April Patch Tuesday 2016


April’s Patch Tuesday is looking and sounding like a spring weather forecast.  The forecast is calling for rain, but it turned out to be partly cloudy.  There has been some mixed feelings about a newly announced vulnerability, or vulnerabilities as it were, in Samba.

Badlock is a vulnerability recently identified in Windows and Samba. There are eight CVEs related to Badlock, categorized as man-in-the-middle and denial-of-service attacks. The primary CVE is CVE-2016-2118. This is a multi-vendor problem, so two CVEs were opened to track for each vendor.

CVE-2016-2118 is the vulnerability for Samba and CVE-2016-0128 is for Microsoft, and is related to MS16-047. CVE-2016-2110 describes a vulnerability in negotiation of NTLMSSP, which allows for a downgrade attack. Luckily, Windows 2003 and Vista have introduced ways to protect against this type of downgrade attack. The rest of the vulnerabilities are specific to Samba, versions 3.0.0 to 4.4.0.

Microsoft has released a total of 13 bulletins this Patch Tuesday, six of which are critical. Piecing the Badlock CVEs together, it seems the only MS Bulletin related to Badlock is MS16-047. This is an important update for SAM and LSAD Remote Protocols. Based on feedback from Badlock.org, PoC code will be introduced in the near future, so count this one as a public disclosure and treat it as a higher priority this month.

Aside from Badlock, there are three more public disclosures and three exploited in wild (Zero Days) this month. One of the three Zero Days is the Flash for IE Patch, which resolves 24 vulnerabilities, including CVE-2015-1019 Zero Day in Adobe Flash and AIR.

MS16-037 is the Internet Explorer Cumulative.  This bulletin is rated critical and resolves six CVEs, one of which is publicly disclosed (CVE-2016-0160). It’s important to note, many of the vulnerabilities can be mitigated by proper privilege management and use of the Enhanced Mitigation Experience Toolkit (EMET).

MS16-038 is an update for the Edge browser. This bulletin is also rated as critical and resolves six vulnerabilities. Similarly, most of the vulnerabilities are user-targeted and can be alleviated by proper privilege management.

MS16-039 is an update for Microsoft Graphics Component.  It is rated as critical and resolves four vulnerabilities, two of which have been detected in exploits in the wild.  The two Zero Days are CVE-2016-0165 and CVE-2016-0167, and should be considered a high priority for you this month. Three of the vulnerabilities require an attacker to first log on to the system, but if exploited, give the attacker full control of the target system. The fourth is a user-targeted attack where the attacker would convince the user to visit an untrusted webpage that contains embedded fonts.

MS16-041 is an update for Microsoft .Net Framework. The bulletin is rated as important, but includes a public disclosure (CVE-2016-0148).  To exploit this vulnerability, the attacker would need to gain access to the local system, with the ability to execute a malicious application. Although it’s rated as important, the fact that is has a public disclosure puts this bulletin at higher risk of exploit.

MS16-046 is an update for Secondary Logon. This update is also rated as important and includes a publicly disclosed vulnerability (CVE-2016-0135). The attacker must first log on to the system, but after doing so, could run a specially crafted application that could exploit the vulnerability and take control of the system. Again, even though this vulnerability is rated as important, because it has a public disclosure, it’s at higher risk of exploit.

Adobe recently dropped a Flash update on April 7, 2016, and today, they updated their blog to say it also applies to Adobe AIR. This update included 24 CVEs, but most importantly, CVE-2016-1019, which is being actively exploited. With this vulnerability, an attacker could cause a crash on vulnerable systems, allowing the attacker to take full control of the affected system. This is a high priority update and should be pushed out to all systems without delay.

For Flash updates, keep in mind you need to update the plug-in for all of your browsers that have Flash installed. Today, Microsoft released the critical update for Flash Player for IE, and Google Chrome’s update also supports the latest plug-in. So if you are like me and run IE, Chrome, and Firefox, you may need to apply four separate updates to fully patch these Flash vulnerabilities.

Oracle is releasing their quarterly CPU next week on April 19th. Java will have an update and it will be critical, so be prepared for that. The January CPU included fixes for eight CVEs, seven of which were remotely exploitable without credentials and three that had CVSS scores of 10.0. Although it may sound like a lot, this was actually a smaller update, compared to 2015’s four. Last year, April 2015 was the smallest release with only 14 CVEs addressed, all of which were remotely exploitable without credentials and three that were CVSS 10.0.

Mozilla released Firefox 45.0.2 today, but reported no security fixes. This is great news and means we get a free pass on this one today! In case you’re counting, the last security Firefox update was Firefox 45, released on March 8, 2016.

I am going to end my Patch Tuesday blog  post with my new favorite quote from the closing statements of the Verizon 2015 Data Breach Investigations Report, specifically the section on Vulnerabilities: “The lesson here isn’t ‘Which of these should I patch?’ Figure 13 demonstrates the need for all those stinking patches on all your stinking systems. The real decision is whether a given vulnerability should be patched more quickly than your normal cycle or if it can just be pushed with the rest.”

Join us tomorrow for the April Patch Tuesday webinar where we will discuss the bulletins in more detail.