February Patch Tuesday plugs holes in Adobe Flash, Office

Microsoft, taking a cue from Google, elevates fixes for Adobe Flash with a security bulletin in February.

Microsoft released 13 security bulletins, including six ranked critical, for February Patch Tuesday.

One of the critical bulletins addressed an update for Adobe Flash Player, closing 23 critical vulnerabilities to prevent an attacker from overtaking a user's system.

The MS16-022 bulletin for Adobe Flash Player spans all supported versions of Windows, with a patch to update the vulnerable Adobe Flash libraries in Internet Explorer 10, Internet Explorer 11 and Microsoft Edge Web browsers. It appears Microsoft is now taking more responsibility for security holes in one of the Internet's most targeted applications.

Microsoft has updated Flash Player since September 2012, but always as a new update to the existing security advisory 2755801.

It's interesting that Microsoft is now promoting Flash fixes to its own security bulletin, said Russ Ernst, director of product management with HEAT Software in Milpitas, Calif. 

"Microsoft has skirted the line between issuing security bulletins for their own applications, and yet, Flash Player is so ingrained in Internet Explorer that they had to do something to keep the Adobe component updated inside their own applications," he said.

This shift in supplying patches for another company's software isn't unique. Google has added fixes for Adobe Flash to its Chrome browser, which may have spurred Microsoft's decision to make Adobe Flash a first-class citizen in its bulletin releases.

"Google was unconventional [with this update process] at the time," said Wolfgang Kandek, CTO for security vendor Qualys Inc., in Redwood City, Calif. "They said, 'What's the big danger? The big danger is Adobe Flash, and people aren't updating it.' Google said they could do this update in Chrome, which has an automatic update engine."

This observation highlights another shift with how Microsoft has decided to handle patches since it released Windows 10 in 2015 -- all the Windows 10 updates are packaged in a single release.

"You can't pick and choose the individual bulletins like you can with the older platforms, like Windows 7 and Windows 8," Ernst said, adding "once you're on Windows 10, you don't have a choice [with patches.] You're only getting things in lumps."

While administrators may not like how aggressively Microsoft has pushed Windows 10 and the patching model that comes with it, there is a strong argument in favor of upgrading machines to Windows 10. The 2015 Verizon Data Breach Investigations Report showed that 99% of system exploits occurred where a patch for the exploited vulnerability was already available.

"That's a staggering statistic," Ernst said. "If I was fully patched, I would be resistant to 99% of the attacks out there. Keeping your machines fully patched is absolutely the best way to keep your environment secure."

Critical exploit closed in Microsoft Office

Bulletin MS16-015 deals with seven vulnerabilities in Microsoft Office, covering Word, Excel and SharePoint. Three of these vulnerabilities are critical and involve remote code execution through Microsoft Word's rich text format (RTF). A user who selects an email in Microsoft Outlook to view it in the preview pane can trigger the attack without any further interaction.

Microsoft typically rates Office vulnerabilities as important, but because this one can be triggered from the preview pane with no user interaction, it was raised to critical status.

"All you have to do is scroll through your emails. The selected email will get displayed automatically in the preview pane, and then the attack could be running," Kandek said.

The damage to an organization's system could be substantial if the affected user has administrator rights. Kandek recommended that administrators set up Outlook to read emails in plain text and disable RTF files in Microsoft Word through File Block Policy to protect systems from future exploits in this area.
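As an added example, not from the article, here is one way an administrator could apply and then audit the two mitigations Kandek recommends on a single user profile with PowerShell. It assumes Office 2013 (the 15.0 version key) and that the per-user policy values ReadAsPlain (Outlook) and RtfFiles (Word File Block) are the Office Group Policy registry values; adjust the version key for other releases.

```powershell
# Added example: enforce and verify Kandek's two Outlook/Word mitigations
# through per-user Office policy registry values.
# Assumptions: Office 2013 (version key 15.0); ReadAsPlain and RtfFiles are
# the documented Office policy value names; run in the context of the user
# whose profile is being hardened.
$OfficeVersion = '15.0'   # assumption: Office 2013 (use 16.0 for Office 2016)

$Settings = @(
    @{  # Outlook: render every message as plain text in the reading pane
        Path  = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
        Name  = 'ReadAsPlain'
        Value = 1 },
    @{  # Word File Block: 2 = block both opening and saving of RTF files
        Path  = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"
        Name  = 'RtfFiles'
        Value = 2 }
)

function Set-HardeningValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the policy key if it does not exist, then write the DWORD value.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-HardeningValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Read the value back and report whether it matches the expected setting.
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Setting   = "$Path\$Name"
        Expected  = $Value
        Actual    = $actual
        Compliant = ($actual -eq $Value)
    }
}

# Apply both settings, then print a compliance table for the audit trail.
foreach ($s in $Settings) { Set-HardeningValue @s }
foreach ($s in $Settings) { Test-HardeningValue @s } | Format-Table -AutoSize
```

Because these live under the Policies hive, the same values can be pushed domain-wide with the Office Administrative Templates; the audit function alone is useful for confirming that the GPO actually landed on a given workstation.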

Other critical bulletins: IE and Edge, PDF Reader, Journal

Microsoft also released cumulative security updates for both Internet Explorer, in MS16-009, and Microsoft Edge, in bulletin MS16-011. In each case, a user who visits a specially crafted website could allow an attacker to achieve remote code execution and acquire the same rights as the affected user.

In bulletin MS16-009, the severity of the exploit on Internet Explorer 9 and Internet Explorer 11 is critical on supported Windows client operating systems. For supported Windows Server systems, the severity is rated as moderate.

Administrators should note that earlier versions of Internet Explorer are no longer supported by Microsoft and receive no fixes, leaving their users more exposed to attacks.

MS16-012 is another critical update to close a vulnerability in the Microsoft PDF Reader that affects Windows 8.1, Windows 10, Windows Server 2012 and Windows Server 2012 R2. The update prevents an exploit by adjusting the handling of memory during API calls to the PDF library, and by changing how Windows Reader interprets files.

The final critical update, MS16-013, prevents an exploit through Microsoft Journal if a user opens a specially crafted .JNL file. It is rated as critical for all supported versions of Windows.

Important bulletins for Windows operating systems

MS16-014 resolves vulnerabilities in all supported versions of Windows -- from Vista to Windows 10 -- that could allow remote code execution if an attacker is able to run a specially crafted application. Windows Server Technical Preview 4 also is affected, and customers running TP4 are encouraged to apply the update via Windows Update.

MS16-016 resolves an elevation-of-privilege vulnerability in the Microsoft Web Distributed Authoring and Versioning client that could allow an attacker to execute arbitrary code with elevated permissions. The bulletin is rated important for Windows Vista, Windows Server 2008 and 2008 R2, and Windows 7. The update is rated moderate for Windows 8.1 and 8.1 RT, Windows Server 2012 and 2012 R2, and Windows 10.

MS16-017 addresses a flaw that could allow elevation of privilege if an authenticated attacker logs on to a target system using Remote Desktop Protocol and sends specially crafted data over the connection. Systems that do not have RDP enabled are not at risk.

MS16-018 addresses a vulnerability that could allow elevation of privilege if an attacker is able to run a specially crafted program on an affected system. Attackers who gain that access could install programs; view, change or delete data; or create new accounts with full user rights. All supported versions of Windows, as well as TP4, are affected.

Bulletin MS16-019 addresses a denial-of-service vulnerability when the .NET Framework fails to properly handle certain Extensible Stylesheet Language Transformations. An attacker who successfully exploits the flaw could cause the server's performance to degrade significantly to the point of denial of service.

Security bulletin MS16-020 resolves a vulnerability in Active Directory Federation Services that could allow denial of service if an attacker sends certain input data to the ADFS server during forms-based authentication.

The last important bulletin, MS16-021, resolves a flaw that could cause denial of service on a Network Policy Server if an attacker sends specially crafted username strings to the NPS, preventing it from performing RADIUS authentication.

While it's still too early to call it a trend, Microsoft has released more patches at this point this year (22) than the same period last year (17). According to Ernst, at this rate, Microsoft could surpass the record number of 135 bulletins it issued in 2015.


How do you feel about the way Microsoft is handling patches with Windows 10?
Releasing it in bundles means you no longer can test patches individually before integrating them.
I'm delighted their CYA patches are fixing the problems Microsoft left behind. I'm really annoyed that I was conned into buying software that needed constant repairs. 

I know there's a lemon law for cars - why don't we have one for software...?
I have to agree with one of the comments.  I have had too many of the patches break more than they have actually fixed.  This occurs very much so on Enterprise level, and we have turned off the patches until the patches can be tested, then we allow the patching to be done.

I wonder how many of us would still have jobs if we put out code that was that flawed? If you have to dedicate a day of the week for patching your code, I say you're doing something wrong.
"AWFUL" when will this madness stop with "ALL" of these Windows additives such as bug fixes? That's why we have software for that purpose. Sorry
A lot of security folks are of the opinion that applying all patches is one way to maintain a secure environment. But does the new approach to Windows 10 patching cause more harm than good?
@TomWalat - Good point. This is so difficult to quantify and I think the only people who truly know are the ones experiencing the issues in the trenches. Those stories probably make up 99% of what we DON'T hear about.

@ncberns - Agreed. If we had a lemon law for software we'd have a fraction of the security issues we now experience. I'm not one for government intervention in the free market. The free market is putting up with this stuff, but the reality is, software quality/security is such a complex topic that it's practically impossible to quantify, resolve, or guarantee. Too many moving parts.
From what I have still been hearing from others is that they are surprised at the number of patches for a new OS. Why weren't these caught before its release?
I just had another patch break on my Win 10 machine. While I understand that you cannot test for every occurrence, the sheer number of issues is appalling. Windows Update will also block patches for non-Microsoft apps.
Looks like their patching practices and reliability are no different than any other previous OS release. Some work and some break things. Apply at your own risk.