
February Patch Tuesday plugs holes in Adobe Flash, Office

Microsoft, taking a cue from Google, elevates fixes for Adobe Flash with a security bulletin in February.

Microsoft released 13 security bulletins, including six ranked critical, for February Patch Tuesday.

One of the critical bulletins addressed an update for Adobe Flash Player, closing 23 critical vulnerabilities to prevent an attacker from overtaking a user's system.

The MS16-022 bulletin for Adobe Flash Player spans all supported versions of Windows, with a patch to update the vulnerable Adobe Flash libraries in Internet Explorer 10, Internet Explorer 11 and Microsoft Edge Web browsers. It appears Microsoft is now taking more responsibility for security holes in one of the Internet's most targeted applications.

Microsoft has updated Flash Player since September 2012, but always as a new update to the existing security advisory 2755801.

It's interesting that Microsoft is now promoting Flash fixes to its own security bulletin, said Russ Ernst, director of product management with HEAT Software in Milpitas, Calif. 

"Microsoft has skirted the line between issuing security bulletins for their own applications, and yet, Flash Player is so engrained in Internet Explorer that they had to do something to keep the Adobe component updated inside their own applications," he said.

This shift in supplying patches for another company's software isn't unique. Google has added fixes for Adobe Flash to its Chrome browser, which may have spurred Microsoft's decision to make Adobe Flash a first-class citizen in its bulletin releases.

"Google was unconventional [with this update process] at the time," said Wolfgang Kandek, CTO for security vendor Qualys Inc., in Redwood City, Calif. "They said, 'What's the big danger? The big danger is Adobe Flash, and people aren't updating it.' Google said they could do this update in Chrome, which has an automatic update engine."

This observation highlights another shift with how Microsoft has decided to handle patches since it released Windows 10 in 2015 -- all the Windows 10 updates are packaged in a single release.

"You can't pick and choose the individual bulletins like you can with the older platforms, like Windows 7 and Windows 8," Ernst said, adding "once you're on Windows 10, you don't have a choice [with patches.] You're only getting things in lumps."

While administrators may not like how aggressively Microsoft has pushed Windows 10 and the patching model that comes with it, there is a strong argument in favor of upgrading machines to Windows 10. The 2015 Verizon Data Breach Investigations Report showed that 99% of system exploits targeted vulnerabilities for which a patch was already available and would have prevented the attack.

"That's a staggering statistic," Ernst said. "If I was fully patched, I would be resistant to 99% of the attacks out there. Keeping your machines fully patched is absolutely the best way to keep your environment secure."

Critical exploit closed in Microsoft Office

Bulletin MS16-015 deals with seven vulnerabilities in Microsoft Office, affecting Word, Excel and SharePoint. Three of these vulnerabilities are critical and allow remote code execution through Microsoft Word's handling of rich text format (RTF). A user who merely selects a message in Microsoft Outlook so that it is displayed in the preview pane can trigger the attack without any further interaction.

Microsoft typically rates Office vulnerabilities as important, but because this one can be triggered with so little user interaction, it was raised to critical status.

"All you have to do is scroll through your emails. The selected email will get displayed automatically in the preview pane, and then the attack could be running," Kandek said.

The damage to an organization's systems could be substantial if the affected user has administrator rights. Kandek recommended that administrators configure Outlook to read email in plain text and block RTF files in Microsoft Word through File Block Policy to protect systems from future exploits in this area.
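The two workarounds Kandek recommends are per-user Office registry settings, so they can be applied with a short PowerShell script. The script below is an added example, not something from the article, Microsoft or the quoted vendors. The key paths and value names (Outlook's ReadAsPlain, Word's FileBlock\RtfFiles and OpenInProtectedView) are taken from Microsoft's published Office workaround guidance as recalled by the editor; the Office version segment of the path is a parameter because it differs per installation. Verify the values against the current bulletin and test on one machine before wider deployment.

```powershell
# Added example (not from the article): apply the Outlook plain-text and Word RTF
# File Block mitigations for the current user. Registry paths and value names follow
# Microsoft's documented Office workarounds as recalled here; confirm before deploying.
# Office version: '16.0' = Office 2016, '15.0' = Office 2013, '14.0' = Office 2010.
param(
    [ValidateSet('14.0', '15.0', '16.0')]
    [string]$OfficeVersion = '16.0'
)

$outlookMail   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
$wordFileBlock = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"

# Create the key if it is missing, then write (or overwrite) a DWORD value.
function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Outlook: render all messages as plain text in the reading/preview pane,
#    so an RTF body is never parsed by the Word rendering engine on preview.
Set-DwordValue -Path $outlookMail -Name 'ReadAsPlain' -Value 1

# 2. Word File Block Policy: RtfFiles = 2 blocks both opening and saving RTF;
#    OpenInProtectedView = 0 means blocked files are not opened at all,
#    not even in Protected View.
Set-DwordValue -Path $wordFileBlock -Name 'RtfFiles' -Value 2
Set-DwordValue -Path $wordFileBlock -Name 'OpenInProtectedView' -Value 0

# Read the values back so the change can be verified (expected: 1, 2, 0).
Get-ItemProperty -Path $outlookMail   -Name 'ReadAsPlain'
Get-ItemProperty -Path $wordFileBlock -Name 'RtfFiles', 'OpenInProtectedView'
```

These are HKCU settings and only affect the user running the script. For an organization-wide rollout the same settings are better pushed through Group Policy with the Office administrative templates, which also prevents users from silently reverting them. Blocking RTF outright will break legitimate RTF workflows, so inventory who actually exchanges .rtf documents before enforcing it.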

Other critical bulletins: IE and Edge, PDF Reader, Journal

Microsoft also released cumulative security updates for Internet Explorer in MS16-009 and for Microsoft Edge in bulletin MS16-011. In each case, a user who visits a specially crafted website could allow an attacker to execute code remotely with the same rights as the affected user.

In bulletin MS16-009, the severity of the exploit on Internet Explorer 9 and Internet Explorer 11 is critical on supported Windows client operating systems. For supported Windows Server systems, the severity is rated as moderate.

Administrators should note that earlier versions of Internet Explorer are no longer supported by Microsoft, leaving users of those versions more exposed to attacks.

MS16-012 is another critical update to close a vulnerability in the Microsoft PDF Reader that affects Windows 8.1, Windows 10, Windows Server 2012 and Windows Server 2012 R2. The update prevents an exploit by adjusting the handling of memory during API calls to the PDF library, and by changing how Windows Reader interprets files.

The final critical update, MS16-013, prevents an exploit through Microsoft Journal if a user opens a specially crafted .JNL file. It is rated as critical for all supported versions of Windows.

Important bulletins for Windows operating systems

MS16-014 resolves vulnerabilities in all supported versions of Windows -- from Vista to Windows 10 -- that could allow remote code execution if an attacker is able to run a specially crafted application. Windows Server Technical Preview 4 also is affected, and customers running TP4 are encouraged to apply the update via Windows Update.

MS16-016 resolves an elevation-of-privilege vulnerability in the Microsoft Web Distributed Authoring and Versioning client that could allow an attacker to execute arbitrary code with elevated permissions. The bulletin is rated important for Windows Vista, Windows Server 2008 and 2008 R2, and Windows 7. The update is rated moderate for Windows 8.1 and 8.1 RT, Windows Server 2012 and 2012 R2, and Windows 10.

MS16-017 addresses a flaw that could allow elevation of privilege if an authenticated attacker logs on to a target system using Remote Desktop Protocol and sends specially crafted data over the connection. Systems that do not have RDP enabled are not at risk.

MS16-018 addresses a vulnerability that could allow elevation of privilege if an attacker is able to run a specially crafted program on an affected system. An attacker who gains that access could install programs; view, change or delete data; or create new accounts with full user rights. All supported versions of Windows, as well as TP4, are affected.

Bulletin MS16-019 addresses a denial-of-service vulnerability when the .NET Framework fails to properly handle certain Extensible Stylesheet Language Transformations. An attacker who successfully exploits the flaw could cause the server's performance to degrade significantly to the point of denial of service.

Security bulletin MS16-020 resolves a vulnerability in Active Directory Federation Services that could allow denial of service if an attacker sends certain input data to the ADFS server during forms-based authentication.

The last important bulletin, MS16-021, resolves a flaw that could cause denial of service on a Network Policy Server if an attacker sends specially crafted username strings to the NPS, preventing it from processing RADIUS authentication requests.

While it's still too early to call it a trend, Microsoft has released more patches at this point this year (22) than the same period last year (17). According to Ernst, at this rate, Microsoft could surpass the record number of 135 bulletins it issued in 2015.
