vulnerabilities, there are still numerous vulnerabilities on these legacy systems that remain unpatched. Users should still upgrade to a supported operating system, if possible.


Patch Tuesday May 2017

Microsoft’s Patch Tuesday this May addresses 14 critical-rated and 41 important-rated vulnerabilities, bringing the overall count to 55. Of these, three were actively being exploited, involving Internet Explorer (CVE-2017-0222), Office (CVE-2017-0261), and Win32K (CVE-2017-0263), therefore it’s especially important to ensure that these particular patches are applied.

Internet Explorer Memory Corruption Vulnerability

A vulnerability in Internet Explorer’s handling of objects in memory has been patched. This vulnerability requires that a victim be lured to a malicious website by an attacker, or that a malicious ad be placed on a legitimate website. The attacker would gain privileges equal to those of the browser, so it is again time to emphasize the importance of exercising the principle of least privilege. This vulnerability is actively being exploited in the wild, so users are advised to patch as soon as possible.

Microsoft Office Remote Code Execution Vulnerability

Once again we are reminded that malicious Microsoft Office files can be deadly. This month’s patch fixes a vulnerability in the EPS image file processing methods that allows for remote code execution on the victim’s system. The attacker only gains privileges equal to those of the user who opened the malicious file; however, reports of this bug being exploited in the wild also describe it being combined with an escalation of privilege, affording the attacker complete control over the victim’s system. Since this vulnerability is actively being exploited in the wild, users are advised to patch as soon as possible.

Win32k Elevation of Privilege Vulnerability

The kernel-mode drivers for Windows have been patched for two vulnerabilities, one of which allows for elevation of privilege and has been coupled with remote attacks to afford attackers complete control over a victim’s system. However, since this vulnerability by itself only has a local attack vector, it is rated as Important instead of Critical. Since this vulnerability is actively being exploited in the wild, users are advised to patch as soon as possible.

Windows DNS Server Denial of Service Vulnerability

While not as glamorous as a vulnerability that takes complete control over a system, a Denial of Service vulnerability can be devastating if applied on the appropriate part of a network’s infrastructure. One such critical component is the DNS Server. Without the ability to resolve hostnames via DNS, networks would no longer be able to communicate and the potential business cost could be catastrophic. This vulnerability has not been reported to be exploited in the wild.

Windows Kernel Information Disclosure Vulnerability

The Windows Kernel makes its usual appearance on Patch Tuesday, as a vulnerability that allowed for attackers to gain sensitive information from memory contents has been patched. The vulnerability stems from how the Windows Kernel handles objects in memory. While benign on its own, this vulnerability would allow an attacker to gain information that could further compromise an affected system. This vulnerability has not been reported to be exploited in the wild.

Windows COM Elevation of Privilege Vulnerability

A vulnerability in the Windows COM Aggregate Marshaler was patched that allowed for local attackers to gain elevated privileges on the system. The vulnerability by itself does not allow for code execution, but when used in conjunction with another remote vulnerability the attacker could execute code with higher privileges, like other vulnerabilities that were being actively exploited and patched this month. This vulnerability has not been reported to be actively exploited in the wild.

Microsoft ActiveX

ActiveX is patched for one vulnerability which could lead to information disclosure, allowing an attacker to gain access to protected memory regions. To successfully exploit this, the attacker would need to convince a user to open a specially crafted document, which does limit the vulnerability’s overall exposure.

Windows Graphics Information Disclosure Vulnerability

As usual, Patch Tuesday is graced by the presence of Windows Graphics, as its vulnerabilities rear their ugly heads to the world. This vulnerability allowed attackers to gain information about the system through a mishandling of memory objects. By itself this vulnerability does not allow an attacker to execute arbitrary code, but it could allow the attacker to do so if used in conjunction with another vulnerability that makes use of the leaked information. This vulnerability has not been reported to be actively exploited in the wild.

Windows SMB

SMB was hit hard this time around with 14 vulnerabilities being addressed, four of which are critical severity and ten important severity. The critical vulnerabilities stem from how SMB handles certain requests which can allow an attacker to execute arbitrary code.

.Net Framework

.Net is back this month with a security feature bypass caused by certificates not being properly validated. In this case, an attacker could present a certificate marked as invalid for a specific use, and the component would still use it for that purpose.
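The check that the bypass above skipped is whether a certificate's Extended Key Usage (EKU) extension actually lists the purpose it is about to serve. The following PowerShell function is an added example written for this page, not code from the bulletin or from Microsoft; it assumes the required purpose is TLS server authentication (id-kp-serverAuth, OID 1.3.6.1.5.5.7.3.1) and reports any certificate in the machine's personal store that is not permitted for that use.

```powershell
# Added example, not code from the bulletin or from Microsoft: check that a
# certificate's Extended Key Usage (EKU) extension actually permits the purpose
# it is about to serve. Assumed default purpose: TLS server authentication
# (id-kp-serverAuth, OID 1.3.6.1.5.5.7.3.1).
function Test-CertificatePurpose {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        [string]$RequiredEkuOid = '1.3.6.1.5.5.7.3.1'
    )

    # The EKU extension carries OID 2.5.29.37. .NET surfaces it as a typed
    # X509EnhancedKeyUsageExtension inside the certificate's Extensions collection.
    $ekuExtension = $Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        Select-Object -First 1

    if ($null -eq $ekuExtension) {
        # No EKU at all means "not restricted to any purpose". Surface that as a
        # distinct verdict rather than an implicit pass, so the caller decides.
        return [pscustomobject]@{
            Subject  = $Certificate.Subject
            Purposes = ''
            Verdict  = 'NoEkuExtension'
            Allowed  = $false
        }
    }

    $ekuExtension = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExtension
    $purposeOids  = @($ekuExtension.EnhancedKeyUsages | ForEach-Object { $_.Value })

    $allowed = $purposeOids -contains $RequiredEkuOid
    $verdict = 'PurposeNotAllowed'
    if ($allowed) { $verdict = 'PurposeAllowed' }

    [pscustomobject]@{
        Subject  = $Certificate.Subject
        Purposes = ($purposeOids -join ', ')
        Verdict  = $verdict
        Allowed  = $allowed
    }
}

# Usage: list every certificate in the machine's personal store that is NOT
# permitted for TLS server authentication, the case the bypass let through.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-CertificatePurpose -Certificate $_ } |
    Where-Object { -not $_.Allowed } |
    Format-Table -AutoSize
```

This inspects only the EKU extension of the leaf certificate; it does not build or validate the chain. For a full check that includes chain building with the purpose constraint, the PKI module's `Test-Certificate -Cert $cert -EKU '1.3.6.1.5.5.7.3.1'` performs both, and a fixed .NET component is expected to fail a certificate that lacks the required purpose in the same way.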

Adobe Flash Player

Last, but not least, Microsoft’s Flash update addresses seven vulnerabilities related to Adobe’s APSB17-15 advisory. Six vulnerabilities involve memory corruptions and the other is due to a use-after-free issue, all of which can allow an attacker to execute arbitrary code.


Patch Tuesday March 2017

Patch Tuesday is back with a vengeance this month clocking in with 18 bulletins in total, with 8 rated as critical. Notable bulletins include a fix for Windows’ GDI library which was initially patched back in June of last year, however the fix was incomplete and is now supposedly addressed. Additionally, and to no one’s surprise really, IE and Edge receive hefty patches addressing 12 and 32 vulnerabilities, respectively. This is one patch cycle you won’t want to miss!

MS17-006: Cumulative Security Update for Internet Explorer (4013073)

After stocking up vulnerabilities for one month longer than usual in Internet Explorer, Microsoft has released a critical update to fix numerous security issues. Many of the vulnerabilities, CVE-2017-0008, CVE-2017-0037, CVE-2017-0012, CVE-2017-0033, and CVE-2017-0154, were publicly disclosed prior to this patch. The good news is, now with this patch you can protect your systems from these vulnerabilities. Most of these vulnerabilities would require the victim to be tricked into viewing malicious content. The security update addresses the vulnerabilities by correcting how the affected components handle objects in memory.

MS17-007: Cumulative Security Update for Microsoft Edge (4013071)

Edge has returned with critical remote code execution vulnerabilities to be patched. The most critical vulnerabilities stem from the scripting engine’s memory handling. When a user views maliciously crafted content, Edge can execute code with privileges equal to those of the current user. This is another reminder to exercise the principle of least privilege.

MS17-008: Security Update for Windows Hyper-V (4013082)

Windows Hyper-V makes an unusual appearance on Patch Tuesday. Hyper-V is the virtualization component Windows uses to create and run virtual machines. An attacker on a guest operating system could achieve code execution on the host by running a specially crafted application. This security update adds validation of input from the guest operating system, protecting the host from a malicious guest. One of these vulnerabilities, CVE-2017-0097, which leads to a denial of service on the host, was publicly disclosed prior to this patch.

MS17-009: Security Update for Microsoft Windows PDF Library (4010319)

Microsoft Windows PDF Library was found to have a critical memory corruption vulnerability. When the library is used to view malicious PDF content, an attacker could execute arbitrary code on the system in the context of the current user. Only Windows 10 systems with Microsoft Edge set as the default browser could be compromised simply by viewing a website. If Edge was not the victim’s default web browser, they would have to be socially engineered into viewing the content specifically with Edge in order to reach the vulnerable PDF library.

MS17-010: Security Update for Windows SMB Server (4013389)

Windows SMB Server comes loaded with critical vulnerabilities this Patch Tuesday. Most of the vulnerabilities allow for remote code execution, and one allows for information disclosure. None of these vulnerabilities were publicly disclosed prior to the release of this patch. To exploit these vulnerabilities, an attacker could send a specially crafted packet to a targeted SMBv1 server on a connected network. This patch corrects how the SMBv1 server handles these packets.

MS17-011: Security Update for Microsoft Uniscribe (4013076)

Microsoft Uniscribe comes to Patch Tuesday teeming with vulnerabilities. An attacker can remotely execute arbitrary code and obtain information on the target system. Despite having 30 CVEs associated with this patch, none of these vulnerabilities were disclosed publicly prior to the patch. Most of these vulnerabilities are resolved by changing how Uniscribe handles objects in memory. Accounts with fewer user rights are less affected by these vulnerabilities, providing a strong reminder to exercise the principle of least privilege whenever possible.

MS17-012: Security Update for Microsoft Windows (4013078)

It wouldn’t be Patch Tuesday without patches for Windows itself. Multiple vulnerabilities were discovered, the most severe of which could allow remote code execution if an attacker runs a specially crafted application that connects to an iSNS Server and then issues malicious requests to the server. Fortunately, that flaw was not publicly disclosed prior to this patch. However, CVE-2017-0016, which leads to a denial of service, was publicly disclosed prior to this patch.

MS17-013: Security Update for Microsoft Graphics Component (4013075)

Making its usual appearance, Microsoft Graphics Component comes with a host of vulnerabilities to be patched. The most severe of these vulnerabilities could lead to remote code execution. Local attackers can also escalate their privileges, and attackers can discover information on the target system. One of these vulnerabilities, CVE-2017-0005, was not publicly disclosed, but was exploited in the wild. That exploit allowed for privilege escalation by local users.

MS17-014: Security Update for Microsoft Office (4013241)

As usual, Microsoft Office has numerous routine fixes this month. The most severe of the vulnerabilities patched could allow remote code execution. Of the vulnerabilities that were patched, only one Denial of Service vulnerability was publicly disclosed prior to patching. Microsoft typically does not patch Denial of Service in Office, since it translates to a benign application crash. Does this mean that more security researchers will post their Denial of Service proof of concept files publicly to gain notoriety? Only time will tell.

MS17-015: Security Update for Microsoft Exchange Server (4013242)

This month we see a flaw in Microsoft Exchange Outlook Web Access. Exchange fails to properly handle specially crafted web requests, which could lead to an attacker acquiring sensitive information. An attacker could send an email to a user containing either a malicious link or a malicious attachment. This vulnerability does require the user to click the link or open the attachment. As we have observed over the past year, these types of phishing attacks have proven to be very successful.

MS17-016: Security Update for Windows IIS (4013074)

Microsoft IIS server has patched one vulnerability this month. It has been found that IIS server fails to properly sanitize a specially crafted request. In this situation, an attacker would use a cross-site scripting attack to run a script in the context of the current user. This could lead to an attacker reading sensitive data, performing actions on behalf of the victim, and injecting malicious content.

MS17-017: Security Update for Windows Kernel (4013081)

Microsoft has cleaned up a handful of vulnerabilities in the Windows Kernel. There are four vulnerabilities discovered in total this month. Attackers who successfully exploit these could gain elevated privileges or run processes in an elevated context. Two of the vulnerabilities were addressed by correcting how the kernel validates API input and buffer lengths. The other two were cleaned up by correcting how the Kernel API and Transaction Manager handle objects in memory.

MS17-018: Security Update for Windows Kernel-Mode Drivers (4013083)

Vulnerabilities with Windows Kernel-Mode Drivers are always a serious issue. This month we’ve seen a particularly dangerous vulnerability pop up that could lead to an attacker taking control of the affected system. An attacker could construct a special application that could exploit how the kernel-mode driver handles objects in its memory. An attacker who runs arbitrary code could install programs or even delete data. Microsoft again solved this by correcting the flaw in how objects are handled in memory.

MS17-019: Security Update for Active Directory Federation Services (4010320)

It is always a good sign to see Active Directory being tested for vulnerabilities. Many of us rely on Active Directory to administer most of our networks. This month, Microsoft has fixed an information disclosure vulnerability in Active Directory Federation Services. An attacker could send a forged request to an ADFS server and receive sensitive information in return. Microsoft added an additional verification check to solve this issue.

MS17-020: Security Update for Windows DVD Maker (3208223)

Windows DVD Maker enters the scene with a cross-site request forgery vulnerability. This is a good sign, since it shows that security is being looked at across all Microsoft products. This vulnerability was not previously published or exploited. DVD Maker fails to properly handle msdvd files, which allows attackers to obtain information that can be used to compromise the system further.

MS17-021: Security Update for Windows DirectShow (4010318)

DirectShow has an information disclosure vulnerability in the way it handles objects in memory. This component has been known for remote code execution vulnerabilities in the past but looks to be sealing up some flaws. This one was not publicly disclosed or exploited in the wild. An attacker who exploited this could gain information to further compromise the system.

MS17-022: Security Update for Microsoft XML Core Services (4010321)

Microsoft XML Core Services was found to have information disclosure vulnerabilities. Microsoft addressed these by altering how MSXML handles objects in memory. The vulnerabilities are exploited by visiting a compromised website, after which an attacker could query the existence of files on the system. This has been exploited in the wild but was not publicly disclosed prior to patching.

MS17-023: Security Update for Adobe Flash Player (4014329)

Adobe released their monthly patch to address seven vulnerabilities, six of which lead to remote code execution. We see recurring ways in which Flash is being exploited: buffer overflow, memory corruption, and use-after-free attacks. It’s scary to think that a machine which is out of date for only a month would be so full of holes, but then again, it’s Flash we’re talking about here.


Patch Tuesday January 2017

A new year of course brings with it a new Patch Tuesday. This month, Microsoft has released only four bulletins consisting of one critical and three important-rated advisories. In total, 15 unique vulnerabilities were addressed, the majority of which are related to Adobe Flash Player. With that said, let’s dive into the bulletins.

MS17-001: Security Update for Microsoft Edge (3214288)

Kicking off the new year, surprisingly, is not Internet Explorer but Edge. This bulletin is important-rated and resolves an issue related to cross-domain policies, which can lead to privilege elevation. An attacker can potentially access information from one domain and inject it into another domain through the about:blank page.

MS17-002: Security Update for Microsoft Office (3214291)

Making its regular appearance, Office has only one vulnerability this month. Don’t think that means we’re letting Office get off easy; the vulnerability results in remote code execution and is rated important by Microsoft. The vulnerability stems from the usual object memory mismanagement. A successful exploit would execute code with the privileges of the current user. Be sure your new year’s resolution involves exercising the principle of least privilege.

MS17-003: Security Update for Adobe Flash Player (3214628)

As usual, Adobe Flash Player is teeming with fixes this month. This bulletin has a Critical rating, since Remote Code Execution is possible. There are multiple attack vectors through which an attacker can exploit a victim with these vulnerabilities. In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website, or leverage an already compromised website. There are mitigations that can be taken to blunt the damage an attacker could do to your system, the most effective being to disable Adobe Flash Player from running in IE or Edge.
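For the Internet Explorer half of that mitigation, the usual mechanism is the ActiveX "kill bit": a Compatibility Flags registry value on the control's CLSID that stops IE from instantiating it. The following PowerShell function is an added example for this page, not code from the bulletin or from Microsoft; it assumes the well-known Shockwave Flash Object CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000} and the 0x400 kill-bit flag, and only reports whether the bit is set in each location IE consults.

```powershell
# Added example, not code from the bulletin or from Microsoft: report whether
# the Flash ActiveX control is kill-bitted for Internet Explorer on this host.
# Assumptions: the Shockwave Flash Object CLSID below and the 0x400 flag in
# "Compatibility Flags" are the documented kill-bit mechanism.
function Get-FlashActiveXStatus {
    $flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
    $killBit    = 0x400

    # IE consults the machine-wide key (plus its 32-bit view on x64) and the
    # per-user key, so a mitigation pushed to only one of them can be missed.
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid",
        "HKCU:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
    )

    foreach ($key in $keys) {
        $flags = $null
        if (Test-Path -Path $key) {
            $item  = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $flags = [int]$item.'Compatibility Flags' }
        }

        $flagsText = 'absent'
        if ($null -ne $flags) { $flagsText = '0x{0:X}' -f $flags }

        [pscustomobject]@{
            Key        = $key
            Flags      = $flagsText
            KillBitSet = ($null -ne $flags) -and (($flags -band $killBit) -ne 0)
        }
    }
}

# Usage: one row per registry location; KillBitSet = True means IE will not load Flash from it.
Get-FlashActiveXStatus | Format-Table -AutoSize
```

The function deliberately only reads; setting the bit is a change-managed action, and on Windows 8 and later, where Flash ships inside the OS, it is the supported way to keep IE from loading the control short of removing it. Edge has its own policy switch for Flash, which is not covered here.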

MS17-004: Security Update for Local Security Authority Subsystem Service (3216771)

Probably the only unusual face on this Patch Tuesday, the Local Security Authority Subsystem Service has a denial of service vulnerability. An attacker could trigger the flaw in LSASS by sending a specially crafted authentication request, which would cause a malfunction that initiates an automatic reboot of the system. This vulnerability is rated as Important by Microsoft, since its impact is only denial of service.


Patch Tuesday December 2016

In this final Patch Tuesday of the year, Microsoft provides a total of 12 bulletins addressing vulnerabilities within the typical products such as IE, Edge, and Office. Some new faces also make an appearance with Uniscribe and the auto-updater for Office on Mac systems. Out of the 12 bulletins, half are rated critical while the other half are rated important.

MS16-144: Cumulative Security Update for Internet Explorer (3204059)

Starting things off, Internet Explorer is patched for a total of 8 vulnerabilities consisting of 4 memory corruptions, 3 information disclosures, and a security feature bypass. The memory corruptions are the most severe, as they can allow remote attackers to execute arbitrary code by hosting a malicious website and convincing a victim to browse to it.

MS16-145: Cumulative Security Update for Microsoft Edge (3204062)

Up next, Edge is patched for even more vulnerabilities than IE, clocking in with 11 vulnerabilities total consisting of 7 memory corruptions, 3 information disclosures, and 1 security feature bypass. Again, the most severe of these are the memory corruption vulnerabilities, making this bulletin critically-rated.

MS16-146: Security Update for Microsoft Graphics Component (3204066)

As a returning usual suspect, more vulnerabilities have been found in Microsoft Graphics Component. The worst of these vulnerabilities could result in Remote Code Execution, and one vulnerability discloses the graphics component’s memory contents. There are multiple ways in which an attacker can exploit these vulnerabilities: they can convince a user to open a crafted document, or to visit a malicious webpage. This update applies the usual memory handling remedies to solve the problem.

MS16-147: Security Update for Microsoft Uniscribe (3204063)

As a new face on Patch Tuesday, Microsoft Uniscribe has been found to contain a critical vulnerability that could lead to remote code execution. Since this is a new face, an introduction is in order. Uniscribe is a set of APIs that allow a high degree of control for fine typography and for processing complex scripts. Both complex scripts and simple scripts with fine typography effects require special processing to display and edit because the characters (“glyphs”) are not laid out in a simple way. For complex scripts, the rules governing the shaping and positioning of glyphs are specified and catalogued in The Unicode Standard. In short, Uniscribe is a font processing API for Unicode-based fonts. An attacker could exploit this vulnerability by luring a victim to a malicious website.

MS16-148: Security Update for Microsoft Office (3204068)

This bulletin resolves a whopping 11 Office vulnerabilities consisting of 4 memory corruptions, a DLL side-loading vulnerability, 3 security feature bypasses, 2 information disclosures, and a privilege escalation for the auto-updater on Mac systems.

MS16-149: Security Update for Microsoft Windows (3205655)

It wouldn’t be Patch Tuesday without security updates to Windows itself. Windows contains two important-rated vulnerabilities, one for information disclosure and the other for privilege escalation. The information disclosure leaks memory contents to the user when Windows Crypto runs in kernel mode. To exploit this vulnerability, an attacker would have to log onto the system and run a specially crafted application. The escalation of privilege vulnerability results from improper input sanitization that leads to insecure library loading behavior in Windows Installer.

MS16-150: Security Update for Windows Secure Kernel Mode (3205642)

“Secure” Kernel Mode comes bearing a vulnerability as a gift this holiday season. This vulnerability is rated as important, and results in elevation of privilege. Due to improper memory handling, an attacker can violate the VTL (virtual trust levels) of Windows. A locally-authenticated attacker could attempt to exploit the vulnerability by running a specially crafted application on the target system. The update applies the usual memory handling fixes to properly enforce VTL.

MS16-151: Security Update for Windows Kernel-Mode Drivers (3205651)

Microsoft addresses two privilege escalation flaws that exist in the Windows graphics component and kernel-mode driver. This is particularly dangerous because of the range of affected operating systems and the ability to take control over the system. In CVE-2016-7259, an attacker would have to craft a special application to take advantage of how the graphics component improperly handles objects in memory. This could lead to the attacker running processes in an elevated context. CVE-2016-7260 is less severe because the attacker has to be logged in to the affected system to exploit the vulnerability. After an attacker obtains access, they can run a special application to take advantage of how the kernel-mode driver handles objects in memory. Microsoft resolved these two vulnerabilities by addressing how these components handle objects in memory.

MS16-152: Security Update for Windows Kernel (3199709)

Windows Kernel makes a casual appearance this month, containing an important rated information disclosure vulnerability. Kernel Memory Addresses can be leaked when the kernel fails to properly handle certain page fault system calls. An authenticated attacker who successfully exploited the vulnerability could disclose information from one process to another. To exploit the vulnerability, an attacker would have to log on locally to an affected system, or convince a local user to execute a crafted application. The patch changes how the Windows Kernel handles certain page fault system calls.

MS16-153: Security Update for Common Log File System Driver (3207328)

A flaw has been discovered in the Common Log File System driver, which is the result of CLFS improperly handling objects in memory. An attacker could run an application to bypass security and further exploit the machine. Microsoft has fixed this by addressing how the CLFS driver handles objects in memory.

MS16-154: Security Update for Adobe Flash Player (3209498)

This bulletin addresses vulnerabilities related to Adobe’s security bulletin APSB16-39, which resolves 16 vulnerabilities within Flash. This bulletin serves as a reminder to be extra careful when following links from emails and other less than trustworthy sources.

MS16-155: Security Update for .NET Framework (3205640)

.NET Framework is patched for an information disclosure resulting from improper handling of developer-supplied keys, which are usually protected by the Always Encrypted feature. An attacker could potentially decrypt data by using an easily guessable key.


Patch Tuesday November 2016

November’s Patch Tuesday ushers in a hefty 14 bulletins – 6 critical and 8 important. This cycle marks the second month utilizing the new rollup process for certain operating systems, with Vista and 2008 still requiring individual patching. Curiously, Internet Explorer comes last in the list (it’s usually first), most likely due to the Out-Of-Band patch (MS16-128), which came out in late October.

MS16-129: Cumulative Security Update for Microsoft Edge (3199057)

First off, Edge is patched for a whopping 17 vulnerabilities consisting of 4 memory corruptions within the browser itself, 8 memory corruptions within the scripting engine, 4 information disclosures, and a spoofing vulnerability, making this update one of the largest to date for the Edge browser. Microsoft has appropriately rated this bulletin as critical, as the multiple memory corruptions could result in arbitrary code execution.

MS16-130: Security Update for Windows OLE to Address Remote Code Execution (3143136)

Next up, this bulletin resolves 2 memory corruption vulnerabilities within Windows OLE which can lead to remote code execution. The issue stems from OLE not properly handling objects in memory, typically parsed from an embedded file. At the time of this bulletin’s publication, there were no reports of these vulnerabilities being actively exploited.

MS16-131: Security Update for Microsoft Video Control (3199151)

This bulletin resolves an issue with Microsoft Video Control which can lead to remote code execution, making this a critically rated update. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file or visit a malicious website.

MS16-132: Security Update for Microsoft Graphics Component (3199120)

The Graphics Component returns to the scene with some interesting vulnerabilities – an information disclosure and memory corruption within OpenType font parsing, a memory corruption within the Animation Manager, and a memory corruption within Media Foundation. An attacker could leverage these vulnerabilities to execute arbitrary code on a remote system. Microsoft has received reports that the OpenType font parsing vulnerability was being actively exploited prior to this bulletin being published, so this is an update you do not want to miss.

MS16-133: Security Update for Microsoft Office (3199168)

Up next, Office undergoes a hefty update resolving an information disclosure, 10 memory corruptions, and a denial of service vulnerability. The memory corruption vulnerabilities are the more severe vulnerabilities because they can potentially lead to remote code execution, making this bulletin critically rated.

MS16-134: Security Update for Common Log File System Driver (3193706)

Bringing a rather unusual face to this Patch Tuesday, multiple vulnerabilities in the Common Log File System Driver have been discovered. All of these vulnerabilities have the same impact, elevation of privilege. To exploit these vulnerabilities, an attacker would first have to gain access to the vulnerable system, and then run a specially crafted application to gain the elevated privileges. To solve this issue, Microsoft has fixed how the Common Log File System Driver handles objects in memory.

MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135)

Back to the usual suspects, Kernel-Mode Drivers have returned to Patch Tuesday with an important update that fixes multiple vulnerabilities. The vulnerabilities have impacts of elevation of privilege and sensitive information disclosure. To exploit the vulnerability, an attacker would need to have access to the vulnerable system, and run a specially crafted application to exploit the vulnerability of their choice. Microsoft has once again fixed the issue by applying the usual memory remedies.

MS16-136 – Important: Security Update for SQL Server (3199641)

Another unusual face on this Patch Tuesday, SQL Server has a handful of vulnerabilities. The impact of these vulnerabilities ranges from elevation of privilege and information disclosure to cross-site scripting (XSS). To exploit the XSS vulnerability, the attacker could inject a client-side script into the user’s instance of Internet Explorer, allowing the attacker to take any action that the user could take on the site. To disclose information, an attacker could supply a malicious file-stream path, causing the SQL server to improperly handle the request and spill the proverbial beans. To elevate privileges, an attacker would need to supply a malicious ACL to atxcore.dll.

MS16-137: Security Update for Windows Authentication Methods (3199173)

Windows Authentication Methods make a semi-casual appearance this Patch Tuesday. The impacts of the vulnerabilities discovered range from information disclosure and denial of service to elevation of privilege. The information disclosure is tied to a memory handling error, and can be exploited by an attacker who runs a specially crafted application. On its own, the information disclosure is not sufficient for an attacker to compromise the system, but when combined with other vulnerabilities the danger is sufficient to warrant a patch. To cause a denial of service, an attacker could send a maliciously crafted request to the Local Security Authority Subsystem (LSASS), causing the target system to become unresponsive. To elevate privileges, an attacker would have to authenticate either to the target or to a domain-joined system using valid user credentials, and then run a specially crafted application to manipulate NTLM password change requests into granting the user additional privileges.

MS16-138: Security Update for Microsoft Virtual Hard Disk Driver (3199647)

Multiple privilege escalations have been discovered in the Microsoft Virtual Hard Disk Driver. The issue stems from how the Windows VHDMP kernel driver mishandles user access to certain files and could allow an attacker to manipulate them in restricted locations. This is addressed in the update by correcting how the kernel API handles access to these files.

MS16-139: Security Update for Windows Kernel (3199720)

This bulletin resolves a privilege escalation vulnerability within the Windows kernel due to how it handles permissions for certain files and folders. An attacker has to be locally authenticated to take advantage of this and would have to run a specially crafted application. As we have seen with similar issues, Microsoft has made sure that the kernel handles permissions properly.

MS16-140: Security Update for Boot Manager (3193479)

Next up, Boot Manager is patched for a security feature bypass which can allow an attacker to disable key features that help protect the boot process. If the attacker had physical access or administrative rights, they could load test-signed executables or drivers on the target system. The security update prevents this by revoking affected boot policies in firmware.
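Because the bypass above turns on the ability to load test-signed code, the posture a defender wants to confirm after patching is that Secure Boot is enforced and that no boot entry has test signing or integrity checks switched off. The function below is an added example written for this page, not code from the bulletin or from Microsoft; it assumes a UEFI system with the SecureBoot module present and an elevated session (both `Confirm-SecureBootUEFI` and `bcdedit` need it), and it parses the text output of `bcdedit /enum {current}` for the two relevant switches.

```powershell
# Added example, not code from the bulletin or from Microsoft: summarise the
# boot-integrity posture of this host. Assumes UEFI firmware and an elevated
# PowerShell session; on legacy BIOS machines Secure Boot is reported as
# NotSupported rather than as a failure.
function Get-BootIntegrityPosture {
    # Secure Boot state. Confirm-SecureBootUEFI returns $true/$false on UEFI
    # machines and throws on legacy BIOS machines, which we report as such.
    $secureBoot = 'NotSupported'
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    # Code-signing enforcement switches on the current boot entry. bcdedit
    # requires elevation; if it fails, say so instead of reporting a false "No".
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    if ($LASTEXITCODE -ne 0) {
        $testSigning  = 'Unknown'
        $integrityOff = 'Unknown'
    } else {
        # bcdedit prints e.g. "testsigning             Yes" when the switch is on.
        $testSigning  = [bool]($bcd -match '^\s*testsigning\s+Yes')
        $integrityOff = [bool]($bcd -match '^\s*nointegritychecks\s+Yes')
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SecureBootEnabled  = $secureBoot
        TestSigningEnabled = $testSigning
        IntegrityChecksOff = $integrityOff
    }
}

# Usage: a healthy patched host reports True / False / False.
Get-BootIntegrityPosture
```

A result of `TestSigningEnabled = True` on a production machine is worth an investigation regardless of patch level, since it is exactly the state the bulletin's bypass would try to reach; `Unknown` simply means the script was not run elevated.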

MS16-141: Security Update for Adobe Flash Player (3202790)

This bulletin resolves 10 vulnerabilities within Adobe Flash Player which an attacker can leverage by convincing a user to visit a specially crafted webpage or by viewing a malicious email message, for example. Note that this bulletin corresponds to Adobe’s APSB16-37 advisory.

MS16-142: Cumulative Security Update for Internet Explorer (3198467)

Oddly enough, Internet Explorer is last in this month’s patch cycle. Multiple remote code execution vulnerabilities have been discovered in the way that IE handles objects in memory. A typical attack scenario would be for an attacker to convince a user to visit a malicious website. The attacker could then corrupt memory in a way that could allow them to execute arbitrary code in the context of the current user. This is always dangerous because if the user had administrative rights, then the attacker could take complete control of the system.


Review: Patch Tuesday September 2016

This Patch Tuesday introduces seven critical and seven important bulletins amounting to a total of 14 bulletins. Overall, 47 vulnerabilities were addressed making this a fairly hefty patch cycle.

MS16-104: Cumulative Security Update for Internet Explorer (3183038)

Kicking off the month, Internet Explorer is patched for five memory corruptions, an elevation of privilege, three information disclosures, and a security feature bypass. The memory corruption vulnerabilities are the most severe issues, as they can allow a remote attacker to execute arbitrary code. To exploit these vulnerabilities, an attacker would host a malicious webpage and entice a victim to browse to it.

MS16-105: Cumulative Security Update for Microsoft Edge (3183043)

Next up is Edge, which is patched for similar issues to those that plagued IE – seven memory corruptions and five information disclosure vulnerabilities, making this a critically-rated bulletin. While it is good to see security issues being addressed in Edge, it is disheartening to see it suffer from more critical vulnerabilities than its predecessor on Patch Tuesday.

MS16-106: Security Update for Microsoft Graphics Component (3185848)

This critically-rated bulletin resolves three elevation of privilege vulnerabilities, an information disclosure, and a remote code execution vulnerability. Since these vulnerabilities exist within the Kernel, exercising least-privilege does not help to mitigate the impact. Full system compromise is possible, making this a high-priority update.

MS16-107: Security Update for Microsoft Office (3185852)

Office is patched for ten memory corruptions, an ASLR bypass, an information disclosure, and a spoofing vulnerability. The most severe vulnerability types, the memory corruption vulnerabilities, occur due to improperly handling objects in memory which can lead to code execution. Additionally, the ASLR bypass vulnerability only applies to click-to-run type installations.

MS16-108: Security Update for Microsoft Exchange Server (3185883)

Microsoft Exchange Server returns to our radar with modest vulnerabilities that allow for Information Disclosure, Spoofing, and Elevation of Privilege. In addition, there are multiple vulnerabilities in third-party code (the Oracle Outside In libraries), but Microsoft is releasing this update to ensure that all customers using the third-party code are protected. The vulnerabilities in the third-party code can result in Remote Code Execution, Denial of Service, and Information Disclosure.

MS16-109: Security Update for Silverlight (3182373)

A vulnerability exists in Silverlight that could allow an attacker to execute arbitrary code on a system if a user visits a malicious website. The flaw stems from Silverlight improperly handling objects in memory, allowing an attacker to corrupt system memory and gain the same access as the current user. If that user has administrative rights, an attacker could take complete control of the system.

MS16-110: Security Update for Microsoft Windows (3178467)

This bulletin addresses vulnerabilities in all versions of Microsoft Windows excluding Itanium-based servers. There have been multiple vulnerabilities reported, the most severe of which would allow an attacker to craft a request that could execute arbitrary code with elevated privileges. Other vulnerabilities include information disclosure, remote code execution, and denial of service. Microsoft corrected issues with how Windows enforces permissions, NT LAN Manager single sign-on, and handling of objects in memory.

MS16-111: Security Update for Windows Kernel (3186973)

The Windows Kernel makes its routine visit on Patch Tuesday with multiple vulnerabilities. Each of the vulnerabilities in the Windows Kernel can result in Elevation of Privilege. An attacker exploiting these vulnerabilities could impersonate processes, inject cross-process communication, interrupt system functionality, and gain access to user account information.

MS16-112: Security Update for Windows Lock Screen (3178469)

An issue has been resolved in Windows that allowed an attacker to elevate privileges from the Windows lock screen. An attacker could connect a malicious Wi-Fi hotspot or a broadband adapter to the computer and load web content. Microsoft corrected the issue by fixing the behavior of the lock screen.

MS16-113: Security Update for Windows Secure Kernel Mode (3185876)

It has been found that Windows Secure Kernel Mode improperly handles objects in memory. The memory corruption leaks information to the attacker, and the attacker could combine this with additional vulnerabilities to further exploit the system. While this is not a complete compromise of the system, the sensitivity of the content contained in Windows Secure Kernel Mode makes any information leak a powerful tool in an attacker’s hands.

MS16-114: Security Update for Windows SMBv1 Server (3185879)

A Microsoft Server Message Block 1.0 (SMBv1) vulnerability has been discovered that is triggered when an attacker sends a specially crafted packet to an SMBv1 server. This vulnerability only affects version 1.0 of SMB. For this vulnerability to be successfully exploited, an attacker has to be authenticated with the server and have permission to open files on the target. This was addressed by changing how SMB handles specially crafted requests.

MS16-115: Security Update for Microsoft Windows PDF Library (3188733)

Microsoft Windows PDF Library makes an appearance in this month’s Patch Tuesday. The library contains two Information Disclosure vulnerabilities. The information disclosure vulnerabilities revolve around how the library handles objects in memory; if the attacker crafts a malicious PDF, the attacker could read the leaked information from memory. In order to exploit this vulnerability the attacker would have to lure the victim to a web page hosting the malicious PDF, or trick the user into opening the PDF locally within Edge.

MS16-116: Security Update in OLE Automation for VBScript Scripting Engine (3188724)

OLE Automation for VBScript Scripting Engine contains a remote code execution vulnerability. The vulnerability revolves around how the VBScript Scripting Engine in Internet Explorer accesses objects in memory. By exploiting this vulnerability, the attacker could corrupt memory such that code could be executed within the context of the local user. If the user is logged in with administrative rights, the attacker could control the affected system.

MS16-117: Security Update for Adobe Flash Player (3188128)

Adobe Flash Player contains critical vulnerabilities that could be used to execute arbitrary code on the target system. This update addresses the vulnerabilities that are described in APSB16-29 from Adobe. In order to exploit these vulnerabilities an attacker would have to lure a victim to a compromised website with malicious content designed to take advantage of these vulnerabilities.


Patch Tuesday August 2016

August’s iteration of Patch Tuesday is slightly less populated than recent months, with only 9 bulletins. However, 5 of the 9 bulletins are rated Critical, and the other four are rated Important. The typical suspects are all back, as we see vulnerabilities in Edge, Internet Explorer, Secure Boot, Kernel-Mode Drivers, and Office. Some new faces involve the PDF library and Authentication Methods.

MS16-095: Cumulative Security Update for Internet Explorer (3177356)

As usual, the first product up to the plate is Internet Explorer. IE is patched this month for nine vulnerabilities consisting of five memory corruptions and four information disclosures. The memory corruption vulnerabilities, caused by IE improperly accessing objects in memory, pose the greatest risk as these could lead to remote code execution, making this bulletin critically rated.

MS16-096: Cumulative Security Update for Microsoft Edge (3177358)

Next up, Edge is patched for five memory corruption vulnerabilities, with one occurring within the Chakra JavaScript engine. Additionally, three information disclosures are resolved that could potentially aid an attacker with compromising the system further. At the time of this bulletin’s release, there were no reports of these vulnerabilities being actively exploited in the wild.

MS16-097: Security Update for Microsoft Graphics Component (3177393)

Microsoft Graphics Component returns teeming with critical vulnerabilities. The impact of these vulnerabilities could be remote code execution and complete compromise of a target system. The exploit revolves around Windows font libraries improperly handling specially crafted embedded fonts. An attacker has multiple vectors for this vulnerability: in a web-based attack scenario the attacker has to lure the victim to a malicious website to launch the attack, and in a file-sharing attack scenario the attacker could provide a specially crafted document and convince the victim to open it. This vulnerability is a somber reminder to be mindful of your surroundings on the web and when opening unknown content.

MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466)

Kernel-Mode Drivers have once again been found to contain multiple vulnerabilities. The impact of each of these vulnerabilities is the same, resulting in elevation of privilege. As usual, the vulnerabilities exist when the drivers fail to handle objects in memory correctly. A successful exploit of this would be able to run arbitrary code in kernel mode, allowing the attacker to install programs, view or change data, and create user accounts with full privileges. In order to perform this exploit, an attacker would have to have access to the system, and then run a specially crafted application.

MS16-099: Security Update for Microsoft Office (3177451)

Office is back this month with four memory corruption vulnerabilities, which occur due to how it handles objects in memory. These issues could potentially allow an attacker to remotely execute arbitrary code, however, the context is limited to the current user. Additionally, an Information Disclosure vulnerability is resolved specifically in OneNote, which can potentially disclose memory contents.

MS16-100: Security Update for Secure Boot (3179577)

Secure Boot returns as an Important bulletin this month, resolving a vulnerability that allows security features to be bypassed. The exploit involves installation of a vulnerable boot manager that has a faulty implementation of BitLocker or drive encryption. A successful exploit would disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device, and bypass integrity validation for BitLocker and drive encryption. In order to exploit this vulnerability, an attacker would need administrative privileges or physical access to the target device to install an affected boot manager.

MS16-101: Security Update for Windows Authentication Methods (3178465)

This bulletin addresses two new issues discovered in Windows Authentication Methods. Netlogon has an issue when it improperly establishes a secure communications channel with a domain controller. The restriction is that the system must be connected to a Server 2012 or Server 2012 R2 domain controller. The exploit would allow the attacker to run a program on a domain computer to elevate the user’s privileges. Another issue was found in how Kerberos handles a password change request. When the request is improperly handled, it falls back to NTLM authentication protocol. The NTLM protocol is susceptible to man in the middle attacks.
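The Kerberos-to-NTLM fallback described above leaves a recognisable trace in the Security log: a domain account that normally appears with the Kerberos authentication package suddenly appears with NTLM. The following is an added detection example, not code from the original post or from Microsoft. The event lines are constructed; the field names follow the Windows Security event 4624 layout (Authentication Package, LM Package, Logon Type, Account Name, Workstation Name), but every value is invented, and the `CORP` domain name is an assumption.

```python
"""Spot NTLM logons where Kerberos is expected.

Added example for the MS16-101 write-up, not code from the original post.
The events below are constructed: the field names follow Windows Security
event 4624 (Authentication Package, LM Package, Logon Type, Account Name,
Workstation Name) but every value is invented.
"""
import re
from dataclasses import dataclass

# Constructed sample of flattened 4624/4634 records, one "Key=Value" pair per field.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AccountName=alice AccountDomain=CORP WorkstationName=WS01 AuthenticationPackageName=Kerberos",
    "EventID=4624 LogonType=3 AccountName=alice AccountDomain=CORP WorkstationName=WS01 AuthenticationPackageName=NTLM LmPackageName=NTLM V2",
    "EventID=4624 LogonType=2 AccountName=svc_backup AccountDomain=CORP WorkstationName=SRV02 AuthenticationPackageName=NTLM LmPackageName=NTLM V1",
    "EventID=4624 LogonType=3 AccountName=bob AccountDomain=CORP WorkstationName=WS07 AuthenticationPackageName=Kerberos",
    "EventID=4624 LogonType=3 AccountName=Guest AccountDomain=WS07 WorkstationName=WS07 AuthenticationPackageName=NTLM LmPackageName=NTLM V2",
    "EventID=4634 LogonType=3 AccountName=bob AccountDomain=CORP",
]

# Values may contain spaces ("NTLM V2"), so a value runs until the next "Key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line))


@dataclass(frozen=True)
class Finding:
    account: str
    workstation: str
    lm_package: str
    logon_type: str
    severity: str


def find_ntlm_logons(lines, domain_names=("CORP",)):
    """Return NTLM logons by domain accounts; local accounts are skipped because they cannot use Kerberos."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("AuthenticationPackageName") != "NTLM":
            continue
        if ev.get("AccountDomain") not in domain_names:
            continue
        lm = ev.get("LmPackageName", "NTLM")
        # NTLMv1 is the weaker variant; rate it higher than NTLMv2.
        severity = "high" if lm == "NTLM V1" else "medium"
        findings.append(Finding(ev["AccountName"], ev.get("WorkstationName", "?"), lm, ev["LogonType"], severity))
    return findings


def fallback_candidates(lines):
    """(account, workstation) pairs seen with both Kerberos and NTLM: the pattern a Kerberos-to-NTLM fallback leaves behind."""
    seen = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        key = (ev.get("AccountName"), ev.get("WorkstationName"))
        seen.setdefault(key, set()).add(ev.get("AuthenticationPackageName"))
    return sorted(k for k, pkgs in seen.items() if {"Kerberos", "NTLM"} <= pkgs)


if __name__ == "__main__":
    for f in find_ntlm_logons(SAMPLE_EVENTS):
        print(f)
    print("fallback candidates:", fallback_candidates(SAMPLE_EVENTS))
```

On the constructed sample, `find_ntlm_logons` reports `alice` (NTLMv2) and `svc_backup` (NTLMv1, rated high), skips the local `Guest` account, and `fallback_candidates` singles out `alice` on `WS01` because the same account and workstation appear with both packages. In a real deployment the account list would come from a baseline of the domain's Kerberos logons rather than a hard-coded domain name.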

MS16-102: Security Update for Microsoft Windows PDF Library (3182248)

A vulnerability has been found in Windows PDF Library when handling objects in memory. If memory were corrupted, it could allow an attacker to execute arbitrary code. That code would execute in the same context as the user who opened the PDF. This could eventually allow the attacker to gain the same permissions as the victim. If they were an administrator, then the attacker could potentially take over the machine. The easiest way for an attacker to exploit this is to have a website that is hosting PDF files that are crafted to exploit the flaw.

MS16-103: Security Update for ActiveSyncProvider (3182332)

An information disclosure vulnerability has been found in Outlook when it fails to establish a secure connection. If Outlook doesn’t establish a secure connection, then an attacker could obtain the username and password. This has been addressed by preventing Outlook from disclosing usernames.


Patch Tuesday June 2016

This month’s Patch Tuesday brings in 16 bulletins, 5 of which are Critical. The products under the Critical Severity Rating were Internet Explorer, Edge, JScript and VBScript, Office, and DNS Server. In total there are 44 vulnerabilities that are addressed.

MS16-063 Cumulative Security Update for Internet Explorer (3163649)

As our usual first suspect, Internet Explorer is patched for multiple vulnerabilities, including a memory corruption within the browser, JScript and VBScript engine memory corruption, an XSS filter bypass, and proxy discovery fixes. Similar to last month’s Internet Explorer bulletin, this bulletin is closely tied with the JScript and VBScript engine’s bulletin MS16-069.

MS16-068 Cumulative Security Update for Microsoft Edge (3163656)

Up next, Edge is patched for a security bypass within Content Security Policy, four memory corruption vulnerabilities, an information disclosure, and a remote code execution vulnerability when handling specially crafted PDF files. One thing to note is that CVE-2016-3222 was publicly disclosed prior to this bulletin’s release; however, there are no reports of it being actively exploited.

MS16-069 Cumulative Security Update for JScript and VBScript (3163640)

As mentioned before, this bulletin is closely tied with the Internet Explorer bulletin, however this patch applies to systems running IE7 and earlier. The update addresses three memory corruption vulnerabilities caused by how the JScript and VBScript Engine handles objects in memory. Successful exploitation can allow a remote attacker to execute arbitrary code with the same user rights as the current user.

MS16-070 Security Update for Microsoft Office (3155544)

As usual, vulnerabilities in Office rear their ugly heads. The update addresses memory handling, and input validation before loading libraries. The vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file, so it is important to verify that the file you are opening is actually from a valid source.

MS16-071 Security Update for Microsoft Windows DNS Server (3164065)

Windows Servers that are configured as DNS servers are at risk for a vulnerability where the DNS server fails to properly handle requests. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server, and would execute with the privileges of the local account.

MS16-072 Security Update for Group Policy (3163622)

This update addresses a vulnerability that can allow network Group Policies to be configured to grant administrator privileges to standard users. To exploit this vulnerability, an attacker would need to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.

MS16-073 Security Update for Windows Kernel-Mode Drivers (3164028)

Windows Kernel-Mode Drivers contain two elevation of privilege vulnerabilities, caused by improper handling of objects in memory. Additionally, an information disclosure vulnerability is addressed within the Windows Virtual PCI virtual service provider, which can allow attackers to gain knowledge of sensitive memory contents to aid in successful exploitation.

MS16-074 Security Update for Microsoft Graphics Component (3164036)

ASLR (Address Space Layout Randomization) protects users from a wide variety of vulnerabilities. This security update fixes a vulnerability wherein an attacker could manipulate the Windows Graphics Component to leak information to bypass the ASLR. By bypassing the ASLR, the attacker could then take advantage of any number of vulnerabilities that could lead to remote code execution.

MS16-075 Security Update for Windows SMB Server (3164038)

Similar to MS16-074, this vulnerability doesn’t directly grant arbitrary code execution, but in conjunction with other vulnerabilities it could lead to it. An attacker would first have to log on to the system, then run a specially crafted application. Then the attacker could forward an authentication request intended for the malicious application through the SMB Server and take control of an affected system.

MS16-076 Security Update for Netlogon (3167691)

A memory corruption vulnerability exists where a domain-authenticated attacker could make a specially-crafted NetLogon request to the domain controller, granting access to the target system.

MS16-077 Security Update for WPAD (3165191)

Sometimes being backwards compatible can hurt. An elevation of privilege vulnerability exists in Microsoft Windows when the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process. An attacker who successfully exploited this vulnerability could bypass security and gain elevated privileges on a targeted system.

MS16-078 Security Update for Windows Diagnostic Hub (3165479)

An elevation of privilege vulnerability exists when the Windows Diagnostics Hub Standard Collector Service fails to properly sanitize input, leading to an unsecure library loading behavior. The attacker could then run arbitrary code with administrator privileges.

MS16-079 Security Update for Microsoft Exchange Server (3160339)

Is your mail leaking? This update resolves multiple vulnerabilities in Microsoft Exchange Server, the most severe of which could leak information to an attacker, allowing the victim to be identified, fingerprinted, and tracked online. When combined with other vulnerabilities, this attack could be amplified.

MS16-080 Security Update for Microsoft Windows PDF (3164302)

This bulletin resolves two information disclosures and a remote code execution vulnerability within Windows PDF. Successful exploitation involves an attacker enticing victims into opening a specially crafted PDF file, leading to code execution in the context of the current user.

MS16-081 Security Update for Active Directory (3160352)

What would a Patch Tuesday be without one or two Denial of Service (DoS) vulnerabilities? An authenticated attacker could cause a DoS by creating multiple machine accounts within Active Directory. This update addresses how machine accounts are created.

MS16-082 Security Update for Microsoft Windows Search Component (3165270)

This security update fixes a memory handling error that could be manipulated by attackers. The vulnerability could allow denial of service if an attacker logs on to a target system and runs a specially crafted application.


May 2016 Patch Tuesday

This month’s Patch Tuesday ushers in a whopping 16 bulletins, 8 of which are critical. All in all, 57 vulnerabilities are addressed. A few interesting things to note about this month – Internet Explorer and the JScript/VBScript engine are patched for a vulnerability that is currently being exploited. That’s not to say it’s the only one this month! Adobe Flash Player gets in on the action, resolving an actively exploited vulnerability of its own. Another noteworthy issue is within .NET, which is patched for a TLS/SSL vulnerability that could allow remote attackers to decrypt traffic.

MS16-051: Cumulative Security Update for Internet Explorer (3155533)

Starting off in the usual fashion, Internet Explorer is patched for critical vulnerabilities consisting of a memory corruption within the browser, a security bypass, and two memory corruptions within the JScript and VBScript engines. This bulletin is closely related to MS16-053, however this one resolves the IE attack vector. IE users should take extra care ensuring this patch is applied due to CVE-2016-0189 being actively exploited in the wild.

MS16-052: Cumulative Security Update for Microsoft Edge (3155538)

Edge also goes under the knife, being patched for four memory corruption vulnerabilities, three of which occurring within the Chakra scripting engine. The other one occurs within the browser itself and is caused by improperly accessing objects in memory, allowing for arbitrary code execution in the context of the current user.

MS16-053: Security Update for JScript and VBScript (3156764)

As mentioned earlier, this bulletin is closely related to MS16-051; this one, however, patches the two underlying JScript and VBScript memory corruption vulnerabilities at their source. Again, there are reports of CVE-2016-0189 being actively exploited in the wild, and users should ensure that this patch is applied. It should also be noted that VBScript 5.7 is only affected by CVE-2016-0189, while JScript and VBScript 5.8, present on Server 2008R2 CORE, are affected by both CVE-2016-0189 and CVE-2016-187.

MS16-054: Security Update for Microsoft Office (3155544)

And what would a Patch Tuesday be without our dear friend Office? This bulletin resolves four memory corruption vulnerabilities, which can allow for remote code execution. Three are caused by Office software improperly handling objects in memory while the fourth is due to improperly handling specially crafted embedded fonts. In this case, typical attack scenarios are web, email, and document based.

MS16-055: Security Update for Microsoft Graphics Component (3156754)

Microsoft Graphics component is patched for five vulnerabilities, consisting of two information disclosures, caused by the GDI component disclosing memory contents; a remote code execution vulnerability, due to improper handling of memory objects; a Use-After-Free vulnerability within Direct3D; and finally, a memory corruption vulnerability within the Windows Imaging component.

MS16-056: Security Update for Windows Journal (3156761)

Journal returns to the scene, being patched for another remote code execution vulnerability. The problem occurs when Journal attempts to process a specially crafted .jnt file, which a remote attacker can send to an unsuspecting victim, resulting in memory corruption. Execution occurs within the context of the current user, so accounts with fewer user rights are less impacted.

MS16-057: Security Update for Windows Shell (3156987)

Windows Shell is patched for a critical remote code execution vulnerability caused by improper handling of objects in memory. A typical attack scenario would be an attacker convincing a victim to browse to a malicious webpage designed to exploit the vulnerability. Similar to the previous bulletin, the execution again occurs within the context of the current user.

MS16-058: Security Update for Windows IIS (3141083)

Microsoft Internet Information Services (IIS) is patched this month for a DLL loading vulnerability which can lead to arbitrary code execution. Successful exploitation depends on file access where an attacker could plant a specially crafted DLL which is then loaded by IIS.

MS16-059: Security Update for Windows Media Center (3150220)

Media Center returns with a remote code execution vulnerability occurring when Media Center processes .mcl files. This vulnerability is also limited to the context of the current user upon exploitation, but that is what Elevation of Privilege vulnerabilities are for, like in the next bulletin.

MS16-060: Security Update for Windows Kernel (3154846)

This bulletin resolves an Elevation of Privilege vulnerability within Windows kernel. The issue involves improper handling of symbolic links which could potentially give access to registry keys, allowing an attacker to elevate their privileges.

MS16-061: Security Update for Microsoft RPC (3155520)

A remote code execution vulnerability is patched within Microsoft’s Remote Procedure Call (RPC) Network Data Representation Engine. The issue occurs when Windows handles specially crafted RPC requests and then improperly frees the associated memory. Successful exploitation requires authenticated access to issue the necessary RPC requests, limiting the attack surface for this vulnerability.

MS16-062: Security Update for Windows Kernel-Mode Drivers (3158222)

Kernel mode drivers are back with a vengeance this month, with seven vulnerabilities being patched. These consist of – four Elevation of Privilege vulnerabilities resulting from the win32k driver failing to properly handle objects in memory; a security feature bypass vulnerability also within the win32k driver, allowing an attacker access to kernel memory addresses which can be used to bypass Address Space Layout Randomization (ASLR); and finally, two Kernel Elevation of Privilege vulnerabilities occurring in the DirectX Graphics driver (dxgkrnl.sys) when it incorrectly maps kernel memory.

MS16-064: Security Update for Adobe Flash Player (3157993)

Microsoft has included Adobe Flash Player in this bulletin, which resolves 24 vulnerabilities within Flash Player. The associated Adobe advisory for this is ASA16-02, which states that CVE-2016-4117 is actively being exploited in Flash Player versions 21.0.0.226 and below. Interestingly, Adobe has withheld releasing the associated bulletin until later in the week, perhaps indicating another critical vulnerability is in the process of being patched. If this is the case, Microsoft may update their bulletin to include this, so we’ll be keeping an eye out for this.

MS16-065: Security Update for .NET Framework (3156757)

.NET is patched for a vulnerability within the TLS/SSL protocol which can allow an attacker to decrypt TLS/SSL traffic. The patch resolves the issue by splitting the first TLS record after the initial connection handshake; it is only applied to applications that use TLS 1.0 with Cipher Block Chaining (CBC), not to TLS 1.1 or 1.2.
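Why splitting one record helps is easier to see with the IV chaining rule written out. In TLS 1.0 the IV for record n+1 is the last ciphertext block of record n, so it is public before the next record is encrypted; the 1/n-1 split puts only a single byte of application data under that known IV, and the remaining n-1 bytes are encrypted under the ciphertext of the 1-byte record, which is not known in advance. The model below is an added example, not the .NET Framework's code. Its block "cipher" is a constructed stand-in (a keyed hash truncated to one block) that is neither invertible nor a real cipher; CBC encryption only needs an unpredictable keyed function, which is all the demonstration relies on. The key, the initial IV and the record contents are invented.

```python
"""TLS 1.0 CBC IV chaining and the 1/n-1 record split.

Added example for the MS16-065 write-up; it is a model, not the .NET
Framework's code. The block "cipher" is a constructed stand-in (a keyed hash
truncated to one block): it is not invertible and not a real cipher, but CBC
encryption only needs an unpredictable keyed function, which is all this
demonstration relies on.
"""
import hashlib

BLOCK = 16


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for a 128-bit block cipher (see module docstring)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def tls_pad(data: bytes) -> bytes:
    """TLS-style padding: fill to a block boundary, every pad byte equal to padding_length."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n - 1]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        block = bytes(p ^ c for p, c in zip(plaintext[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, block)
        out += prev
    return out


def needs_split(version: tuple, cipher_mode: str) -> bool:
    """The bulletin's scope: only TLS 1.0 (3,1) with a CBC cipher suite gets the split."""
    return version == (3, 1) and cipher_mode == "CBC"


class Tls10CbcWriter:
    """Models the TLS 1.0 rule that record n+1 uses the last ciphertext block of record n as its IV."""

    def __init__(self, key: bytes, iv: bytes, split: bool):
        self.key, self.chain_iv, self.split = key, iv, split

    def send(self, app_data: bytes):
        """Encrypt app_data into one record, or into a 1-byte record plus an (n-1)-byte record when split."""
        fragments = [app_data[:1], app_data[1:]] if self.split and len(app_data) > 1 else [app_data]
        records = []
        for frag in fragments:
            iv = self.chain_iv
            ct = cbc_encrypt(self.key, iv, tls_pad(frag))
            records.append((iv, ct))
            self.chain_iv = ct[-BLOCK:]  # chained IV: public as soon as the record is on the wire
        return records


def bulk_iv_known_in_advance(split: bool) -> bool:
    """Is the IV that protects the bulk of a sensitive record already known before that record is encrypted?"""
    key, iv0 = b"k" * BLOCK, bytes(BLOCK)          # constructed key and initial IV
    writer = Tls10CbcWriter(key, iv0, split)
    writer.send(b"GET / HTTP/1.1\r\n")             # earlier record; its last ciphertext block is now public
    known_before = writer.chain_iv
    records = writer.send(b"Cookie: session=SECRET-VALUE")
    bulk_iv = records[-1][0]                        # IV applied to the record carrying the bulk data
    return bulk_iv == known_before


if __name__ == "__main__":
    print("unsplit: bulk IV known in advance ->", bulk_iv_known_in_advance(False))
    print("1/n-1 split: bulk IV known in advance ->", bulk_iv_known_in_advance(True))
```

Without the split, `bulk_iv_known_in_advance(False)` is true: the whole sensitive record is encrypted under an IV that was already on the wire. With the split it is false, because the bulk record's IV is the ciphertext of the 1-byte record. The `needs_split` gate mirrors the bulletin's scope; TLS 1.1 and 1.2 carry an explicit per-record IV, which is why they are not covered.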

MS16-066: Security Update for Virtual Secure Mode (3155451)

This bulletin resolves a security bypass vulnerability within Virtual Secure Mode. The issue is caused by Windows incorrectly allowing certain kernel-mode pages to be marked as Read, Write, and Execute even with Hypervisor Code Integrity enabled.

MS16-067: Security Update for USB Driver (3155784)

Last, but certainly not least, Windows is patched for a vulnerability that exists when USB disks are mounted over RDP. An attacker could potentially gain access to the drive from a session other than the one in which it was mounted. The patch ensures that access is properly enforced to prevent access from non-mounting sessions.


April 2016 Patch Tuesday

April’s Patch Tuesday offers up 13 bulletins which include the typical misfits – IE, Edge, and Office. That’s not to say there weren’t any interesting products that were patched. For example, the remote protocols SAM and LSAD came under fire with the “Badlock” vulnerability, which is susceptible to a man-in-the-middle attack. Additionally, Adobe Flash Player (which seems to now be integrated with Patch Tuesday) addresses an actively exploited vulnerability which allows for arbitrary remote code execution! Overall, 40 vulnerabilities were patched, making this a moderately sized Patch Tuesday.

MS16-037: Cumulative Security Update for Internet Explorer (3148531)

First off, Internet Explorer gets its monthly dose of patches which resolves a DLL hijack, an information disclosure, and four memory corruption vulnerabilities. These memory corruption vulnerabilities could allow an attacker to exploit them remotely via a specially crafted website, giving this bulletin a critical rating.

MS16-038: Cumulative Security Update for Microsoft Edge (3148532)

Edge also receives its monthly dose of patches, resolving two elevation of privilege and four memory corruption vulnerabilities. Much like IE, this bulletin is critically rated due to the remote exploitation potential of the memory corruption vulnerabilities.

MS16-039: Security Update for Microsoft Graphics Component (3148522)

Next up, Microsoft Graphics is patched for a critical memory corruption vulnerability and three elevation of privilege (EoP) vulnerabilities. The EoP vulnerabilities are caused by Windows’ kernel-mode driver not properly handling objects in memory and can allow an attacker to run arbitrary code in kernel mode. The memory corruption vulnerability is caused by improperly handling embedded fonts which an attacker can implant within a document or webpage.

MS16-040: Security Update for Microsoft XML Core Services (3148541)

XML Core Services is patched this month for a critical remote code execution vulnerability. The issue lies within the MSXML parser when trying to process user input. An attacker could exploit the vulnerability by hosting a malicious website designed to invoke MSXML through Internet Explorer.

MS16-041: Security Update for .NET Framework (3148789)

.NET is patched for a vulnerability which occurs from not validating user input on library loading. Successful exploitation could allow an attacker to take control of the affected machine if they had access to the local filesystem. Users whose accounts are configured with fewer privileges are less impacted because exploitation occurs in the same account context.

MS16-042: Security Update for Microsoft Office – Critical (3148775)

This bulletin resolves four memory corruption vulnerabilities within Microsoft Office. The issue involves Office not properly handling objects in memory, allowing a remote attacker to execute arbitrary code in the context of the current user. Three of these vulnerabilities are rated as “important”; however, for CVE-2016-0127 the attack vector is through the Preview Pane and it is considered critical.

MS16-044: Security Update for Windows OLE (3146706)

Windows OLE is patched for an important vulnerability caused by improper validation of user input. A remote attacker could convince a user to open a malicious file or webpage and execute arbitrary code.

MS16-045: Security Update for Windows Hyper-V (3143118)

Next in line, Hyper-V is patched for three vulnerabilities consisting of a remote code execution and two information disclosures. These vulnerabilities are caused by Hyper-V failing to validate input from an authenticated user on a guest operating system. Note, however, the Hyper-V role must be enabled on the system for this vulnerability to be applicable.

MS16-046: Security Update for Secondary Logon (3148538)

This bulletin resolves an issue with the Secondary Logon service of Windows 10 systems. An attacker could potentially elevate their privileges and execute code in the Administrator context. This issue is caused by Secondary Logon failing to manage requests in memory.

MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527)

The Security Account Manager (SAM) and Local Security Authority Domain Policy (LSAD) remote protocols have come under fire recently, as this bulletin resolves a Remote Procedure Call (RPC) downgrade vulnerability, which occurs during the establishment of an RPC channel when accepting authentication levels. A man-in-the-middle attacker could force a downgrade and then impersonate an authenticated user. This vulnerability was discovered by Stefan Metzmacher of the international Samba Core Team, who labeled it “Badlock.” Note that there are several exploitation proof-of-concepts circulating, so this vulnerability should not be taken lightly.
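The design lesson behind a downgrade of this kind is that a client must compare the protection level the server acknowledges with the level it asked for, rather than simply adopting whatever comes back. The following is an added example for this write-up, a constructed model of the bind/bind_ack round trip and not Microsoft's RPC runtime. The level numbers are the Windows `RPC_C_AUTHN_LEVEL_*` values; the message classes, the `server_accept` behaviour and the in-transit rewrite are invented to show the difference between a client that enforces a floor and one that does not.

```python
"""Client-side floor on the negotiated RPC authentication level.

Added example for the MS16-047 (Badlock) write-up; a constructed model of the
exchange, not Microsoft's RPC runtime. The level numbers are the Windows
RPC_C_AUTHN_LEVEL_* values; the message classes and the in-transit rewrite are
invented to show why the client must check the acknowledged level against what
it requested.
"""
from dataclasses import dataclass

AUTHN_LEVEL = {
    "NONE": 1, "CONNECT": 2, "CALL": 3, "PKT": 4, "PKT_INTEGRITY": 5, "PKT_PRIVACY": 6,
}
LEVEL_NAME = {v: k for k, v in AUTHN_LEVEL.items()}


@dataclass(frozen=True)
class Bind:          # client -> server: the protection level the client wants
    auth_level: int


@dataclass(frozen=True)
class BindAck:       # server -> client: the level the server will actually apply
    auth_level: int


def server_accept(bind: Bind) -> BindAck:
    """A server that applies whatever level it was asked for (constructed behaviour)."""
    return BindAck(bind.auth_level)


def downgraded_in_transit(bind: Bind) -> Bind:
    """The bulletin's scenario: the request reaches the server with a weaker level than the client sent."""
    return Bind(AUTHN_LEVEL["CONNECT"])


def client_check(requested: int, ack: BindAck, enforce_floor: bool) -> tuple:
    """Return (accepted, reason). enforce_floor=True is the behaviour the fix is meant to guarantee."""
    if not enforce_floor:
        return True, "accepted %s without comparing to the request" % LEVEL_NAME[ack.auth_level]
    if ack.auth_level < requested:
        return False, "rejected: asked for %s, offered %s" % (LEVEL_NAME[requested], LEVEL_NAME[ack.auth_level])
    return True, "accepted %s" % LEVEL_NAME[ack.auth_level]


def run_exchange(enforce_floor: bool, tampered: bool) -> bool:
    """Drive one bind/bind_ack round trip and return whether the client proceeds with the channel."""
    requested = AUTHN_LEVEL["PKT_PRIVACY"]
    bind = Bind(requested)
    if tampered:
        bind = downgraded_in_transit(bind)
    ack = server_accept(bind)
    accepted, _reason = client_check(requested, ack, enforce_floor)
    return accepted


if __name__ == "__main__":
    for floor in (False, True):
        for tampered in (False, True):
            print("enforce_floor=%s tampered=%s -> proceeds=%s" % (floor, tampered, run_exchange(floor, tampered)))
```

The only combination in which the client proceeds over a weakened channel is `enforce_floor=False` with a tampered request; once the floor is enforced, the same tampering produces a rejected bind instead of an impersonation opportunity. The same principle applies to any negotiated security parameter: the acknowledged value is input to a check, not the source of truth.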

MS16-048: Security Update for CSRSS (3148528)

Next, the Client/Server Runtime Subsystem (CSRSS) is patched for a security bypass vulnerability which an attacker could exploit to run arbitrary code in the Administrator context. The issue is caused by CSRSS failing to validate process tokens in memory.

MS16-049: Security Update for HTTP.sys (3148795)

This bulletin addresses a Denial of Service vulnerability within Windows’ HTTP driver. The issue arises when HTTP.sys improperly parses specially crafted HTTP 2.0 requests causing the affected system to become unresponsive.

MS16-050: Security Update for Adobe Flash Player (3154132)

Last, but certainly not least, Adobe Flash Player is patched for ten vulnerabilities affecting Windows 8.1-and-above systems. The vulnerabilities can allow a remote attacker to execute arbitrary code and there are reports of CVE-2016-1019 being actively exploited prior to this bulletin release.


March 2016 Patch Tuesday

March’s Patch Tuesday includes five Critical and eight Important bulletins addressing a total of 43 vulnerabilities. Internet Explorer receives its monthly dose of security fixes, however, Edge seems to be following close behind with a whopping 11 vulnerabilities being patched. Additionally, many elevation of privilege and security feature bypasses are addressed, the most interesting perhaps is for a potential USB flash drive attack in MS16-033.

MS16-023: Cumulative Security Update for Internet Explorer (3142015)

Starting off this Patch Tuesday, Internet Explorer is patched for 13 critical remote code execution vulnerabilities, caused by memory corruption due to improperly handling objects in memory. To exploit these, an attacker would likely host a malicious website and entice the victim to browse to it.

MS16-024: Cumulative Security Update for Microsoft Edge (3142019)

Edge is patched again this month for one information disclosure and ten memory corruption vulnerabilities which can allow a remote attacker to execute arbitrary code. As was the case with IE, a typical attack scenario would involve an attacker hosting a malicious website, although another potential attack vector is through web-advertising (malvertising).

MS16-025: Security Update for Windows Library Loading to Address Remote Code Execution (3140709)

Another DLL hijacking vulnerability is addressed in Windows which can allow arbitrary code to be run in the context of the current user. Successful exploitation requires an attacker to already have access to the filesystem and to plant a malicious DLL within the directory of the affected application.
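The precondition in every DLL-loading bulletin on this page (MS16-025 here, and the same pattern in MS16-058, MS16-041 and MS16-078) is that a directory a low-privileged user can write to is searched before the directory that holds the legitimate library. The following model of the documented Windows search order is an added example, not Microsoft's loader code; it shows where the `SafeDllSearchMode` setting moves the current directory, and which placements no setting protects against. The directory names, the files "present" on the modelled filesystem and the user-writable set are constructed, and the KnownDLLs list is an illustrative subset.

```python
"""Windows DLL search order, modelled with SafeDllSearchMode on and off.

Added example for the DLL-planting bulletins on this page (MS16-025, and the
same loading pattern in MS16-058, MS16-041 and MS16-078); it is a model of the
documented search order, not Microsoft's loader code. Directory names and the
files "present" on disk are constructed; the KnownDLLs list is an illustrative subset.
"""
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}  # subset, illustrative

# Constructed scenario.
APP_DIR = r"C:\Program Files\ExampleApp"
CWD = r"C:\Users\alice\Downloads"          # a directory an ordinary user can write to
PATH_DIRS = [r"C:\Tools"]
USER_WRITABLE = {CWD, r"C:\Tools"}
FILES_PRESENT = {
    p.lower() for p in [
        str(PureWindowsPath(SYSTEM32, "helper.dll")),
        str(PureWindowsPath(CWD, "helper.dll")),       # same name sitting in the working directory
        str(PureWindowsPath(SYSTEM32, "kernel32.dll")),
    ]
}


def dll_search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Documented order: SafeDllSearchMode moves the current directory behind the system directories."""
    system_dirs = [SYSTEM32, SYSTEM16, WINDIR]
    if safe_dll_search_mode:
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]


def resolve_dll(name, order, files_present):
    """First directory in 'order' holding 'name'; KnownDLLs are always taken from System32."""
    if name.lower() in KNOWN_DLLS:
        return str(PureWindowsPath(SYSTEM32, name))
    for directory in order:
        candidate = str(PureWindowsPath(directory, name))
        if candidate.lower() in files_present:
            return candidate
    return None


def planting_risk(name, order, files_present, user_writable_dirs):
    """'user-writable-dir' when the winning directory is one a standard user can write to."""
    hit = resolve_dll(name, order, files_present)
    if hit is None:
        return "unresolved"
    parent = str(PureWindowsPath(hit).parent).lower()
    return "user-writable-dir" if parent in {d.lower() for d in user_writable_dirs} else "ok"


def scenario(safe_dll_search_mode: bool) -> str:
    """Resolve the constructed helper.dll under the chosen search mode and classify the outcome."""
    order = dll_search_order(APP_DIR, CWD, PATH_DIRS, safe_dll_search_mode)
    return planting_risk("helper.dll", order, FILES_PRESENT, USER_WRITABLE)


if __name__ == "__main__":
    print("SafeDllSearchMode on :", scenario(True))    # System32 wins -> ok
    print("SafeDllSearchMode off:", scenario(False))   # Downloads wins -> user-writable-dir
```

With `SafeDllSearchMode` on (the default), the copy in `System32` wins and the result is `ok`; with it off, the working directory is searched first and the model reports `user-writable-dir`. Note what the setting does not cover: the application directory is searched first in both modes, so an application installed in a user-writable location, which is the MS16-025 precondition, resolves a planted library regardless. The audit questions that follow from the model are whether the application directory is ACL-protected and whether the application loads its libraries by fully qualified path.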

MS16-026: Security Update for Graphic Fonts to Address Remote Code Execution (3143148)

Font parsing strikes again this month, offering up one denial of service and one remote code execution vulnerability. These issues exist due to the Windows Adobe Type Manager Library improperly handling OpenType fonts, and typical attack vectors involve malicious documents or webpages in which the fonts are embedded. Windows 10 provides some extra protection, however, because it can limit code execution to an AppContainer sandbox context with limited privileges and capabilities.

MS16-027: Security Update for Windows Media to Address Remote Code Execution (3143146)

This bulletin resolves two critical vulnerabilities within Windows Media Player which can lead to remote code execution. An attacker could entice their victim to view specially crafted media content through a website or via email attachments.

MS16-028: Security Update for Microsoft Windows PDF Library to Address Remote Code Execution (3143081)

Windows PDF Library is back with two remote code execution vulnerabilities which occur when opening a specially crafted PDF file. Only systems running Windows 8.1 and above (including Windows 10) are affected.

MS16-029: Security Update for Microsoft Office to Address Remote Code Execution – Important (3141806)

And what is a Patch Tuesday without our dear friend Microsoft Office? This month brings only one security feature bypass and two memory corruption vulnerabilities. The security bypass is due to an invalidly signed binary; an attacker could take advantage of this by crafting a similarly configured binary to host malicious code. The two memory corruption vulnerabilities can potentially allow remote code execution upon opening specially crafted documents.

MS16-030: Security Update for Windows OLE to Address Remote Code Execution (3143136)

This bulletin resolves two remote code execution vulnerabilities within Windows OLE that affect all systems from Vista and above. These issues arise from OLE not properly validating user input and can be exploited through the three most common attack vectors – opening files, viewing emails, and visiting websites.

MS16-031: Security Update for Microsoft Windows to Address Elevation of Privilege (3140410)

Windows itself is patched for an elevation of privilege vulnerability stemming from improper validation and enforcement of impersonation levels. Exploitation requires an attacker to have valid credentialed access to the system where they would run a specially crafted application to raise their privileges. Windows 8.1 and above systems are not affected, limiting the target scope for this vulnerability.

MS16-032: Security Update for Secondary Logon to Address Elevation of Privilege (3143141)

This bulletin addresses another elevation of privilege vulnerability; this one, however, affects all systems from Vista and above. The issue lies within the Secondary Logon Service, which fails to properly manage request handles in memory.

MS16-033: Security Update for Windows USB Mass Storage Class Driver to Address Elevation of Privilege (3143142)

The USB flash drive attack vector makes an appearance this month with an elevation of privilege vulnerability within the Windows USB Mass Storage Class Driver. Exploitation requires credentialed as well as physical access to the system and can be achieved when inserting a USB drive into the machine.

MS16-034: Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege (3143145)

Windows’ Kernel Mode Drivers fall victim to more abuse with this bulletin addressing four elevation of privilege vulnerabilities. Similar to the previous EoP bulletins, these vulnerabilities require credentialed access to the system in which an attacker would run a specially crafted program to take control of the entire system.

MS16-035: Security Update for .NET Framework to Address Security Feature Bypass (3141780)

Finally, the beloved .NET framework is patched for a security feature bypass which is caused by improper validation on certain elements of a signed XML document. An attacker could exploit this to modify an XML document with arbitrary data, without invalidating the associated signature.
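The .NET bypass above is a reminder that "the signature verifies" and "the data I am about to use is what was signed" are two different statements. The following added example (not code from the bulletin or from Microsoft) demonstrates the distinction with a deliberately simplified signed document: an HMAC over the canonical form of the referenced element stands in for a real XMLDSig signature, and the `Envelope`/`Body`/`Signature` element names, the `DEMO_KEY` and the `Amount` values are all constructed for the demo. A naive verifier finds an element carrying the referenced `Id`, checks the signature over it and then reads the payload by path; a strict verifier returns the exact element it verified and the application reads only from that object.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed demo key. Real XMLDSig uses asymmetric keys and a full canonicalization
# profile; the HMAC here only stands in for "a signature over the referenced element".
DEMO_KEY = b"constructed-demo-key"


def _canonical(elem: ET.Element) -> bytes:
    """Serialize one element (without its tail text) in canonical form for digesting."""
    clone = copy.deepcopy(elem)
    clone.tail = None
    return ET.canonicalize(ET.tostring(clone, encoding="unicode")).encode()


def _mac(elem: ET.Element) -> str:
    return hmac.new(DEMO_KEY, _canonical(elem), hashlib.sha256).hexdigest()


def sign(envelope: ET.Element, element_id: str) -> None:
    """Append a <Signature> covering the element whose Id attribute equals element_id."""
    target = next(e for e in envelope.iter() if e.get("Id") == element_id)
    sig = ET.SubElement(envelope, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + element_id)
    ET.SubElement(sig, "SignatureValue").text = _mac(target)


def _reference(envelope: ET.Element):
    sig = envelope.find("Signature")
    return sig, sig.find("Reference").get("URI").lstrip("#")


def naive_verify(envelope: ET.Element) -> bool:
    """Weak check: 'some element with that Id verifies' says nothing about what gets used."""
    sig, ref_id = _reference(envelope)
    target = next(e for e in envelope.iter() if e.get("Id") == ref_id)
    return hmac.compare_digest(_mac(target), sig.find("SignatureValue").text)


def strict_verify(envelope: ET.Element) -> Optional[ET.Element]:
    """Return the verified element, or None. The caller must read data only from it."""
    sig, ref_id = _reference(envelope)
    matches = [e for e in envelope.iter() if e.get("Id") == ref_id]
    if len(matches) != 1:  # a duplicated or missing Id is itself a red flag
        return None
    target = matches[0]
    if target.tag != "Body" or target not in list(envelope):  # must be the root's own Body
        return None
    if not hmac.compare_digest(_mac(target), sig.find("SignatureValue").text):
        return None
    return target


def naive_amount(envelope: ET.Element) -> Optional[int]:
    """Verifies 'a signature', then reads the payload by path: the two can disagree."""
    if not naive_verify(envelope):
        return None
    return int(envelope.find("Body/Amount").text)


def strict_amount(envelope: ET.Element) -> Optional[int]:
    """Reads the payload only from the element the verifier actually checked."""
    body = strict_verify(envelope)
    return None if body is None else int(body.find("Amount").text)


def make_signed_envelope() -> ET.Element:
    """Constructed sample document with a signed Body."""
    env = ET.fromstring('<Envelope><Body Id="body"><Amount>100</Amount></Body></Envelope>')
    sign(env, "body")
    return env


def wrap_attack(envelope: ET.Element) -> ET.Element:
    """Constructed tamper case for testing the verifier: the signed Body is kept intact
    (so its digest still matches) but moved under an unsigned wrapper, and an unsigned
    Body is placed where the application looks for it."""
    env = copy.deepcopy(envelope)
    original = env.find("Body")
    env.remove(original)
    ET.SubElement(env.find("Signature"), "Wrapper").append(original)
    forged = ET.Element("Body")
    ET.SubElement(forged, "Amount").text = "1000000"
    env.insert(0, forged)
    return env
```

Run `naive_amount` and `strict_amount` over `make_signed_envelope()` and over `wrap_attack(make_signed_envelope())`: both return 100 for the clean document, but on the tampered one the naive path happily returns the forged amount while the strict path rejects the document. The design points are the ones that matter for any signed-XML consumer, whatever library verifies the signature: require the referenced `Id` to be unique, pin the referenced element to the position the application expects, and hand the verified element back to the caller instead of a bare boolean.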


February 2016 Patch Tuesday

February’s Patch Tuesday contains some new aspects which have not been seen in months past. One is the inclusion of Adobe Flash Player, which is usually disclosed in Microsoft Security Advisories. Additionally, Windows Reader and the PDF Library join the party, signifying that Microsoft apps may be a new target for attackers and security researchers. Finally, MS16-009 makes its appearance after being absent from January’s Patch Tuesday. Overall, this month consists of 13 bulletins, six of which are critically-rated. 63 vulnerabilities are addressed in total, with 22 coming from Adobe Flash Player.

MS16-009: Cumulative Security Update for Internet Explorer (3134220)

Starting off this month, Internet Explorer is updated for one DLL hijacking, one information disclosure, eight memory corruption, one spoofing, and two elevation of privilege vulnerabilities, totaling 13 in all. What sets this update apart from any other IE update is that this month only targets three versions of IE – 9, 10, and 11 – due to Microsoft ending support for other versions last month.

MS16-011: Cumulative Security Update for Microsoft Edge (3134225)

Skipping over MS16-010, this update addresses one spoofing, one ASLR bypass, and four memory corruption vulnerabilities within the Edge browser. The worst of these are the memory corruption issues, since these types of vulnerabilities almost always lead to code execution.

MS16-012: Security Update for Microsoft Windows PDF Library to Address Remote Code Execution (3138938)

New to the vulnerability scene is Windows Reader, which is only available on Windows 8.1 and above via the app store. This update resolves two issues: Windows’ PDF Library contains a classic buffer overflow, while Reader suffers from memory corruption, making this bulletin critically-rated.

MS16-013: Security Update for Windows Journal to Address Remote Code Execution (3134811)

This bulletin updates Journal for one memory corruption vulnerability potentially leading to remote code execution when opening a specially crafted Journal file. Exploitation is limited to the rights of the user who opens the malicious file, so as always, it’s important to practice the principle of least privilege.

MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228)

This important-rated bulletin updates an elevation of privilege, a Kerberos security bypass, and three DLL hijacking vulnerabilities. The Kerberos bypass is the result of failing to check when a user’s password has been changed. Meanwhile, the DLL hijacking vulnerabilities require an attacker to have prior access to the file system in order to plant malicious DLL files which execute arbitrary code.

MS16-015: Security Update for Microsoft Office to Address Remote Code Execution (3134226)

Office rears its monthly flaws, consisting of one cross-site scripting and six memory corruption vulnerabilities. For three of these memory corruption vulnerabilities, the preview pane within various Office products is the attack vector. Typical attack scenarios involve email phishing attacks and malicious website hosting, reminding us that it’s important to exercise caution whenever opening email attachments or visiting unknown webpages.

MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041)

For this bulletin, Microsoft’s Web Distributed Authoring and Versioning (WebDAV) is updated for one elevation of privilege vulnerability. The issue is caused by improper validation of user input. An attacker would already need access to the system to run a specially crafted application, exploiting this vulnerability to run arbitrary code with elevated privileges.

MS16-017: Security Update for Remote Desktop Display Driver to Address Elevation of Privilege (3134700)

RDP is back with one elevation of privilege vulnerability. Similar to MS16-016, this vulnerability requires an attacker to already have access to a target system in order to execute a specially crafted application locally.

MS16-018: Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege (3136082)

This bulletin updates another elevation of privilege vulnerability within Windows kernel-mode drivers. Specifically, the win32k.sys driver does not properly handle objects in memory allowing an attacker to use this in conjunction with other attacks to further compromise a system.

MS16-019: Security Update for .NET Framework to Address Denial of Service (3137893)

The .NET framework is updated for one memory corruption and one information disclosure vulnerability. The memory corruption vulnerability, due to a classic stack overflow from improperly handling XSLT transformations, results only in a denial of service, rendering this bulletin as important-rated.
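The failure mode in this bulletin is a general one: a document parser that recurses as deeply as the input nests lets the sender choose the stack depth. The following added example (not code from the bulletin or from .NET) shows, in Python rather than the .NET XSLT engine, both the vulnerable pattern and the mitigation: `naive_depth` recurses over the tree and falls over on deeply nested input, while `check_nesting` walks the same input as a stream of start/end events in constant stack space and rejects it once a depth limit is exceeded, before any recursive processing sees it. The `MAX_DEPTH` limit of 64 and the `nested_document` generator are constructed for the demo; a real limit depends on what the application legitimately processes.

```python
import io
import xml.etree.ElementTree as ET

MAX_DEPTH = 64  # assumed policy limit for this demo; tune it to legitimate documents


class NestingTooDeep(ValueError):
    """Raised when an XML document nests elements deeper than the configured limit."""


def nested_document(levels: int) -> bytes:
    """Constructed input: <a><a>...</a></a> nested `levels` deep, no other content."""
    return ("<a>" * levels + "</a>" * levels).encode()


def naive_depth(elem: ET.Element) -> int:
    """The pattern the vulnerable code follows: recursion whose depth is set by the input."""
    return 1 + max((naive_depth(child) for child in elem), default=0)


def naive_overflows(xml_bytes: bytes) -> bool:
    """True when the recursive walk exhausts the interpreter's stack (RecursionError here;
    in unmanaged code the equivalent is a crash and a denial of service)."""
    try:
        naive_depth(ET.fromstring(xml_bytes))
        return False
    except RecursionError:
        return True


def check_nesting(xml_bytes: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Stream the document as start/end events and reject it as soon as nesting exceeds
    max_depth. Returns the deepest level seen on success. The loop is iterative, so the
    check itself costs constant stack space no matter how the input is shaped."""
    depth = deepest = 0
    for event, _ in ET.iterparse(io.BytesIO(xml_bytes), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > max_depth:
                raise NestingTooDeep(f"element nesting exceeds {max_depth}")
            deepest = max(deepest, depth)
        else:
            depth -= 1
    return deepest


def safe_to_transform(xml_bytes: bytes, max_depth: int = MAX_DEPTH) -> bool:
    """Gate to run before handing untrusted XML to a recursive transform."""
    try:
        check_nesting(xml_bytes, max_depth)
        return True
    except NestingTooDeep:
        return False
```

The gate is cheap enough to run on every inbound document, and it turns "unbounded recursion on attacker-shaped input" into a clean, loggable rejection at the boundary.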

MS16-020: Security Update for Active Directory Federation Services to Address Denial of Service (3134222)

This bulletin updates a denial of service vulnerability within Active Directory Federation Services (ADFS). The vulnerability stems from improperly handling user supplied data during forms-based authentication, causing the server to become non-responsive.

MS16-021: Security Update for Network Policy Server RADIUS implementation to Address Denial of Service (3133043)

Another denial of service vulnerability exists within Network Policy Server. This vulnerability occurs when an attacker supplies specially crafted usernames to the server, preventing RADIUS authentication and resulting in a denial of service.
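A RADIUS server that trusts the length fields inside an Access-Request, or that forwards whatever bytes arrive in User-Name to the rest of its authentication pipeline, is exactly the kind of component that a crafted username can wedge. The following added example (not code from the bulletin, from NPS or from any RADIUS implementation) is a strict parser for the RFC 2865 packet and attribute layout: it checks the packet Length field against what was received, bounds-checks every attribute's length byte, and applies a local policy to User-Name (exactly one occurrence, 1 to 253 bytes, valid UTF-8, no control characters). The policy of requiring exactly one User-Name is stricter than the RFC's SHOULD and is an assumption of this demo, as are the sample packets built by `sample_packets`.

```python
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
MIN_PACKET = 20     # code, identifier, length, 16-byte authenticator
MAX_PACKET = 4096   # RFC 2865 upper bound on the Length field
MAX_USERNAME = 253  # largest value a one-byte attribute length can carry (255 - 2)


class MalformedRadius(ValueError):
    """Raised for any packet that must be dropped rather than authenticated."""


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk Type/Length/Value triples, refusing lengths that do not fit the packet."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise MalformedRadius("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2:  # length counts the two header bytes, so 0 or 1 is impossible
            raise MalformedRadius(f"attribute {atype} has impossible length {alen}")
        if pos + alen > len(data):
            raise MalformedRadius(f"attribute {atype} runs past end of packet")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_access_request(packet: bytes) -> Dict[str, object]:
    """Validate header, attributes and User-Name policy; return the decoded fields."""
    if len(packet) < MIN_PACKET:
        raise MalformedRadius("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise MalformedRadius(f"unexpected code {code}")
    if not MIN_PACKET <= length <= MAX_PACKET:
        raise MalformedRadius(f"length field {length} out of range")
    if length > len(packet):
        raise MalformedRadius("length field exceeds bytes received")
    authenticator = packet[4:20]
    # RFC 2865: octets beyond Length are padding to be ignored, so never parse them.
    attrs = parse_attributes(packet[20:length])
    names = [value for atype, value in attrs if atype == ATTR_USER_NAME]
    if len(names) != 1:  # local policy for this demo; the RFC only says SHOULD
        raise MalformedRadius("Access-Request must carry exactly one User-Name")
    raw = names[0]
    if not 1 <= len(raw) <= MAX_USERNAME:
        raise MalformedRadius("User-Name length out of range")
    try:
        user_name = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise MalformedRadius("User-Name is not valid UTF-8") from None
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in user_name):
        raise MalformedRadius("User-Name contains control characters")
    return {"id": ident, "authenticator": authenticator,
            "user_name": user_name, "attributes": attrs}


def is_acceptable(packet: bytes) -> bool:
    try:
        parse_access_request(packet)
        return True
    except MalformedRadius:
        return False


def build_access_request(ident: int, attrs: List[Tuple[int, bytes]],
                         authenticator: Optional[bytes] = None) -> bytes:
    """Encode a well-formed Access-Request (used here only to construct samples)."""
    if any(len(v) > MAX_USERNAME for _, v in attrs):
        raise ValueError("attribute value too long for a one-byte length")
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    auth = authenticator if authenticator is not None else os.urandom(16)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, MIN_PACKET + len(body)) + auth + body


def sample_packets() -> Dict[str, bytes]:
    """Constructed packets: one clean request and several malformed User-Name cases."""
    zero_auth = b"\x00" * 16
    good = build_access_request(7, [(ATTR_USER_NAME, b"alice"),
                                    (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))], zero_auth)
    return {
        "good": good,
        # attribute length byte of 0: a parser that trusts it never advances
        "zero_length": struct.pack("!BBH", ACCESS_REQUEST, 9, 22) + zero_auth + b"\x01\x00",
        # length byte claims 10 bytes but only 3 follow: reads past the buffer
        "overlong": struct.pack("!BBH", ACCESS_REQUEST, 9, 25) + zero_auth + b"\x01\x0abob",
        "control_chars": build_access_request(3, [(ATTR_USER_NAME, b"ali\x00ce")], zero_auth),
        "truncated": good[:25],
    }
```

Every rejection is a distinct exception message, which is what you want to log: a burst of `runs past end of packet` or `impossible length` from one NAS address is a detection signal in its own right, separate from failed authentications.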

MS16-022: Security Update for Adobe Flash Player (3135782)

Last but not least, Adobe Flash Player is included in a Microsoft bulletin for the first time, whereas up to this point, issues were previously disclosed in Microsoft Security Advisories. This bulletin corresponds to Adobe’s own APSB16-04 advisory which contains 22 serious vulnerabilities affecting Internet Explorer and Edge, making this a critically-rated bulletin.


January 2016 Patch Tuesday

The New Year brings with it a new Patch Tuesday, with this month’s vulnerability count totaling 30. A surprising new twist is that Internet Explorer is only patched for two vulnerabilities this month, possibly due to Microsoft’s discontinued support for IE 8, 9, and 10. Also, MS16-009 was left out of the loop, so we’ll be anticipating it to pop up in February.

MS16-001: Cumulative Security Update for Internet Explorer (3124903)

Starting off the year, this critically-rated update resolves just two vulnerabilities within Internet Explorer. IE’s VBScripting engine continues to be a popular target among researchers and is responsible for another memory corruption vulnerability this month. Accompanying it is an elevation-of-privilege vulnerability arising from IE improperly enforcing cross-domain policies.

MS16-002: Cumulative Security Update for Microsoft Edge (3124904)

Edge is also updated for just two vulnerabilities, however in this case, both are caused by memory corruption potentially leading to remote code execution. In a typical attack scenario, an attacker will host a specially crafted website and convince the victim to browse to it. That said, successful exploitation is limited to the rights of the current user.

MS16-003: Cumulative Security Update for JScript and VBScript to Address Remote Code Execution (3125540)

This bulletin addresses a memory corruption vulnerability within Microsoft’s JScript and VBScript engines and is also the underlying cause of Internet Explorer’s memory corruption vulnerability. As was the case with IE, remote code execution is possible making this a critically-rated vulnerability.

MS16-004: Security Update for Microsoft Office to Address Remote Code Execution (3124585)

Office returns this year with five vulnerabilities, two of which are memory corruptions potentially leading to remote code execution. These issues are caused by improper handling of objects in memory. Two security feature bypasses are also patched in SharePoint which allowed attackers to conduct cross-site scripting attacks. Finally, an ASLR bypass is fixed which doesn’t allow arbitrary code execution on its own, but can assist an attacker in successfully exploiting a separate vulnerability.

MS16-005: Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution (3124584)

Kernel mode drivers are back this year with remote code execution and ASLR bypass vulnerabilities. The remote code execution vulnerability was publicly disclosed as CVE-2016-0009; however, Microsoft was unaware of any attacks that utilized it.

MS16-006: Security Update for Silverlight to Address Remote Code Execution (3126036)

The Silverlight runtime is patched for a critical remote code execution vulnerability when decoding strings. An attacker can utilize a specially crafted decoder to replace unsafe object headers with malicious content. Successful exploitation can lead to arbitrary code execution with the same permissions as the current user.

MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901)

This bulletin addresses four DLL hijacking vulnerabilities, a security feature bypass within RDP, and a heap corruption vulnerability within DirectShow. The RDP vulnerability allows remote logon to accounts without passwords on Windows 10 hosts running RDP services.

MS16-008: Security Update for Windows Kernel to Address Elevation of Privilege (3124605)

The Windows kernel is patched for two privilege escalation vulnerabilities caused by the handling of mount points while validating reparse points set by sandboxed applications. Once successfully exploited, an attacker could utilize this vulnerability in conjunction with a code execution vulnerability to take complete control of a system.

MS16-010: Security Update for Microsoft Exchange Server to Address Spoofing (3124557)

Finishing up the month, Exchange Server is patched for four address spoofing vulnerabilities. The issues lie within Outlook Web Access when improperly handling certain web requests, allowing remote attackers to perform script or injection attacks.