Time marches on – although these days it seems to be moving at a flat-out run sometimes – and here it is, already March and the first quarter of this year is nearly gone. The past few weeks have been filled with news regarding various security vulnerabilities. Interestingly, many of these – such as those exploited by KeRanger and the GNU C Library flaw – affect operating systems other than Microsoft’s. Others, such as DROWN, can threaten servers across different OS platforms, including Windows. The good news is that SSLv2, where the weakness lies, is disabled by default on IIS 7.0 and above; the caveat is that DROWN is a cross-protocol attack, so a server is still exposed if its private key is shared with any other host or service that still accepts SSLv2.

That aside, Microsoft has its share of vulnerabilities this month and, not to be deterred by superstition, released 13 updates to address them. Most are for Windows, along with the usual cumulative updates for the Internet Explorer and Edge web browsers, one patch for Office and its associated services and servers, and one for the .NET Framework.

Five of this month’s updates are rated critical, with the other eight rated important. We see many remote code execution vulnerabilities and, as usual, many of these are due to memory corruption issues. There are also several elevation of privilege and security feature bypass vulnerabilities. In total, these thirteen updates address 44 vulnerabilities.
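As an added check that is not part of the original post, the following PowerShell script compares the bulletin-level KB numbers listed in the per-bulletin sections of this post against what Get-HotFix reports on a machine. The table of bulletin-to-KB mappings and the function name are mine; Get-HotFix reads Win32_QuickFixEngineering, which only lists Windows component updates, so Office and .NET packages (which carry their own package KB numbers) will not appear even when installed.

```powershell
# Added example (not from the original post): check which of this month's
# bulletin-level KB numbers, as listed in this post, are visible as installed.
# Get-HotFix reads Win32_QuickFixEngineering, which only lists Windows component
# updates; Office and .NET packages carry their own KB numbers, so "not installed"
# here means "not visible to QFE", not proof that the bulletin is unpatched.
$MarchBulletins = @{
    'MS16-023' = 'KB3142015'   # IE cumulative update
    'MS16-024' = 'KB3142019'   # Edge cumulative update
    'MS16-025' = 'KB3140709'   # Library loading (Vista / Server 2008 only)
    'MS16-026' = 'KB3143148'   # Graphic fonts (ATMFD)
    'MS16-027' = 'KB3143146'   # Windows Media
    'MS16-028' = 'KB3143081'   # Windows PDF Library
    'MS16-029' = 'KB3141806'   # Office (bulletin-level KB; per-product packages differ)
    'MS16-030' = 'KB3143136'   # Windows OLE
    'MS16-032' = 'KB3143141'   # Secondary Logon service
    'MS16-033' = 'KB3143142'   # USB Mass Storage Class driver
    'MS16-034' = 'KB3143145'   # Win32k kernel-mode drivers
    'MS16-035' = 'KB3141780'   # .NET Framework (bulletin-level KB; per-version packages differ)
    # MS16-031 is omitted here: confirm its KB number from the bulletin summary.
}

function Get-MarchPatchStatus {
    # Returns one object per bulletin with an Installed flag for the given computer.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $installed = Get-HotFix -ComputerName $ComputerName |
        Select-Object -ExpandProperty HotFixID

    foreach ($bulletin in ($MarchBulletins.Keys | Sort-Object)) {
        $kb = $MarchBulletins[$bulletin]
        [pscustomobject]@{
            Computer  = $ComputerName
            Bulletin  = $bulletin
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

# Usage: list the bulletins with no visible package on this machine.
Get-MarchPatchStatus | Where-Object { -not $_.Installed } | Format-Table -AutoSize
```

For fleet-wide checks, run Get-MarchPatchStatus against each name from your inventory and feed the results into whatever reporting you already use; treat a missing Office or .NET entry as "verify through the Office or .NET package KB" rather than as a confirmed gap.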

Now let’s take a look at each of these patches in more detail. For the full details of each, see the Security Bulletin Summary on the TechNet web site at https://technet.microsoft.com/en-us/library/security/ms16-mar.aspx

Critical

MS16-023 (KB 3142015) This is the usual cumulative update for Internet Explorer that we have come to expect every month. It applies to IE 9, 10 and 11 running on Windows Vista, 7, 8.1 and 10 as well as RT 8.1, and Windows Server 2008, 2008 R2, 2012 and 2012 R2. It is rated critical on client machines and moderate on servers.

“Lucky (or unlucky) 13” seems to be the number of the day, as we see it pop up again in the number of vulnerabilities that are addressed by this patch. All of these are memory corruption issues, and can be exploited to accomplish remote code execution that could allow an attacker to take control of the system. The exploit can be done through an attacker-hosted website or by taking advantage of legitimate sites that allow user-provided content or ads.

The update fixes the problems by changing the way IE handles objects in memory. There are no identified mitigations or workarounds.

MS16-024 (KB 3142019) This is a cumulative update for the new Edge browser, similar to the IE cumulative update. Of course it only applies to Windows 10 machines since Edge only runs on that OS. This includes 32 and 64 bit Win 10 and also version 1511.  It is rated critical on Windows 10.

The update addresses fewer vulnerabilities than the IE update – 11 in total. All except one of these are memory corruption issues, and the other is an information disclosure vulnerability. The memory corruption issues can be exploited to accomplish remote code execution, thus the critical rating on Windows 10 clients.

The update fixes the problems by changing the way Edge handles objects in memory and also by changing the way it handles the referrer policy so that attackers won’t be able to leverage it to find out information about the request context or browsing history of users. There are no identified mitigations or workarounds.

MS16-026 (KB 3143148) This is an update for Graphic Fonts in Windows that affects all supported versions of the Windows client and server operating systems: Vista, Windows 7, Windows 8/8.1, Windows RT 8.1, Windows 10, and Server 2008 through 2012 R2, including the server core installations. It is rated critical for both client and server OS.

The update addresses a pair of vulnerabilities in the way the Windows Adobe Type Manager Library parses specially crafted OpenType fonts. The more severe of the two could allow remote code execution if a user opens a document or visits a web page that contains a crafted embedded font, which is why this bulletin is rated critical; the other can be used to cause a denial of service (DoS). Windows 10 moved font parsing out of the kernel into a restricted user-mode process, so on that version the application would stop responding but the rest of the system would not be affected.

The update fixes the problem by changing the way the Adobe Type Manager Library handles OpenType fonts. If you’re unable to apply the update, there is a published workaround that involves renaming the ATMFD.DLL or on Windows 8 and above, disabling ATMFD. You can find instructions in the security bulletin here: https://technet.microsoft.com/en-us/library/security/ms16-026.aspx
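The following PowerShell is an added example, not code from the original post or from the bulletin, for querying and applying the Windows 8 and later workaround. The registry path and the DisableATMFD value are the ones the bulletin documents; the function names are mine. Check the linked bulletin before using it, and note that the Vista/Windows 7 rename workaround is deliberately not scripted here because it involves taking ownership of a system file.

```powershell
# Added example (not from the original post): inspect and toggle the MS16-026
# workaround for Windows 8 and later, which disables the Adobe Type Manager Font
# Driver through the DisableATMFD registry value named in the bulletin.
# Run from an elevated session; a reboot is required for the change to take effect.
$AtmfdKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Test-AtmfdPresent {
    # True if the vulnerable driver binary is present on this system.
    Test-Path (Join-Path $env:windir 'System32\atmfd.dll')
}

function Get-AtmfdState {
    # Returns 'Disabled' when the workaround value is set to 1, 'Enabled' otherwise.
    $value = (Get-ItemProperty -Path $AtmfdKey -Name DisableATMFD -ErrorAction SilentlyContinue).DisableATMFD
    if ($value -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-Atmfd {
    # Apply the workaround. Applications that rely on embedded PostScript-flavoured
    # fonts may stop rendering them correctly until the value is removed again.
    New-ItemProperty -Path $AtmfdKey -Name DisableATMFD -PropertyType DWord -Value 1 -Force | Out-Null
    Get-AtmfdState
}

function Enable-Atmfd {
    # Remove the workaround once KB 3143148 is installed.
    Remove-ItemProperty -Path $AtmfdKey -Name DisableATMFD -ErrorAction SilentlyContinue
    Get-AtmfdState
}

"atmfd.dll present: $(Test-AtmfdPresent)"
"ATMFD is currently: $(Get-AtmfdState)"
```

Use Get-AtmfdState in your compliance checks so that machines left in the "Disabled" state after the update has been deployed are noticed and reverted, since the workaround is a stopgap and breaks font rendering in some applications.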

MS16-027 (KB 3143146) This is an update for Windows Media that affects all supported editions of Windows 7 and later client operating systems and Windows Server 2008 R2 and later server operating systems. Windows Vista and Server 2008 are not affected. It is rated critical for all affected systems.

This update addresses two Windows Media parsing vulnerabilities that can be exploited to achieve remote code execution and thus take over control of a system. The user would have to open specially crafted media content, which could be on an attacker-hosted website or in an email attachment.

The update fixes the problem by changing the way Windows handles resources in the media library. There are no identified mitigations or workarounds.

MS16-028 (KB 3143081) This is an update for the Windows PDF Library that affects Windows 8.1 (including RT 8.1) and Windows 10, and Windows Server 2012 and 2012 R2. Older versions of Windows are not affected, but the server core installation of Windows Server is. It is rated critical for both client and server operating systems.

This update addresses two vulnerabilities by which an attacker could achieve remote code execution and take control of a system if a user opens a specially crafted PDF file. The attacker gains the rights of that user, so the damage is greatest when the user is logged on with admin rights.

The update fixes the problem by changing the way Windows parses PDF files. There are no identified mitigations or workarounds.

Important

MS16-025 (KB 3140709) This is an update for the Windows Library Loading component that affects only Windows Vista and Server 2008. Since the installed base for both operating systems is relatively low in comparison to newer versions of Windows, the impact is limited. However, this is still a remote code execution vulnerability so it’s rated important on both the client and server.

The update addresses a single vulnerability that could be exploited to take control of a Vista or Server 2008 computer. The good news is that the attacker would first need access to the local system with enough privileges to run an application, which lowers the likelihood of exploitation, and no exploits had been seen in the wild at the time of release.

The update fixes the problem by changing the way Windows validates inputs when loading certain libraries. There are no identified mitigations or workarounds.

MS16-029 (KB 3141806) This is an update for Microsoft Office that affects Office 2007, InfoPath 2007, Word 2007, Office 2010 SP2, InfoPath 2010 SP2, Word 2010 SP2, Office 2013 SP1, InfoPath 2013 SP1, Word 2013 SP1, Office 2013 RT, Office 2016, Word 2016, Office for Mac 2011 and 2016, the Office Compatibility Pack SP3 and Word Viewer. It also affects SharePoint Server 2010 and 2013, and Office Web Apps 2010 and 2013. It is rated important for all affected software and services.

This update addresses three vulnerabilities: two memory corruption issues and one security feature bypass. The memory corruption vulnerabilities could allow an attacker to achieve remote code execution and take control of a system if a user opens a specially crafted file with an affected version of Office; the attacker gains the rights of that user, so the impact is greatest when the user is logged on with admin rights. The security feature bypass involves a binary that shipped with an invalid signature: an attacker with write access to the location where it is stored could overwrite it with a malicious binary.

The update fixes the problems by changing the way Office handles objects in memory and providing a validly signed binary.  There are no identified mitigations or workarounds.

MS16-030 (KB 3143136) This is an update to Windows Object Linking and Embedding (OLE) that affects all currently supported versions of the Windows client and server operating systems: Vista, Windows 7, Windows 8/8.1, Windows RT 8.1, Windows 10, and Server 2008 through 2012 R2, including the server core installations. It is rated important for both client and server OS.

This update addresses two OLE memory corruption issues that could be exploited by an attacker to remotely execute malicious code if the attacker can convince a user to open a specially crafted file or program from an email message or web page.

The update fixes the problem by changing the way Windows OLE validates user input. There are no identified mitigations or workarounds.

MS16-031 (KB 314010) This is an update to Windows that affects Windows Vista and 7 as well as Server 2008 and 2008 R2 (including the server core installation). More recent versions of the operating system are not affected. The update is rated important for all affected systems.

This update addresses a single elevation of privilege vulnerability that occurs when Windows doesn’t properly sanitize handles in memory. This could allow an attacker to run code in the context of SYSTEM and install programs, access or delete data and create new user accounts. The good news is that the attacker would first have to log on to the system and run a specially crafted application to exploit the vulnerability.

The update fixes the problem by changing the way Windows sanitizes handles in memory. There are no identified mitigations or workarounds.

MS16-032 (KB 3143141) This is an update to Windows that affects all supported versions of the Windows client and server operating systems: Vista, Windows 7, Windows 8/8.1, Windows RT 8.1, Windows 10, and Server 2008 through 2012 R2, including the server core installations. It is rated important for both client and server OS.

This update addresses a single vulnerability in the Secondary Logon Service (seclogon) by which an attacker could achieve elevation of privilege when the service doesn’t properly manage request handles in memory. An attacker must be able to log on to the system and run a specially crafted application in order to exploit the vulnerability, but if able to do so, could run code as an administrator and take control of the system.

The update fixes the problem by changing the way Windows handles request handles in memory. There are no identified mitigations or workarounds.

MS16-033 (KB 3143142) This is an update to the Windows USB Mass Storage Class Driver that affects all supported versions of the Windows client and server operating systems: Vista, Windows 7, Windows 8/8.1, Windows RT 8.1, Windows 10, and Server 2008 through 2012 R2, including the server core installations. It is rated important for both client and server OS.

This update addresses a single vulnerability caused by improper validation of objects in memory by the USB Mass Storage Class driver that can be exploited to elevate privileges and run arbitrary code in kernel mode, thus allowing the attacker to install programs, access and delete data or create new user accounts. The attacker would need physical access to the target system in order to insert a specially crafted USB device, which limits the threat.

The update fixes the problem by changing the way the Windows USB Mass Storage Class driver handles objects in memory. There are no identified mitigations or workarounds.

MS16-034 (KB 3143145) This is an update to the Windows kernel-mode drivers that affects all supported versions of the Windows client and server operating systems: Vista, Windows 7, Windows 8/8.1, Windows RT 8.1, Windows 10, and Server 2008 through 2012 R2, including the server core installations. It is rated important for both client and server OS.

This update addresses four different Win32k elevation of privilege vulnerabilities caused by failure of the kernel-mode driver to properly handle objects in memory. An attacker could exploit these to run arbitrary code in kernel mode, thus allowing the attacker to install programs, access and delete data or create new user accounts. The attacker would first have to log on to the system and run a specially crafted application; that rules out remote exploitation on its own, but Win32k bugs of this kind are routinely chained with a browser or document exploit to escape a sandbox, so don’t let the important rating push them to the back of the queue.

The update fixes the problem by changing the way the kernel-mode driver handles objects in memory. There are no identified mitigations or workarounds.

MS16-035 (KB 3141780) This is an update to the .NET Framework, affecting versions 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6 and 4.6.1. It is rated important on all affected versions on all supported client and server operating systems: Vista, Windows 7, Windows 8/8.1, Windows RT 8.1, Windows 10, and Server 2008 through 2012 R2, including the server core installations.

This update addresses a single issue in .NET XML signature validation: certain elements of a signed XML document are not properly validated, which renders the system vulnerable to a security feature bypass. An attacker could change the contents of a signed XML file without invalidating the signature, defeating the tamper detection that applications rely on the signature to provide.

The update fixes the problem by changing the way the .NET Framework validates XML documents. There are no identified mitigations or workarounds.
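To make the MS16-035 bypass concrete, here is an added PowerShell example, not code from the original post or from Microsoft, that uses .NET’s SignedXml class to sign a document with an enveloped XML-DSig signature, verify it, tamper with a signed element and confirm that verification then fails. The sample document, the throwaway RSA key and the function names are constructed for this illustration; the point is the behaviour a correct validator must show, which is what the update restores.

```powershell
# Added example (not from the original post): sign an XML document, verify it,
# then tamper with a signed element and confirm that verification fails.
# The document and key below are constructed for the demonstration.
Add-Type -AssemblyName System.Security
Add-Type -AssemblyName System.Xml

function New-SignedXml {
    param([string]$Xml, [System.Security.Cryptography.AsymmetricAlgorithm]$Key)

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true   # keep canonicalisation stable between sign and verify
    $doc.LoadXml($Xml)

    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($doc)
    $signedXml.SigningKey = $Key

    # Reference URI "" covers the whole document; the enveloped transform
    # excludes the Signature element itself from the digest.
    $reference = New-Object System.Security.Cryptography.Xml.Reference
    $reference.Uri = ""
    $reference.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform))
    $signedXml.AddReference($reference)

    $signedXml.ComputeSignature()
    $sigElement = $signedXml.GetXml()
    [void]$doc.DocumentElement.AppendChild($doc.ImportNode($sigElement, $true))
    return $doc
}

function Test-SignedXml {
    param([System.Xml.XmlDocument]$Doc, [System.Security.Cryptography.AsymmetricAlgorithm]$Key)

    $ns = [System.Security.Cryptography.Xml.SignedXml]::XmlDsigNamespaceUrl
    $sigNodes = $Doc.GetElementsByTagName("Signature", $ns)
    # Reject documents with zero or several Signature elements rather than
    # picking one; a validator that silently picks is a bypass waiting to happen.
    if ($sigNodes.Count -ne 1) { return $false }

    $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($Doc)
    $signedXml.LoadXml([System.Xml.XmlElement]$sigNodes.Item(0))
    # Always verify against the key you expect, never against one carried
    # inside the document being verified.
    return $signedXml.CheckSignature($Key)
}

# Constructed sample: a 2048-bit throwaway key and a small signed "order".
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$original = '<order><item>widget</item><amount>10</amount></order>'
$signed = New-SignedXml -Xml $original -Key $rsa

"Untampered verifies: " + (Test-SignedXml -Doc $signed -Key $rsa)   # True

# Change a signed element after signing; the digest no longer matches.
$signed.SelectSingleNode("/order/amount").InnerText = "10000"
"Tampered verifies:   " + (Test-SignedXml -Doc $signed -Key $rsa)   # False

$rsa.Dispose()
```

The two guard rails in Test-SignedXml, insisting on exactly one Signature element and verifying against a caller-supplied key rather than a KeyInfo embedded in the document, are the parts of signed-XML handling that applications most often get wrong; a framework-level fix such as MS16-035 does not relieve application code of either responsibility.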