Microsoft started off 2016 with a relatively light January Patch Tuesday, releasing nine security bulletins, six of them rated critical by the Microsoft Security Response Center.
Administrators also should be aware that Microsoft will follow through on its plan to only support the highest version of Internet Explorer (IE) on each supported version of Windows after this round of patches.
Microsoft will also end patches for systems running Windows 8 this month. Administrators still managing Windows 8 must update to either Windows 8.1 or Windows 10 -- both are free from Microsoft -- to receive further security patches.
Clock runs out on IE
After today, Microsoft will only release security patches for the following:
- Internet Explorer 11 on Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, Windows RT and Windows 10;
- Internet Explorer 10 on Windows Server 2012; and
- Internet Explorer 9 on Windows Vista SP2 and Windows Server 2008.
Companies that choose to remain on an unsupported browser do so at their own peril.
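The list above is effectively a support matrix: one patched Internet Explorer version per Windows release, with Windows 8 itself dropping out of patch support this month. The following PowerShell script is an added example, not code from the article or from Microsoft, that turns that matrix into an inventory check a sys admin can run on each host. It assumes it is run with local administrator rights on a Windows host, reads the installed IE version from the well-known registry key HKLM:\SOFTWARE\Microsoft\Internet Explorer (svcVersion on IE10 and later, Version on older releases), and maps the OS version reported by Win32_OperatingSystem to the list above; the function names are the example's own. Windows RT is not handled, since its version string matches Windows 8.1 and this script does not distinguish the two.

```powershell
# Added example (not from the article): report whether this host runs the IE
# version Microsoft continues to patch after the January 2016 Patch Tuesday,
# and flag Windows 8 (client 6.2) hosts that no longer receive patches at all.
# Assumptions: local administrator rights; IE version read from the well-known
# key HKLM:\SOFTWARE\Microsoft\Internet Explorer (svcVersion on IE10+, Version on older IE).

function Get-InstalledIEMajorVersion {
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { return $null }
    # IE10 and later report their real version in svcVersion; 'Version' stays at 9.x
    $raw = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
    if (-not $raw) { return $null }
    return [int]($raw.Split('.')[0])
}

function Get-SupportedIEMajorVersion {
    param(
        [Parameter(Mandatory)][string]$OsVersion,   # e.g. '6.1.7601' as reported by WMI
        [Parameter(Mandatory)][bool]$IsServer
    )
    $v = [version]$OsVersion
    $major = "$($v.Major).$($v.Minor)"
    # Highest IE version Microsoft keeps patching per OS, per the list in the article.
    # $null means the OS itself no longer receives patches (Windows 8 client).
    switch ($major) {
        '6.0'  { return 9 }                                            # Vista SP2 / Server 2008
        '6.1'  { return 11 }                                           # Windows 7 / Server 2008 R2
        '6.2'  { if ($IsServer) { return 10 } else { return $null } }  # Server 2012 / Windows 8
        '6.3'  { return 11 }                                           # Windows 8.1 / Server 2012 R2
        '10.0' { return 11 }                                           # Windows 10
        default { return $null }
    }
}

function Test-IEPatchStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # ProductType 1 = workstation; 2 and 3 = domain controller / server
    $isServer = $os.ProductType -ne 1
    $installed = Get-InstalledIEMajorVersion
    $supported = Get-SupportedIEMajorVersion -OsVersion $os.Version -IsServer $isServer
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = $os.Version
        OSCaption        = $os.Caption
        InstalledIE      = $installed
        PatchedIEVersion = $supported
        Status           = if ($null -eq $supported) { 'OS no longer receives security patches' }
                           elseif ($null -eq $installed) { 'Internet Explorer not found' }
                           elseif ($installed -ge $supported) { 'Supported' }
                           else { "Unsupported: upgrade IE $installed to IE $supported" }
    }
}

Test-IEPatchStatus | Format-List
```

Run it through Invoke-Command against a list of hosts to build a fleet-wide report; any row other than "Supported" is a machine that will stop receiving browser or OS security updates after this month.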
Although the end of support isn't surprising, "there are still a decent amount of people who haven't moved away from these older browsers," said Wolfgang Kandek, CTO for security vendor Qualys Inc., in Redwood City, Calif.
"We still see people on Windows 2003 and Windows XP, so I think it's going to be very similar, where people hold on to these browsers because it still works for them."
Two Windows-based critical vulnerabilities
Two of the critical updates deal with remote code execution (RCE) vulnerabilities in the Windows operating system. A user does not need to click on a dialog box or interact in any way other than visiting a website for these exploits to get triggered.
Bulletin MS16-005 deals with kernel-mode drivers, and is ranked as a critical vulnerability for supported editions of Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. A user on those operating systems who goes to a malicious website would be vulnerable to an exploit that focuses on how the Windows graphics device interface handles objects in memory.
Administrators should consider putting the patch for this exploit at the top of their priority list, because it is "publicly disclosed, which means that some knowledge of that vulnerability is already out there," said Amol Sarwate, director of engineering for Qualys.
Bulletin MS16-003 centers on a vulnerability in JScript and VBScript that could allow an intruder to execute code if a user running supported versions of Windows Vista, Windows Server 2008 or Server Core goes to a specially crafted website.
Security bulletin MS16-004 involves a vulnerability in Microsoft Office that could allow an attacker to run malicious code if a user opens a specially constructed Office file. If the user is logged in as an administrator, the damage from this exploit could be wide-ranging.
"If the attacker sends you a document in email or hosts a document online, and if that document is opened, then the attacker could take complete control of the victim's machine," Sarwate said.
Typically, Office bulletins are ranked important, which means the victim would have to interact with the document to trigger the attack, such as opening the document. This bulletin, however, indicates hackers have managed to bypass some of Microsoft's security mechanisms to make it less difficult to overtake a system.
Critical patches for Internet Explorer, Microsoft Edge
Two other patches center on critical vulnerabilities in both the Internet Explorer and Microsoft Edge browsers.
In security bulletin MS16-001, an attacker could achieve remote code execution after a user visits a specially crafted website. The attacker would then obtain the same rights as the user, which could be serious if that user is at the administrator level. This bulletin concerns systems that are running Internet Explorer 8, Internet Explorer 9, Internet Explorer 10 and Internet Explorer 11.
Bulletin MS16-002 addresses a vulnerability in the Microsoft Edge browser running on Windows 10 systems that could allow RCE if the user goes to a specially crafted website.
MS16-006, the last critical update, concerns a vulnerability in Microsoft Silverlight, which leaves a system susceptible to an attack that originates from a specially crafted Silverlight application.
MS16-007 deals with a vulnerability rated important in supported versions of the Windows operating system that could allow attackers to damage a system if they can log in to a machine and run a specially constructed application.
Bulletin MS16-008 updates all supported versions of Windows that are vulnerable to an elevation of privilege. If attackers enter the system, they could delete data, install programs or create an account that has full user rights.
The last bulletin, MS16-010, concerns an address-spoofing vulnerability in all supported editions of Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016. The patch from Microsoft corrects how Microsoft Exchange Outlook Web App authenticates Web requests.
Sharp-eyed sys admins will note that at first glance, Microsoft issued 10 bulletins, but there is a gap between bulletins MS16-008 and MS16-010.
"Normally, this happens when, very late in the process, a bulletin drops off and Microsoft cannot renumber it," Kandek said. "[Microsoft] ran into a snag with testing, most likely, and the patch wouldn't work on one of the platforms. Typically, it will come out next month, unless it's super urgent or exploited in the wild; [if so], then Microsoft would publish it out of band."