Microsoft released 16 bulletins, with eight tagged as critical, for May's Patch Tuesday.
Internet Explorer (IE) and Microsoft Edge received critical cumulative security updates addressing remote code execution (RCE) vulnerabilities that could give an attacker the same user rights as the current user. If the current user has administrative rights, the attacker could control the affected machine and install programs, or create new accounts with full user rights.
MS16-051, which resolved five vulnerabilities in IE, is rated critical for IE 9 and IE 11 on affected Windows clients. One of the critical vulnerabilities, CVE-2016-0189, is currently under attack in the wild.
"That's the one you want to install quickly. That's a no-brainer," said Wolfgang Kandek, CTO for Qualys Inc., in Redwood City, Calif.
MS16-052 resolved four critical vulnerabilities in Microsoft Edge, none of which is being exploited in the wild. The update addresses the vulnerabilities by modifying how the browser handles objects in memory.
MS16-054 resolved four vulnerabilities in Microsoft Office. An attacker who exploits them could run arbitrary code in the context of the current user, so users whose accounts are configured with fewer rights are less exposed than users with administrative rights. Two of the vulnerabilities are in Rich Text Format (RTF) parsing and can be triggered through the Outlook preview pane, without the user ever opening an attachment.
"[RTF] is a little bit difficult to defend because there are a lot of permutations and combinations you have to go through to thoroughly test it," said Amol Sarwate, director of engineering at Qualys. "RTF vulnerabilities have been attacked 10 years now. It's a little bit difficult to comprehend that we still see it."
Sarwate said RTF is vulnerable because of the combination of legacy features that still have to be supported and new features that have been added; the prevalence of Windows and of RTF files on the Internet also makes the format a prime target for attackers.
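Because the RTF vulnerabilities fire from the Outlook preview pane, patching is the fix but an administrator may also want the usual defence-in-depth settings in place. The following PowerShell is an added example, not part of the article or of Microsoft's bulletin: it reports and, on request, sets Word's File Block policy for RTF (Word renders message bodies for Outlook, so this covers RTF arriving as a message as well as as an attachment) and Outlook's "read all standard mail in plain text" option. The Office version list and the function names are assumptions for the example.

```powershell
# Added example (not from the article). Two well-known Office hardening knobs:
#   1. Word File Block: refuse to open RTF at all (RtfFiles = 2); Word is the
#      mail renderer for Outlook, so this also covers RTF message bodies.
#   2. Outlook "Read all standard mail in plain text" (ReadAsPlain = 1), so
#      rich-text bodies are not rendered in the preview pane.
# Assumption: the Office versions of interest are 2010, 2013 and 2016.
$OfficeVersions = @('14.0', '15.0', '16.0')

function Get-RtfHardeningState {
    param([string[]]$Versions = $OfficeVersions)
    foreach ($v in $Versions) {
        $fileBlock = "HKCU:\Software\Microsoft\Office\$v\Word\Security\FileBlock"
        $mailOpts  = "HKCU:\Software\Microsoft\Office\$v\Outlook\Options\Mail"
        $rtf   = (Get-ItemProperty -Path $fileBlock -Name RtfFiles    -ErrorAction SilentlyContinue).RtfFiles
        $plain = (Get-ItemProperty -Path $mailOpts  -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
        [pscustomobject]@{
            Version     = $v
            RtfBlocked  = ($rtf -eq 2)      # 2 = "Do not open selected file types"
            ReadAsPlain = ($plain -eq 1)
        }
    }
}

function Set-RtfHardening {
    param([string[]]$Versions = $OfficeVersions)
    foreach ($v in $Versions) {
        $fileBlock = "HKCU:\Software\Microsoft\Office\$v\Word\Security\FileBlock"
        $mailOpts  = "HKCU:\Software\Microsoft\Office\$v\Outlook\Options\Mail"
        foreach ($path in @($fileBlock, $mailOpts)) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        }
        # Block RTF outright and do not fall back to Protected View for it.
        Set-ItemProperty -Path $fileBlock -Name RtfFiles            -Value 2 -Type DWord
        Set-ItemProperty -Path $fileBlock -Name OpenInProtectedView -Value 0 -Type DWord
        # Render incoming mail as plain text in the reading pane.
        Set-ItemProperty -Path $mailOpts  -Name ReadAsPlain         -Value 1 -Type DWord
    }
}

# Report the current per-user state; run Set-RtfHardening to apply it.
Get-RtfHardeningState | Format-Table -AutoSize
```

These keys live under HKCU, so in a managed environment they are normally pushed through Group Policy with the Office administrative templates rather than set by hand. Blocking RTF entirely breaks legitimate RTF documents, so test the setting against real workflows before rolling it out; reading mail as plain text is the less intrusive of the two.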
Remaining critical bulletins
MS16-055 resolved RCE vulnerabilities in Microsoft Graphics Component. The update is rated critical for all supported releases of Microsoft Windows. The update addresses the vulnerabilities by correcting how the Windows GDI and Imaging components handle objects in memory.
MS16-056 resolved RCE vulnerabilities in Windows Journal by modifying how it parses Journal files.
MS16-057 resolved RCE vulnerabilities in Windows Shell on Windows Server 2012. An attacker could take control of the system if a user visits a specially crafted website that accepts user-provided online content, or if the attacker convinces the user to open specially crafted content.
The final critical bulletin, MS16-064, resolved RCE vulnerabilities in Adobe Flash Player. An attacker could host a specially crafted webpage designed to exploit the vulnerabilities through IE and convince a user to visit the page. Adobe said it was holding back its own update because another Flash vulnerability, currently under attack, needed to be fixed before that update shipped.
Hole plugged in Internet Information Services
Of the important bulletins, MS16-058 caught the attention of security researchers because of how widely the affected component is deployed. The update closes a hole in Windows Internet Information Services (IIS) on Windows Vista, Windows Server 2008 and Windows Server 2008 Server Core installations. IIS is the platform many organizations use to host an intranet or to share documents with users across the Internet.
"I haven't seen an update for IIS for a while. This looks like a local vulnerability, where the attacker has to be on the system already. These systems tend to be well-managed, so I don't think it's a highly important bulletin, but just by being there, it stands out to us," Kandek said.
The remaining important bulletins
Bulletin MS16-059 closed an RCE vulnerability in Windows Media Center on Windows Vista, Windows 7 and Windows 8.1 that lets an attacker take control of a workstation if a user opens a Media Center link (.mcl) file containing the malicious code.
The Windows Media Center patch highlights the industriousness of attackers, who will concentrate on finding an opening in a less widely known component of the Windows operating system.
"The hackers don't care if it's a Windows Journal file or some other weird format no one uses. They just need one person out of a thousand who will click on the document to run the exploit," Sarwate said.
Bulletin MS16-060 affects all supported releases of Microsoft Windows, from Windows Vista to Windows Server 2016 Technical Preview 5. A symbolic-link parsing flaw in the Windows kernel could let an intruder elevate privileges on the system; after exploiting it to gain higher-level access, the attacker could delete, view or change data, install programs and create accounts with full user rights.
Bulletin MS16-061 closed an elevation-of-privilege vulnerability by adjusting how Windows handles Remote Procedure Call (RPC) requests. An attacker could take over an unpatched system and create an account with full rights by sending it a specially crafted RPC request. This bulletin covers all supported releases of Microsoft Windows, including Windows Server 2016 Technical Preview 5.
Bulletin MS16-062 corrected several memory-handling issues in Windows kernel-mode drivers that could allow an attacker who runs a specially crafted application to elevate privileges. The vulnerabilities affect all supported releases of Windows, including Windows Server 2016 Technical Preview 5.
With bulletin MS16-065, Microsoft closed a man-in-the-middle vulnerability in the Microsoft .NET Framework on affected Windows systems by changing how .NET handles encrypted network packets.
Bulletin MS16-066 corrected the virtual secure mode feature in all supported versions of Windows 10, where an attacker running a specially crafted application could bypass code-integrity protections.
The final important bulletin, MS16-067, fixed an information-disclosure hole in the Volume Manager Driver in all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2 and Windows RT 8.1. On an unpatched system, an attacker could read files and folder information on another user's USB disk mounted over Remote Desktop Protocol via Microsoft RemoteFX.
Administrators are strongly advised to restart Windows systems after applying patches to complete the patch process.
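Several of this month's kernel and driver updates only take effect after a restart, and a host that reports the update as installed can still be running the old code. The following PowerShell is an added example, not from the article: it checks the standard indicators Windows leaves behind when a restart is outstanding (the Component-Based Servicing and Windows Update reboot flags and pending file renames) and lists hotfixes installed recently, so a patch run can be verified host by host. The function names and the seven-day window are assumptions for the example.

```powershell
# Added example (not from the article). Report whether this host still needs
# the restart that completes servicing, and which updates landed recently.
function Test-PendingReboot {
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    # PendingFileRenameOperations holds files the servicing stack could not
    # replace while they were in use; they are swapped in at next boot.
    $pendingRenames = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations `
                        -ErrorAction SilentlyContinue).PendingFileRenameOperations

    $indicators = [ordered]@{
        ComponentBasedServicing = Test-Path $cbs
        WindowsUpdate           = Test-Path $wu
        PendingFileRename       = [bool]$pendingRenames
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RebootPending = ($indicators.Values -contains $true)
        Reasons       = (($indicators.GetEnumerator() | Where-Object Value | ForEach-Object Key) -join ', ')
    }
}

function Get-RecentHotfix {
    param([int]$Days = 7)   # assumption: "recent" means the last week
    $since = (Get-Date).AddDays(-$Days)
    Get-HotFix | Where-Object { $_.InstalledOn -ge $since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

Test-PendingReboot
Get-RecentHotfix | Format-Table -AutoSize
```

Get-HotFix reads the same data as wmic qfe and accepts -ComputerName, so the same check can be run across a fleet from a management host. A true RebootPending alongside a freshly installed kernel or driver update means the vulnerable code is still loaded and the bulletin should not yet be counted as remediated.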
Changes with Windows updates
In April, Microsoft sent an email informing customers that a security update for Microsoft Graphics Component that was released as bulletin MS16-039 had been revised.
The email also said, as of May's security bulletins, all Windows updates would be available only through the Microsoft Update Catalog, not through the Download Center. Sarwate said the change is not something that would affect either home users or corporate users, but it's a different way of getting updates.
For more information about the May Patch Tuesday security bulletins, visit Microsoft's Security TechCenter site.