Microsoft released a baker’s dozen worth of security bulletins on Tuesday, including five rated critical and two rated important that could result in remote code execution attacks against compromised machines.
Two of the bulletins rated critical address flaws in Internet Explorer and Microsoft Edge. The IE bulletin, MS16-023, patches 13 vulnerabilities in the browser, all of which are memory corruption flaws impacting IE 9-11, including IE 11 on Windows 10. More than half of the 13 flaws do not impact IE 9 or 10, Microsoft said, but those that do are in line for attacks resulting in remote code execution. None of the flaws have been publicly disclosed or exploited.
The same goes for MS16-024, the Microsoft Edge bulletin. All 11 flaws are memory corruption vulnerabilities and five of those are also applicable to IE, Microsoft said. Edge also is vulnerable to an information disclosure vulnerability, CVE-2016-0125, enabled by Edge’s improper handling of the referrer policy. An attacker could use this flaw to learn about the request context or browsing history of a user, Microsoft said.
The memory corruption flaws affecting both browsers, Microsoft said, are related to the way IE and Edge access objects in memory. An attacker hosting an exploit online would have to convince the victims to view the site, either via phishing, drive-by download attacks, or instant messages with links to the malicious sites. Successful exploits give the attacker the same privileges as the user.
Microsoft also issued a bulletin, MS16-026, patching two flaws in Windows Graphic Fonts. A user would have to open a crafted document to exploit the flaw or view a website hosting maliciously crafted embedded OpenType fonts.
Only one of the OpenType Font Parsing vulnerabilities, CVE-2016-0121, is rated critical and leads to remote code execution; the other, CVE-2016-0120, is a denial-of-service issue and is rated moderate by Microsoft.
The flaw exists in Windows because of the way the Windows Adobe Type Manger Library handles these specially crafted fonts, Microsoft said, and a successful exploit could allow an attacker to install malware, manipulate data, or create new accounts.
A separate update, MS16-027, patches two flaws in Windows Media that can be exploited via malicious media content to gain remote code execution. Neither CVE-2106-0101, nor CVE-2016-0098, has been publicly attacked, Microsoft said, adding that the patch corrects the way Windows handles resources in the media library.
The final bulletin rated critical by Microsoft, MS16-028, addresses two flaws in the Windows PDF Library that could be exploited to gain remote code execution if a user is tricked into opening a malicious .pdf file.
Qualys CTO Wolfgang Kandek cautioned that organizations should prioritize MS16-026, MS16-027 and MS16-0280.
“They all attack complex formatting issues in the Windows Media Player in the MPEG video format, in the OpenType fonts with a circular reference abusing recursion and in the PDF reader missing boundary check in the PostScript interpreter,” he said. “The continuous stream of vulnerabilities in these areas indicates just how complex the media formats are that we dealing with everyday.”
MS16-029, meanwhile, patches three flaws in Office and Office Services and Web Apps, two of which lead to remote code execution via memory corruption issues and another that bypasses security features. This update also includes a new version of Microsoft Word, which has been a vehicle used in many targeted attacks.
“Word is frequently used to carry exploits, both in online documents as well as e-mail attachments,” Kandek said. “The vulnerabilities allow the attacker to get RCE on the target machines and should be addressed as quickly as possible.”
The security feature bypass affects versions of Office dating back to 2007.
“A security feature bypass vulnerability exists in Microsoft Office software due to an invalidly signed binary. An attacker who successfully exploited the vulnerability could use a similarly configured binary to host malicious code,” Microsoft said. “A defender would then not be able to rely on a valid binary signature to differentiate between a known good and a malicious binary.”
The final bulletins addressing remote code execution flaw in Windows are MS16-025 and MS16-030. MS16-025 patches a vulnerability in Windows, which occurs because the OS fails to validate input before loading certain libraries. An attacker would need local access to exploit the bug by launching a malicious application, Microsoft said. MS16-030 patches two flaws in Windows OLE that could lead to remote code execution, because it too fails to validate user input.
The remaining bulletins were rated important by Microsoft:
- MS16-031 patches an elevation of privilege vulnerability in Windows
- MS16-032 patches another elevation of privilege bug, this one in the Windows Secondary Logon Service
- MS16-033 patches a flaw in the Windows USB Mass Storage Class Driver that can be exploited with a USB device to gain privilege escalation.
- MS16-034 patches four vulnerabilities in Windows Kernel-Mode Drivers that can be abused to elevate privileges
- MS16-035 is a security update for .NET that patches a security feature bypass in the development framework.