This document summarizes the May 2016 Patch Tuesday webinar. It includes overviews of security updates from Microsoft addressing vulnerabilities in Windows, Internet Explorer, Edge, Office and other programs. Updates are also available from Adobe to address vulnerabilities in Flash Player, Acrobat and Reader. The webinar agenda covers the overview of patches, known issues, bulletins and includes time for Q&A.
3. Best Practices
Privilege Management Mitigates Impact
High Threat Level vulnerabilities warrant fast rollout. 2 weeks or less is ideal to reduce exposure.
User Targeted – Whitelisting and Containerization mitigate
7. News
Adobe Zero Day update releasing tomorrow (MOST LIKELY)
Expect a Chrome update
Expect another Microsoft Security Bulletin
Firefox will also have an update to be deployed
QuickTime EOL for Windows
Apple says remove it!
Shavlik released QuickTime Removal Tool
Windows 10 Pro
GPO control of App Store not supported
AppSense Application Manager can still support this!
8. CSWU-024: Cumulative update for Windows 10: May 10, 2016
Maximum Severity: Critical
Affected Products: Windows 10, Edge, Internet Explorer, .Net Framework
Description: This update for Windows 10 includes functionality improvements and resolves the vulnerabilities in Windows that are
described in the following Microsoft security bulletins and advisory: MS16-051, MS16-052, MS16-055, MS16-056, MS16-057, MS16-060,
MS16-061, MS16-062, MS16-064, MS16-065, MS16-066
Impact: Remote Code Execution, Elevation of Privilege, Security Feature Bypass
Fixes 25 vulnerabilities:
CVE-2016-0149, CVE-2016-0168, CVE-2016-0169, CVE-2016-0170, CVE-2016-0171, CVE-2016-0173, CVE-2016-0174, CVE-2016-0175, CVE-2016-0176, CVE-2016-0178, CVE-2016-0179, CVE-2016-0180, CVE-2016-0181, CVE-2016-0182, CVE-2016-0184, CVE-2016-0186, CVE-2016-0187, CVE-2016-0188, CVE-2016-0189 (Exploited), CVE-2016-0191, CVE-2016-0192, CVE-2016-0193, CVE-2016-0194, CVE-2016-0195, CVE-2016-0196, CVE-2016-0197
Restart Required: Requires Restart
9. MS16-051: Cumulative Security Update for Internet Explorer (3155533)
Maximum Severity: Critical
Affected Products: Internet Explorer
Description: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow
remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the
vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker
could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with
full user rights.
Impact: Remote Code Execution
Fixes 5 vulnerabilities:
CVE-2016-0187, CVE-2016-0188 (Publicly Disclosed), CVE-2016-0189 (Exploited), CVE-2016-0192, CVE-2016-0194
Restart Required: Requires Restart
10. MS16-052: Cumulative Security Update for Microsoft Edge (3155538)
Maximum Severity: Critical
Affected Products: Edge
Description: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote
code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities
could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system
could be less impacted than users with administrative user rights.
Impact: Remote Code Execution
Fixes 4 vulnerabilities:
CVE-2016-0186, CVE-2016-0191, CVE-2016-0192, CVE-2016-0193
Restart Required: Requires Restart
11. MS16-053: Cumulative Security Update for JScript and VBScript (3156764)
Maximum Severity: Critical
Affected Products: Windows
Description: This security update resolves vulnerabilities in the JScript and VBScript scripting engines in Microsoft Windows. The
vulnerabilities could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited these
vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker
who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.
Impact: Remote Code Execution
Fixes 2 vulnerabilities:
CVE-2016-0187, CVE-2016-0189 (Exploited)
Restart Required: May Require Restart
12. MS16-054: Security Update for Microsoft Office (3155544)
Maximum Severity: Critical
Affected Products: Office, SharePoint
Description: This security update resolves vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if
a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the
context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than
those who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 4 vulnerabilities:
CVE-2016-0126, CVE-2016-0140, CVE-2016-0183, CVE-2016-0198
Restart Required: May Require Restart
13. MS16-055: Security Update for Microsoft Graphics Component (3156754)
Maximum Severity: Critical
Affected Products: Windows
Description: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow
remote code execution if a user opens a specially crafted document or visits a specially crafted website. Users whose accounts are
configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 5 vulnerabilities:
CVE-2016-0168, CVE-2016-0169, CVE-2016-0170, CVE-2016-0184, CVE-2016-0195
Restart Required: Requires Restart
14. MS16-056: Security Update for Windows Journal (3156761)
Maximum Severity: Critical
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution
if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less
impacted than users who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 1 vulnerability:
CVE-2016-0182
Restart Required: May Require Restart
15. MS16-057: Security Update for Windows Shell (3156987)
Maximum Severity: Critical
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution
if an attacker successfully convinces a user to browse to a specially crafted website that accepts user-provided online content, or convinces
a user to open specially crafted content. An attacker who successfully exploited this vulnerability could gain the same user rights as the
current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate
with administrative user rights.
Impact: Remote Code Execution
Fixes 1 vulnerability:
CVE-2016-0179
Restart Required: Requires Restart
16. MS16-064: Security Update for Adobe Flash Player (3157993)
Maximum Severity: Critical
Affected Products: Adobe Flash Player, Windows
Description: This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows
8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
Impact: Remote Code Execution
Fixes 24 vulnerabilities:
CVE-2016-1096, CVE-2016-1097, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1101, CVE-2016-1102, CVE-2016-1103, CVE-2016-1104, CVE-2016-1105, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4116
Restart Required: Requires Restart
17. MS16-065: Security Update for .NET Framework (3156757)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could cause information
disclosure if an attacker injects unencrypted data into the target secure channel and then performs a man-in-the-middle (MiTM) attack
between the targeted client and a legitimate server.
Impact: Information Disclosure
Fixes 1 vulnerability:
CVE-2016-0149 (Publicly Disclosed)
Restart Required: May Require Restart
18. APSA16-02 + APSB16-015: Security Advisory for Adobe Flash Player
Maximum Severity: Critical
Affected Products: Adobe Flash Player
Description: Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These
updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
• Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier. Please refer to APSA16-01 for details.
Impact: Remote Code Execution
Fixes 25 vulnerabilities:
CVE-2016-1096, CVE-2016-1097, CVE-2016-1098, CVE-2016-1099, CVE-2016-1100, CVE-2016-1101, CVE-2016-1102, CVE-2016-1103, CVE-2016-1104, CVE-2016-1105, CVE-2016-1106, CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110, CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111, CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115, CVE-2016-4116, CVE-2016-4117 (Exploited)
Restart Required: Requires Restart
19. APSB16-14: Security Updates Available for Adobe Acrobat and Reader
Maximum Severity: Important
Affected Products: Adobe Acrobat and Reader
Description: Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates
address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
Impact: Remote Code Execution
Fixes 82 vulnerabilities:
CVE-2016-1037, CVE-2016-1038, CVE-2016-1039, CVE-2016-1040, CVE-2016-1041, CVE-2016-1042, CVE-2016-1043, CVE-2016-1044, CVE-2016-1045, CVE-2016-1046, CVE-2016-1047, CVE-2016-1048, CVE-2016-1049, CVE-2016-1050, CVE-2016-1051, CVE-2016-1052, CVE-2016-1053, CVE-2016-1054, CVE-2016-1055, CVE-2016-1056, CVE-2016-1057, CVE-2016-1058, CVE-2016-1059, CVE-2016-1060, CVE-2016-1061, CVE-2016-1062, CVE-2016-1063, CVE-2016-1064, CVE-2016-1065, CVE-2016-1066, CVE-2016-1067, CVE-2016-1068, CVE-2016-1069, CVE-2016-1070, CVE-2016-1071, CVE-2016-1072, CVE-2016-1073, CVE-2016-1074, CVE-2016-1075, CVE-2016-1076, CVE-2016-1077, CVE-2016-1078, CVE-2016-1079, CVE-2016-1080, CVE-2016-1081, CVE-2016-1082, CVE-2016-1083, CVE-2016-1084, CVE-2016-1085, CVE-2016-1086, CVE-2016-1087, CVE-2016-1088, CVE-2016-1090, CVE-2016-1092, CVE-2016-1093, CVE-2016-1094, CVE-2016-1095, CVE-2016-1112, CVE-2016-1116, CVE-2016-1117, CVE-2016-1118, CVE-2016-1119, CVE-2016-1120, CVE-2016-1121, CVE-2016-1122, CVE-2016-1123, CVE-2016-1124, CVE-2016-1125, CVE-2016-1126, CVE-2016-1127, CVE-2016-1128, CVE-2016-1129, CVE-2016-1130, CVE-2016-4088, CVE-2016-4089, CVE-2016-4090, CVE-2016-4091, CVE-2016-4092, CVE-2016-4093, CVE-2016-4094, CVE-2016-4096, CVE-2016-4097, CVE-2016-4098, CVE-2016-4099, CVE-2016-4100, CVE-2016-4101, CVE-2016-4102, CVE-2016-4103, CVE-2016-4104, CVE-2016-4105, CVE-2016-4106, CVE-2016-4107
Restart Required:
20. MS16-058: Security Update for Windows IIS (3141083)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution
if an attacker with access to the local system executes a malicious application. An attacker who successfully exploited this vulnerability could
gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less
impacted than those who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 1 vulnerability:
CVE-2016-0152
Restart Required: Requires Restart
21. MS16-059: Security Update for Windows Media Center (3150220)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution
if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully
exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user
rights on the system could be less impacted than those who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 1 vulnerability:
CVE-2016-0185
Restart Required: May Require Restart
22. MS16-060: Security Update for Windows Kernel (3154846)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if
an attacker logs on to an affected system and runs a specially crafted application.
Impact: Elevation of Privilege
Fixes 1 vulnerability:
CVE-2016-0180
Restart Required: Requires Restart
23. MS16-061: Security Update for Microsoft RPC (3155520)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if
an unauthenticated attacker makes malformed Remote Procedure Call (RPC) requests to an affected host.
Impact: Elevation of Privilege
Fixes 1 vulnerability:
CVE-2016-0178
Restart Required: Requires Restart
24. MS16-062: Security Update for Windows Kernel-Mode Drivers (3158222)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow
elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
Impact: Elevation of Privilege
Fixes 7 vulnerabilities:
CVE-2016-0171, CVE-2016-0173, CVE-2016-0174, CVE-2016-0175, CVE-2016-0176, CVE-2016-0196, CVE-2016-0197
Restart Required: Requires Restart
25. MS16-066: Security Update for Virtual Secure Mode (3155451)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass
if an attacker runs a specially crafted application to bypass code integrity protections in Windows.
Impact: Security Feature Bypass
Fixes 1 vulnerability:
CVE-2016-0181
Restart Required: Requires Restart
26. MS16-067: Security Update for Volume Manager Driver (3155784)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if
a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user.
Impact: Information Disclosure
Fixes 1 vulnerability:
CVE-2016-0190
Restart Required: May Require Restart
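The bulletin slides above all share one layout (ID and KB number, Maximum Severity, Impact, a CVE list with "(Exploited)" or "(Publicly Disclosed)" markers, Restart Required), and the Best Practices slide says high-threat items should roll out in 2 weeks or less. The following is an added example, not Shavlik's or Microsoft's code, of turning that layout into a rollout queue: it parses bulletin text, assigns each bulletin a deadline, and reports CVEs that several bulletins close (CVE-2016-0189 appears in MS16-051, MS16-053 and the Windows 10 cumulative update, so all of those must deploy before the exposure is gone). The sample text is a constructed excerpt using IDs from this page, and the 14-day and 30-day windows are assumptions mirroring the slide's guidance.

```python
"""Triage helper for vendor bulletin summaries in the layout used on this page.

Added example, not vendor code. The deadline policy (14 days when a bulletin is
Critical or closes an exploited or publicly disclosed CVE, 30 days otherwise) is
an assumption that mirrors the "2 weeks or less" guidance on the slides.
"""
import re
from collections import defaultdict

# Constructed sample in the page's bulletin layout; bulletin and CVE IDs are from the page.
SAMPLE_BULLETINS = """\
MS16-051: Cumulative Security Update for Internet Explorer (3155533)
Maximum Severity: Critical
Impact: Remote Code Execution
Fixes 5 vulnerabilities:
CVE-2016-0187, CVE-2016-0188 (Publicly Disclosed), CVE-2016-0189 (Exploited), CVE-2016-0192, CVE-2016-0194
Restart Required: Requires Restart
MS16-053: Cumulative Security Update for JScript and VBScript (3156764)
Maximum Severity: Critical
Impact: Remote Code Execution
Fixes 2 vulnerabilities:
CVE-2016-0187, CVE-2016-0189 (Exploited)
Restart Required: May Require Restart
MS16-067: Security Update for Volume Manager Driver (3155784)
Maximum Severity: Important
Impact: Information Disclosure
Fixes 1 vulnerability:
CVE-2016-0190
Restart Required: May Require Restart
"""

# "MS16-051: Title (3155533)" -> id, title, optional KB number
HEADER_RE = re.compile(r"^(?P<id>[A-Z]+\d*-\d+): (?P<title>.+?)(?: \((?P<kb>\d+)\))?$")
# "CVE-2016-0189 (Exploited)" -> CVE id plus any parenthesised flags that follow it
CVE_RE = re.compile(r"(CVE-\d{4}-\d{4,})((?:\s*\([^)]+\))*)")

DEADLINE_DAYS_URGENT = 14   # assumption: "2 weeks or less" from the Best Practices slide
DEADLINE_DAYS_NORMAL = 30   # assumption: routine rollout window


def parse_bulletins(text):
    """Return one dict per bulletin: id, title, kb, severity, impact, restart, cves -> flags."""
    bulletins = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"id": m.group("id"), "title": m.group("title"), "kb": m.group("kb"),
                       "severity": None, "impact": None, "restart": None, "cves": {}}
            bulletins.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Maximum Severity:"):
            current["severity"] = line.split(":", 1)[1].strip()
        elif line.startswith("Impact:"):
            current["impact"] = line.split(":", 1)[1].strip()
        elif line.startswith("Restart Required:"):
            current["restart"] = line.split(":", 1)[1].strip()
        elif line.startswith("CVE-"):
            for cve, flags in CVE_RE.findall(line):
                current["cves"][cve] = set(re.findall(r"\(([^)]+)\)", flags))
    return bulletins


def rollout_plan(bulletins):
    """Assign a deadline to each bulletin and list CVEs that more than one bulletin closes."""
    plan = {}
    cve_index = defaultdict(list)
    for b in bulletins:
        flags = set().union(*b["cves"].values())
        reasons = sorted(flags)
        if b["severity"] == "Critical":
            reasons.append("Critical")
        plan[b["id"]] = {
            "deadline_days": DEADLINE_DAYS_URGENT if reasons else DEADLINE_DAYS_NORMAL,
            "reasons": reasons,
            "restart": b["restart"],
        }
        for cve in b["cves"]:
            cve_index[cve].append(b["id"])
    shared = {cve: ids for cve, ids in cve_index.items() if len(ids) > 1}
    return plan, shared


if __name__ == "__main__":
    plan, shared = rollout_plan(parse_bulletins(SAMPLE_BULLETINS))
    for bid, entry in plan.items():
        print(bid, entry["deadline_days"], "days", entry["reasons"], entry["restart"])
    for cve, ids in shared.items():
        print(cve, "is closed by", ", ".join(ids), "- deploy all of them")
```

The shared-CVE report is the useful part in practice: a dashboard that marks CVE-2016-0189 "fixed" once MS16-051 is installed hides the fact that the same scripting engine is also patched by MS16-053, and on Windows 10 only the cumulative update carries either fix.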
27. Between Patch Tuesdays
New Product Support: Adobe Flash Pepper Plugin and Debugger, CoreFTP 2 x64, Foxit PhantomPDF 7, AutoCAD 2016 and 2017, Nitro Pro 10
Security Updates: Chrome (2), FireFox (3), Thunderbird, Flash Pepper Plugin, Skype (2), Apache Tomcat, Flash Player (2), Java, WireShark, FileZilla (2), TortoiseSVN
Non-Security Updates: Microsoft (70+), Dropbox, GoToMeeting, CoreFTP, BoxSync, LibreOffice, Google Drive, GoodSync (2), CCleaner, HipChat, PDFXchange, TeamViewer, Citrix XenApp, KeePass, AutoCAD, Citrix Receiver, Nitro Pro
Security Tools: QuickTime removal tool
29. • Why should you attend?
• Great Value:
• Two days of hands-on and deep-dive product sessions for less than one day of consulting services
• Interaction with Shavlik Product Managers and Systems Engineers
• Tech-Summit Pass $995
• And, of course, because it's Vegas, baby!
• For details see:
• http://www.shavlik.com/tech-summit/
30. Resources and Webinars
Get Shavlik Content Updates
Get Social with Shavlik
Sign up for next month's Patch Tuesday Webinar
Watch previous webinars and download the presentations.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
Ensure that your Internet Explorer version is at the latest for the OS you are installed on. Microsoft is only updating the latest version for each supported OS since January 2016. For details please see: https://support.microsoft.com/en-us/lifecycle#gp/Microsoft-Internet-Explorer
User Targeted - Privilege Management Mitigates Impact
CVE-2016-0189 (Exploited) – Scripting Engine Memory Corruption
Multiple remote code execution vulnerabilities exist in the way that the JScript and VBScript engines render when handling objects in memory in Internet Explorer. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. The update addresses the vulnerabilities by modifying how the JScript and VBScript scripting engines handle objects in memory.
CVE-2016-0188 (Publicly Disclosed) – Security Feature Bypass
A security feature bypass vulnerability for Internet Explorer exists in the User Mode Code Integrity (UMCI) component of Device Guard, when it improperly validates code integrity. An attacker who successfully exploited this vulnerability could execute unsigned code that would normally be blocked by UMCI.
To exploit the vulnerability, an attacker could run unsigned malicious code as though it were signed by a trusted source. The updates address the vulnerability by correcting how Internet Explorer validates code integrity.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
User targeted vulnerabilities – Privilege Management Mitigates Impact
Multiple Scripting Engine Memory Corruption Vulnerabilities
Multiple remote code execution vulnerabilities exist in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. The update addresses the vulnerabilities by modifying how the Chakra JavaScript scripting engine handles objects in memory.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
User Targeted - Privilege Management Mitigates Impact
CVE-2016-0189 (Exploited) - Multiple Scripting Engine Memory Corruption Vulnerabilities
Multiple remote code execution vulnerabilities exist in the way that the JScript and VBScript engines render when handling objects in memory in Internet Explorer. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities.
The update addresses the vulnerabilities by modifying how the JScript and VBScript scripting engines handle objects in memory. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
User Targeted - Privilege Management Mitigates Impact
Multiple Microsoft Office Memory Corruption Vulnerabilities
Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Exploitation of the vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file. The security update addresses the vulnerabilities by correcting how Office handles objects in memory.
Microsoft Office Graphics RCE Vulnerability - CVE-2016-0183
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are multiple ways an attacker could exploit this vulnerability. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability, and then convince a user to view the website. An attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by getting the user to click a link in an email or in an Instant Messenger message that takes the user to the attacker's website, or by opening an attachment sent through email.
In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince a user to open the document file.
Note that where the severity is indicated as Critical in the Affected Software and Vulnerability Severity Ratings table, the Preview Pane is an attack vector for CVE-2016-0183. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
User Targeted - Privilege Management Mitigates Impact
Multiple Windows Graphics Component Information Disclosure Vulnerabilities
Information disclosure vulnerabilities exist when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerabilities could obtain information to further compromise the user’s system.
There are multiple ways an attacker could exploit the vulnerabilities, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The update addresses the vulnerabilities by correcting how the Windows GDI component handles objects in memory.
CVE-2016-0170, CVE-2016-0195, CVE-2016-0184
There are multiple ways an attacker could exploit the vulnerability:
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.
In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince a user to open the document file. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in the memory.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
User Targeted - Privilege Management Mitigates Impact
Windows Journal Memory Corruption Vulnerability - CVE-2016-0182
A remote code execution vulnerability exists in Microsoft Windows when a specially crafted Journal file is opened in Windows Journal. An attacker who successfully exploited this vulnerability could cause arbitrary code to execute in the context of the current user. If a user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
For an attack to be successful, this vulnerability requires that a user open a specially crafted Journal file with an affected version of Windows Journal. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Journal file to the user, and then convincing the user to open the file. The update addresses the vulnerability by modifying how Windows Journal parses Journal files.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
User Targeted - Privilege Management Mitigates Impact
Windows Shell Remote Code Execution Vulnerability – CVE-2016-0179
A remote code execution vulnerability exists when Windows Shell improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email or Instant Messenger message that takes them to the attacker's site. The security update fixes this vulnerability by correcting how Windows Shell handles objects in memory.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
User Targeted
To fully patch Flash Player you need to update the Player and plug-ins in all browsers. This could mean 4 updates for Flash, Flash for IE, Flash for Firefox, and Chrome.
A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
CVE-2016-0149 (Publicly Disclosed)
TLS/SSL Information Disclosure Vulnerability - CVE-2016-0149
An information disclosure vulnerability exists in the TLS/SSL protocol, implemented in the encryption component of Microsoft .NET Framework. An attacker who successfully exploited this vulnerability could decrypt encrypted SSL/TLS traffic.
To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server. The update addresses the vulnerability by modifying the way that the .NET encryption component sends and receives encrypted network packets.
Important: Microsoft recommends that customers download and test the applicable update in controlled/managed environments before deploying it in their production environments.
If application compatibility issues appear, the recommended approach is to ensure that the server and client endpoints implement the TLS RFC correctly, and in particular that they can handle application data arriving as two records of 1 and n-1 bytes respectively, which is how the .NET encryption component sends it after this update. For more information and developer guidance, see Microsoft Knowledge Base Article 3155464 https://support.microsoft.com/kb/3155464.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
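The 1/n-1 split is the standard record-splitting mitigation for chosen-plaintext attacks on CBC cipher suites in TLS 1.0, which is the inject-then-MiTM scenario the bulletin describes. The compatibility risk is on the receiving side: TLS allows application data to be fragmented across records at any boundary, but some receivers assume one write on the sender equals one record on the wire. The following is an added example, not code from the deck or from KB 3155464: a toy model of the record layer (real header layout, but no encryption or MAC) that shows what the split looks like on the wire and how a receiver that assumes one record per message misbehaves while a conformant one does not. The sample HTTP request is constructed for the demonstration.

```powershell
# Added example, not from the Shavlik deck or KB 3155464: a toy model of the TLS record layer that
# shows the 1/n-1 split on the wire and why a receiver that assumes one record per application
# message breaks after this update. The framing matches a real record header (type, version, length)
# but nothing is encrypted or MACed; the point is the fragmentation, not the cryptography.

$AppData      = 0x17                      # TLS content type: application_data
$Tls10Version = [byte[]](0x03, 0x01)

function New-TlsRecord {
    param([byte[]]$Payload)
    # 5-byte header: content type, protocol version (2 bytes), length (2 bytes, big-endian), then payload.
    $len = $Payload.Length
    [byte[]]$header = [byte]$AppData, $Tls10Version[0], $Tls10Version[1], [byte]($len -shr 8), [byte]($len -band 0xFF)
    return [byte[]]($header + $Payload)
}

function Send-ApplicationData {
    param([byte[]]$Plaintext, [switch]$SplitOneAndNMinusOne)
    # Pre-update: one write, one record. Post-update (1/n-1): the first byte travels in its own record,
    # so the ciphertext block that serves as IV for the remaining n-1 bytes is not known to an attacker
    # at the moment they choose the plaintext they inject.
    if ($SplitOneAndNMinusOne -and $Plaintext.Length -gt 1) {
        $first = New-TlsRecord -Payload ([byte[]]$Plaintext[0..0])
        $rest  = New-TlsRecord -Payload ([byte[]]$Plaintext[1..($Plaintext.Length - 1)])
        return [byte[]]($first + $rest)
    }
    return New-TlsRecord -Payload $Plaintext
}

function Read-TlsRecords {
    param([byte[]]$Wire)
    # Walk the byte stream using each header's length field and return one payload per record.
    $records = New-Object 'System.Collections.Generic.List[byte[]]'
    $offset = 0
    while ($offset + 5 -le $Wire.Length) {
        if ($Wire[$offset] -ne $AppData) { throw ("unexpected content type 0x{0:x2} at offset {1}" -f $Wire[$offset], $offset) }
        $len = ([int]$Wire[$offset + 3] -shl 8) -bor [int]$Wire[$offset + 4]
        if ($offset + 5 + $len -gt $Wire.Length) { throw "truncated record at offset $offset" }
        $payload = if ($len -gt 0) { [byte[]]$Wire[($offset + 5)..($offset + 4 + $len)] } else { [byte[]]@() }
        $records.Add($payload)
        $offset += 5 + $len
    }
    return , $records   # leading comma stops PowerShell unrolling the list into its elements
}

function Receive-MessageNaive {
    param([byte[]]$Wire)
    # Broken receiver: treats the first record as the entire message. Works only while the peer never fragments.
    $records = Read-TlsRecords -Wire $Wire
    return [System.Text.Encoding]::ASCII.GetString($records[0])
}

function Receive-MessageConformant {
    param([byte[]]$Wire, [string]$Terminator = "`r`n`r`n")
    # Conformant receiver: record boundaries mean nothing to the application layer, so keep appending
    # payloads until the application-level delimiter shows up.
    $buffer = New-Object 'System.Collections.Generic.List[byte]'
    foreach ($payload in (Read-TlsRecords -Wire $Wire)) {
        $buffer.AddRange($payload)
        $text = [System.Text.Encoding]::ASCII.GetString($buffer.ToArray())
        if ($text.Contains($Terminator)) { return $text }
    }
    throw 'stream ended before the message terminator arrived'
}

# Constructed sample request; the cookie is the kind of secret the attack in the bulletin goes after.
$request = [System.Text.Encoding]::ASCII.GetBytes("GET /account HTTP/1.1`r`nHost: example.test`r`nCookie: session=abc123`r`n`r`n")

$wireBefore = Send-ApplicationData -Plaintext $request
$wireAfter  = Send-ApplicationData -Plaintext $request -SplitOneAndNMinusOne

"records before update : {0}" -f (Read-TlsRecords -Wire $wireBefore).Count
"records after update  : {0}" -f (Read-TlsRecords -Wire $wireAfter).Count
"naive reader, after   : '{0}'" -f (Receive-MessageNaive -Wire $wireAfter)
"conformant reader     : '{0}'" -f (Receive-MessageConformant -Wire $wireAfter).Split("`n")[0].TrimEnd()
```

With the split enabled the sender emits two records instead of one, and the naive reader hands the application only the first byte of the request while the conformant reader reassembles the whole request line. If an application starts failing against a patched .NET peer, this is the shape of the bug to look for in its receive path; the KB's guidance is to fix the receiver rather than disable the split.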
User Targeted
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks.
Privilege Management Mitigates Impact
Windows DLL Loading Remote Code Execution Vulnerability - CVE-2016-0152
A remote code execution vulnerability exists when Microsoft Windows fails to properly validate input before loading certain libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerability, an attacker must first gain access to the local system and have the ability to execute a malicious application. The security update addresses the vulnerability by correcting how Windows validates input when loading certain libraries.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks.
User Targeted - Privilege Management Mitigates Impact
Windows Media Center Remote Code Execution Vulnerability - CVE-2016-0185
A vulnerability exists in Windows Media Center that could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploited this vulnerability could take control of an affected system. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Workstations are primarily at risk of this vulnerability.
To exploit the vulnerability, user interaction is required. In a web-browsing scenario, a user would have to navigate to a compromised website that an attacker is using to host a malicious .mcl file. In an email attack scenario, an attacker would have to convince a user who is logged on to a vulnerable workstation to click a specially crafted link in an email. The security update addresses the vulnerability by correcting how Windows Media Center handles certain resources in the .mcl file.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks.
Windows Kernel Elevation of Privilege Vulnerability - CVE-2016-0180
An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel parses symbolic links.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks.
RPC Network Data Representation Engine Elevation of Privilege Vulnerability - CVE-2016-0178
An elevation of privilege vulnerability exists in the way that Microsoft Windows handles specially crafted Remote Procedure Call (RPC) requests. A privilege elevation can occur when the RPC Network Data Representation (NDR) Engine improperly frees memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An unauthenticated attacker could exploit the vulnerability by making malformed RPC requests to an affected host. The update addresses this vulnerability by modifying the way that Microsoft Windows handles RPC messages.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks.
Multiple Win32k Elevation of Privilege Vulnerabilities
Multiple elevation of privilege vulnerabilities exist in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerabilities, an attacker would first have to log on to the target system. An attacker could then run a specially crafted application that could exploit the vulnerabilities and take control over an affected system. The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.
Win32k Information Disclosure Vulnerability - CVE-2016-0175
A security feature bypass vulnerability exists in the Windows kernel that could allow an attacker to retrieve information leading to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this vulnerability could retrieve the memory address of a kernel object.
To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows kernel handles memory addresses.
Microsoft DirectX Graphics Kernel Subsystem Elevation of Privilege Vulnerability – CVE-2016-0176
An elevation of privilege vulnerability exists when the DirectX Graphics kernel subsystem (dxgkrnl.sys) improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system.
An attacker who successfully exploited this vulnerability could run processes in an elevated context. The update addresses the vulnerability by correcting the way in which the Microsoft DirectX graphics kernel subsystem handles objects in memory.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks.
Windows 10 only; this shows up in Protect scans as CSWU-024 on Windows 10 systems.
Hypervisor Code Integrity Security Feature Bypass – CVE-2016-0181
A security feature bypass vulnerability exists when Windows incorrectly allows certain kernel-mode pages to be marked as Read, Write, Execute (RWX) even with Hypervisor Code Integrity (HVCI) enabled.
To exploit this vulnerability, an attacker could run a specially crafted application to bypass code integrity protections in Windows. The security update addresses the vulnerability by correcting security feature behavior to preclude the incorrect marking of RWX pages under HVCI.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks.
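CVE-2016-0181 only has teeth on hosts where HVCI is actually running, and a host can have it configured without it running (missing hardware support, a driver that blocks it). The function below is an added example, not from the Shavlik deck: it reads the Win32_DeviceGuard WMI class, whose property codes are Microsoft's documented ones, and reports whether HVCI is configured, whether it is running, and optionally whether a given cumulative update is installed. The slide does not give the KB number behind CSWU-024, so the KB is an input you supply from your patch console rather than a value hard-coded here; the placeholder in the comment is an assumption.

```powershell
# Added example, not from the Shavlik deck: tell whether a Windows 10 host is actually exposed to
# CVE-2016-0181. The bypass only matters where HVCI is running, and the slide does not name the KB
# number of the cumulative update, so the KB is supplied by the caller.
# Win32_DeviceGuard and its value codes are Microsoft's documented interface; everything else is assumption.

function Test-HvciExposure {
    param(
        [string]$CumulativeUpdateKB   # e.g. 'KB1234567' (placeholder; pass the real CSWU-024 KB from your console)
    )

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result = [ordered]@{
        Host           = $env:COMPUTERNAME
        VbsStatus      = $null
        HvciConfigured = $false
        HvciRunning    = $false
        UpdatePresent  = $null
        Assessment     = ''
    }

    if (-not $dg) {
        $result.Assessment = 'Win32_DeviceGuard not present: not a Windows 10 / Server 2016 build, HVCI cannot be on here'
        return [pscustomobject]$result
    }

    # Documented codes: VirtualizationBasedSecurityStatus 0 = off, 1 = enabled but not running, 2 = running;
    # SecurityServicesConfigured / SecurityServicesRunning contain 1 for Credential Guard and 2 for HVCI.
    $result.VbsStatus      = @('off', 'enabled, not running', 'running')[[int]$dg.VirtualizationBasedSecurityStatus]
    $result.HvciConfigured = @($dg.SecurityServicesConfigured) -contains 2
    $result.HvciRunning    = @($dg.SecurityServicesRunning)    -contains 2

    if ($CumulativeUpdateKB) {
        # Windows 10 cumulative updates are listed by Get-HotFix under their KB number.
        $result.UpdatePresent = [bool](Get-HotFix -Id $CumulativeUpdateKB -ErrorAction SilentlyContinue)
    }

    $result.Assessment = if (-not $result.HvciConfigured) {
            'HVCI not enabled: CVE-2016-0181 is moot here, but the rest of the cumulative update still applies'
        } elseif (-not $result.HvciRunning) {
            'HVCI configured but not running: check the DeviceGuard and CodeIntegrity operational event logs for the reason'
        } elseif ($result.UpdatePresent -eq $false) {
            'HVCI running and update missing: kernel-mode RWX pages can still be created despite HVCI until it lands'
        } elseif ($result.UpdatePresent) {
            'HVCI running and cumulative update present'
        } else {
            'HVCI running; pass -CumulativeUpdateKB to confirm the update'
        }

    return [pscustomobject]$result
}

Test-HvciExposure | Format-List
```

The object output is meant to be collected across a fleet (Invoke-Command against a list of hosts, then filter on HvciRunning and UpdatePresent) so the Priority 2 window can be spent on the machines where the bypass is actually reachable, and so the "configured but not running" hosts get looked at separately, since on those HVCI is not protecting anything regardless of patch state.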
Remote Desktop Protocol Drive Redirection Information Disclosure Vulnerability - CVE-2016-0190
An information disclosure vulnerability exists in Microsoft Windows when a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user. An attacker who successfully exploited this vulnerability could obtain access to file and directory information on the mounting user’s USB disk. This update addresses the vulnerability by ensuring that access to USB disks over RDP is correctly enforced to prevent non-mounting session access.
Use registration code “Int2016Shavlik”
Sign up for Content Announcements:
Email http://www.shavlik.com/support/xmlsubscribe/
RSS http://protect7.shavlik.com/feed/
Twitter @ShavlikXML
Follow us on:
Shavlik on LinkedIn
Twitter @ShavlikProtect
Shavlik blog -> www.shavlik.com/blog
Chris Goettl on LinkedIn
Twitter @ChrisGoettl
Sign up for webinars or download presentations and watch playbacks:
http://www.shavlik.com/webinars/