Microsoft released a scant nine bulletins today for Patch Tuesday, but six of them are marked critical and seven can lead to remote code execution.
The updates, which address 25 vulnerabilities will be the last many who run Internet Explorer 8, 9, and 10 will receive unless they elect to update to a newer browser.
The patches, the first of 2016, affect a handful of programs, including Windows, Internet Explorer, Edge, Visual Basic, and Silverlight. In addition to remote code execution, if exploited, some of the vulnerabilities could lead to elevation of privilege and spoofing.
One of the more pressing critical updates, MS16-005, affects Windows’ kernel-mode drivers. An attacker could bypass the way the interface handles objects in memory and trigger an Address Space Layout Randomization (ASLR) bypass. The vulnerability could be exploited if an attacker convinced a user to visit a rigged site, sent a user a booby-trapped email, or tricked a user into navigating to a malicious file via a network share, Microsoft warns.
Five vulnerabilities in Microsoft Office are addressed by another critical bulletin, MS16-004. If a users’ Access Control Policy settings aren’t properly configured, an attacker could bypass multiple security features in SharePoint. Both Visual Basic and Office suffer from a bug – since patched – that could let an attacker bypass ASLR, while Office, and Office software like Visio, Excel, and Word are plagued by multiple remote code execution vulnerabilities – also patched.
Another critical vulnerability, MS16-006, addresses a runtime remote code execution vulnerability in Silverlight, Microsoft’s deprecated application framework. Kurt Baumgartner, Principal Security Researcher, at Kaspersky Lab’s GReAT is calling the bug this month’s “most interesting and most risky,” namely as it implicates those running the software on multiple platforms, including Apple.
Two other critical updates affect two bugs each in the Internet Explorer (MS16-001) and Edge (MS16-002) browsers. The IE updates – the last users running IE8, 9 and 10 will receive – resolve a memory corruption vulnerability in VBScript engine and an elevation of privilege vulnerability that comes as a result of not properly enforcing cross-domain policies. Only the first bug could enable an attacker to execute arbitrary code, officials warn. The Edge updates fix two memory corruption bugs, including one in the Chakra JavaScript engine, and another in Edge itself.
The last critical update, MS16-003, resolves the same vulnerability in VBScript that exists in Internet Explorer. Users who haven’t applied the IE update will want to apply this cumulative one, especially if they’re running Vista, Windows Server 2008, or Server Core installations of Windows Server 2008 R2.
As concerning as some of the critical vulnerabilities are, some experts are remaining focused on some of the issues marked “Important.”
“Personally, I’m keeping my eye on MS16-010,” Bobby Kuzma, CISSP, systems engineer at Core Security said Tuesday, “It’s only rated as important, but I know users and their [mis]behavior, and my spider senses are tingling from the possibilities.”
MS16-10 addresses four vulnerabilities in Exchange Server that can lead to spoofing. OWA fails to properly handle web requests, making it easier for an attacker to inject script or content and dupe the recipient of an email into disclosing sensitive information or visiting a shady site.
Craig Young, a security researcher at Tripwire’s Vulnerability and Exposure Research Team (VERT) warned of the issue on Tuesday as well.
“MS16-10 should be on the top of all Outlook Web Access (OWA) administrators. This patch closes [four] vulnerabilities that could lead to significant and direct financial losses through so called business e-mail compromise (BEC),” Young said, “The ability to make phishing emails legitimately appear to come from an internal address is a tremendous advantage for attackers.”
As you’ve no doubt already heard, the updates of course mark the end of life for IE 8, 9, and 10 – something that may wind up being a serious problem later down the line. It’s unclear whether attackers have been stowing away exploits for these older browsers, but it’s believed they’ll further scrutinize what Microsoft patches in IE 11 and use that as a blueprint of sorts for exploits going forward.
“It is also quite safe to assume that even without attackers stockpiling IE vulnerability information ahead of the support cut-off that attackers will easily learn new attack techniques by analyzing future IE 11 updates,” Young told Threatpost last Friday.