March Patch Tuesday 2016


March Patch Tuesday has a great deal of updates, but no public disclosures or exploited vulnerabilities as of yet. Let’s start with what we know for sure: Microsoft has released 13 bulletins, five of which are critical and eight are rated as important. With these bulletins, Microsoft is resolving 39 total vulnerabilities this month. On the non-Microsoft front, Adobe is releasing two bulletins, rated as Priority 2 and 3, that resolve four vulnerabilities. Additionally, Mozilla FireFox 45 has been released and is rated critical, as it resolves 22 vulnerabilities.

First, taking a closer look at Microsoft, we have critical updates for Internet Explorer (MS16-023) and Edge (MS16-024), as expected. These updates resolve 13 and 11 vulnerabilities, respectively. Microsoft’s claim that Edge is more secure appears to be valid, although this month’s activity does not make that big of a difference. So far in 2016, IE has had 27 vulnerabilities, as compared to Edge’s 19. As you would expect, the vulnerabilities resolved in both browsers involve exploiting a user through specially crafted web content. In this situation, an attacker who convinces a user to click on specific content can gain the same user rights as the actual user. If that user is a full admin, the attacker would gain complete control of the system, allowing them to create accounts, install, remove apps and delete data, among other things.

10 of the Microsoft updates affect Windows, including the other three critical updates from Microsoft. MS16-026 resolves vulnerabilities in graphic fonts, while MS16-027 resolves vulnerabilities in Windows Media and MS16-028 resolves vulnerabilities in Windows PDF Library. In all three cases, the attacker would exploit vulnerabilities by convincing a user to open specifically concocted files and media content. As a result, the attacker would gain equal privileges as the current user; so least-privilege rules will reduce the impact of these vulnerabilities. In the case of MS16-026, Windows 10 mitigates one of the vulnerabilities further by reducing the attacks privileges because they can only execute out of the sandbox.

Microsoft Office and Sharepoint are both affected by MS16-029, which is rated as important and resolves three vulnerabilities. For all of you ops guys out there, I know there is some uneasiness around patching Sharepoint because the updates cannot be rolled back easily if something goes wrong. If you are on a virtual machine, you can take a snapshot prior to the update. That way, if anything goes wrong, you can quickly revert back. If you are not yet virtualized, consider making the switch – doing so will make life a lot easier.

There are six more important updates affecting Windows components, including Kernel-Mode Drivers, USB Mass Storage Class Driver, Secondary Logon, and OLE. Last on the list is an update for .Net Framework. .Net is always interesting because you can have various versions on a machine. As a result, it can also take a bit longer to install updates for .Net. So, if your servers take a while to install updates, know that it’s due to multiple .Net versions requiring updates.

Now, switching to the non-Microsoft updates:

Mozilla has released FireFox 45, which resolves 22 total vulnerabilities, eight of which are critical. The vulnerabilities range from buffer overflows to font vulnerabilities, with the sheer number of updates making this update a priority for this month.

Adobe has released two bulletins so far. The first is APSB16-006, a Priority 3 update for Digital Editions that resolves a critical vulnerability. Although there is only one, it is critical and could lead to code execution; which makes me wonder about the priority. The second Adobe bulletin is for Adobe Acrobat and Reader. APSB16-009 resolves three vulnerabilities, including yet another critical that could lead to code execution. This bulletin is rated as a Priority 2.

While we haven’t seen it yet, there is evidence a Flash update could be on its way. If you look through the Flash Player distribution page, a new version has appeared, but none of the links have been updated to distribute it. This could signal the change in distribution that Adobe has warned us about for a few months now. Either way, if Flash Player drops, expect a bulletin from Microsoft for Flash for Internet Explorer, as well as an update from Google Chrome to support the latest plug-in and updates for Flash Player at the OS and FireFox plug-in levels.

Join us tomorrow for the March Patch Tuesday webinar where we will discuss the bulletins in more detail.