Microsoft pushed out 16 bulletins on Tuesday addressing 44 different vulnerabilities in its software, including Windows, Exchange Server, Office, Edge, and Internet Explorer.

Five of the bulletins have been branded critical because each vulnerability associated with them could be used to carry out remote code execution; the remaining 11 are marked important.

According to experts, one of the more concerning critical fixes involves a use after free vulnerability that affects Microsoft Windows DNS server for Windows Server 2012 and 2012 R2. If an attacker sent a specially crafted request to a DNS server, they could convince it to run arbitrary code, Microsoft’s advisory warns.

“Organizations that run their DNS server on the same machine as their Active Directory server need to be doubly aware of the danger of this vulnerability,” Wolfgang Kandek, CTO at Qualys, warned Tuesday afternoon.

Microsoft fixed the issue by modifying how the servers handle requests. Users should update but since most Windows DNS servers don’t face the internet and most admins use them for internal traffic the issue shouldn’t be an immediate concern.

Another critical issue, MS16-070, affects Microsoft Office and could allow an attacker to run arbitrary code and take control of an affected system if the user was logged on with admin rights. An attacker could trigger an exploit merely by sending a Microsoft Word RTF file to a user. Microsoft acknowledges the preview pane is an attack vector and that the flaw could be triggered with a simple e-mail without user interaction.

If for some reason users can’t apply the patches for MS16-070 right away, as a workaround, Microsoft is encouraging users to use Office’s File Block policy to prevent Office from opening .RTF documents from unknown or untrusted sources.

Two more of the critical bulletins, cumulative security updates for Microsoft’s browsers Internet Explorer and Edge, address multiple remote code execution vulnerabilities.

In Edge, the browser’s Content Security Policy fails to properly validate some documents and the Chakra JavaScript engine has difficulty rendering when it handles objects in memory. According to Microsoft’s advisory a few vulnerabilities also exist with regard to how Edge parses .PDF files.

The Internet Explorer fixes mostly pertain to memory corruption vulnerabilities, especially in engines like JScript 9, JScript, and VBScript.

The number of bulletins released by Microsoft are about on par with its May release, when it pushed out 17 bulletins, eight of which were critical. That release included a patch for a JScript and VBScript scripting engine vulnerability that was being publicly exploited. As far as Microsoft is aware, none of exploits this month’s patches fix are being exploited in the wild.

Microsoft pushed out the updates the same day that Adobe rolled out patches for its DNG Software Development Kit, Brackets, Creative Cloud Desktop App, and hotfixes for ColdFusion. A patch for Flash Player, intended to remedy a vulnerability Adobe claims is being exploited in “limited, targeted attacks” was expected today but will arrive later this week.

The remaining bulletins were marked important by Microsoft today:

  • MS16-072 – patches a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.
  • MS16-073 – patches vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
  • MS16-074 – patches vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if a user opens a specially crafted document or visits a specially crafted website.
  • MS16-075 – patches a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application.
  • MS16-076 – patches a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to a domain controller (DC) on a target network runs a specially crafted application to establish a secure channel to the DC as a replica domain controller.
  • MS16-077 – patches vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process on a target system.
  • MS16-078 – patches a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
  • MS16-079 – patches vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted image URL in an Outlook Web Access (OWA) message that is loaded, without warning or filtering, from the attacker-controlled URL.
  • MS16-080 – patches vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted .pdf file. An attacker who successfully exploited the vulnerabilities could cause arbitrary code to execute in the context of the current user. However, an attacker would have no way to force a user to open a specially crafted .pdf file.
  • MS16-081 – patches a vulnerability in Active Directory. The vulnerability could allow denial of service if an authenticated attacker creates multiple machine accounts. To exploit the vulnerability an attacker must have an account that has privileges to join machines to the domain.
  • MS16-082 – patches a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker logs on to a target system and runs a specially crafted application.

Categories: Vulnerabilities, Web Security