Microsoft today released a lucky 13 bulletins for April, with six rated critical and the others important. In total, Microsoft patched 29 unique CVEs for this round, with the most anticipated patch tied to Badlock.
Microsoft addressed a number of critical browser vulnerabilities found in Internet Explorer and Edge. In the case of IE, Microsoft warned (MS16-037) the browser could allow remote code execution if a user views a specially crafted webpage.
As for the Edge (MS16-038) bulletin, Microsoft said it has fixed a vulnerability tied to the way the browser handles objects in memory and how it handles cross-domain policies. Either could give attackers the same user rights as the current user and allow for remote code execution.
Other impacted software for the remaining critical patches include Adobe Flash Player (MS16-050), Microsoft Office (MS16-042), Microsoft XML Core Services (MS16-040) and Microsoft Graphics Component (MS16-039).
Celebrity vulnerability Badlock was the most anticipated of the lot. The vulnerability (MS16-047) is a man-in-the-middle attack that targets Remote Procedure Call traffic and allows attackers to force a downgrade of the authentication level of the SAM and LSAD channels, and then allow an attacker to impersonate an authenticated user. Badlock, despite the hype, fell flat and was rated only important by Microsoft.
More critical bulletin was in Microsoft Office (MS16-042) that allowed an attacker to cook-up a special Microsoft Office file that if opened would unleash an attack allowing for arbitrary code run on a targeted system.
Perennial vulnerability candidate Adobe Flash Player also received a critical (MS16-050) update. This security update resolved issues tied to the way the player installed on Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10. Microsoft would only say the update fixed Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.
Another critical update (MS16-040) is tied to Microsoft XML Core Service, a set of services that allow applications written in Jscript, VBScript and Microsoft development tools to be used together to build Windows-native XML-based applications. Microsoft said the vulnerability could allow remote code execution if a user clicks a specially crafted link that could allow an attacker to run malicious code remotely to take control of the user’s system.
The last critical vulnerability mentioned is tied to Microsoft Graphics Component (MS16-039) and the way the feature interacts with Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, and Microsoft Lync. Microsoft said it fixed how the Windows font library handles embedded fonts. It wrote, a specially crafted document could allow for remote code execution. It also noted, if a webpage contained a specially crafted embedded font, it could be game over for an Office user who would then be vulnerable to a remote attack.
Important patches addressed a denial of service vulnerability flaw found in way Microsoft handles HTTP.sys (MS16-049). Another important fix addressed a Client/Server Run-Time Subsystem flaw (MS16-048) that could allow security features to be bypassed if an attacker logs on to a targeted system and runs a specially crafted application.
Microsoft also said important updates included (MS16-046), a Secondary Logon flaw that could allow an attacker to run arbitrary code as an administrator. Of interest to enterprise customers, was the important update that fixed Windows Hyper-V virtualization software (MS16-045). According to Microsoft the vulnerability allowed attackers to create specially designed application that cause the Hyper-V software to run arbitrary code.
The last two include important vulnerabilities related to Microsoft Windows OLE (MS16-044) and .NET Framework (MS16-041). In the case of the Microsoft Windows OLE flaw, the vulnerability could allow an attacker to execute malicious software on a targeted system after the victim was tricked into clicking on a specially crafted program embedded in an email or website. In the case of the .NET Framework vulnerability, an attacker could gain local system access if a victim launched a malicious application.