
March Patch Tuesday closes holes in IE, Edge browsers

Despite ending support for Internet Explorer 9 in January, Microsoft continued to issue patches for the older browser.

Microsoft released 13 bulletins, including five critical updates to address remote code execution vulnerabilities, for March Patch Tuesday.

Both Internet Explorer (IE) and Microsoft Edge received critical cumulative security updates that addressed remote code execution (RCE) vulnerabilities. MS16-023 resolved 13 vulnerabilities in IE that could give an attacker the same user rights as the current user and allow the attacker to take control of the affected system.

Of the 13 vulnerabilities MS16-023 addressed, five are for IE 9, which was supposed to be decommissioned in January.

"[MS16-023] actually replaces MS16-009 from the last baseline. MS16-009 was the very first patch that included support for IE 9 after they officially depreciated the support," said Robert Brown, director of services for Verismic Software Inc., based in Aliso Viejo, Calif. "So, a lot of our customers are very happy, because they are not ready to upgrade Internet Explorer 9 yet."  

The second critical cumulative security update, MS16-024, resolved 11 vulnerabilities in the Edge browser that could give an attacker the same rights as the current user.

Both browsers have received cumulative security updates every month since September 2015. The Web gets more complicated and is always changing, which makes it very challenging to patch, said Wolfgang Kandek, CTO for security vendor Qualys Inc., in Redwood City, Calif. At this point, it is a certainty that the browsers will get an update every month.

Some vulnerabilities ranked more imperative  

Microsoft has its own scoring system, but it doesn't always recognize the severity of its vulnerabilities correctly, Brown said. Its ratings are not always in alignment with the Common Vulnerability Scoring System (CVSS), an open industry standard for assessing the severity of a security vulnerability on a scale of zero to 10. MS16-023 has a CVSS of 9.3 and is rated as critical by Microsoft, but MS16-025 has the same CVSS and is only rated important.

Some security analysts said this important bulletin should be at the top of a Windows Server administrator's to-do list, because "that's a vulnerability in the Windows library that will affect Windows Server systems, even if no one is logged into it," Brown said.

MS16-025 could allow an intruder to perform RCE through a vulnerability in the Microsoft Windows library for systems running Windows Vista and Windows Server 2008. The attacker would first need to get behind a system's defenses to execute this attack.

Although Microsoft rated the updates for IE and Edge as critical, they would not receive the highest priority for the Windows Server operating system, Brown said.

"It's very unlikely that anyone is using Internet Explorer on a server," he said. "Usually, servers are running in the background and don't have an active user [on them]."

The remaining critical bulletins

MS16-026 addressed a vulnerability in Windows that could allow RCE if an attacker convinces a user to open a specially crafted document, or to visit a webpage that contains specially crafted, embedded OpenType fonts. The bulletin is rated critical for all supported editions of Windows.

MS16-027 addressed a vulnerability that could allow RCE if a user opens specially crafted media content that is hosted on a website. The update is rated critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10.

The final critical bulletin, MS16-028, addressed a vulnerability that could allow RCE if a user opens a specially crafted PDF file.

Windows 10 may influence Microsoft's patching routine

Altogether, the 13 bulletins released this month address 39 individual vulnerabilities. While the number of bulletins is one of the highest released in a single month, the number of vulnerabilities resolved is significantly lower than in previous months.

"Either [Microsoft] is doing a great job at actually repairing the issues, or they are rolling up the vulnerabilities in a very efficient way," Brown said. "They may be repairing multiple individual vulnerabilities inside a single update."

This could be because the company is following its approach to patching in Windows 10.

"The strategy in Windows 10 is instead of it containing multiple bulletins, it would just be one bulletin," Brown said. "So, you could say that either Microsoft [is] getting a lot better at identifying bugs and fixing them before they become actively exploitable, or they're trying to change the process to match that of Windows 10, which will be a single patch, but it will be more of an [operating system] update, rather than an individual bulletin to repair an individual vulnerability."

With the pending release of Windows Server 2016, Microsoft could take a similar approach to patching as it has with Windows 10, and release updates outside of Patch Tuesday, said Russ Ernst, director of product management with HEAT Software in Milpitas, Calif. 

"For Microsoft to have such an organized method to releasing their update, to go outside of that and follow this cumulative update approach is peculiar," Ernst said.

Patch management should not be a buffet

Security analysts recommended administrators install all patches -- and quickly -- whether they have affected applications or operating systems in their environment or not. The reason is, oftentimes, an attacker will perform a coordinated assault, and exploit multiple vulnerabilities across operating systems and applications. First, the intruder will find a loophole to get into a network, and then find another vulnerability to escalate privileges to steal data or cause damage.

"It's very important to have your machines, your applications, your operating systems fully patched for any security vulnerability," Ernst said. "A lot of attackers take a one-two-three-four approach. It's not about exploiting a single vulnerability any longer."

The other important March Patch Tuesday bulletins

Bulletin MS16-029 closed vulnerabilities in several versions of Microsoft Office, Microsoft Office Services and Web Apps. This security hole could allow an attacker to perform RCE if a user opens a specially constructed Microsoft Office file. The level of rights given to the user will determine how much damage an attacker could do.

MS16-030 addressed a weakness in Windows OLE (Object Linking and Embedding) on systems running Windows Vista, Windows 7, Windows 8.1, Windows RT 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 and Server Core. An attacker could perform an RCE to run malicious code in a system if a user interacts with a specially made program, webpage or email message.

In bulletin MS16-031, a vulnerability in all supported editions of Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 could allow attackers to perform an elevation of privilege if they are able to log into a system and run a special application.

Bulletin MS16-032 addressed an issue with how the Windows Secondary Logon Service manages memory requests. This is a vulnerability that affects all supported editions of Windows. A hacker could get into a system through this security hole, then run code as an administrator to perform functions, such as installing programs, creating users with full user rights or deleting data.

In MS16-033, an attacker would need physical access inside an organization's data center to insert a USB device to perform an elevation of privilege to control a system. This vulnerability deals with how the Windows USB Mass Storage Class driver fails to validate objects in memory. It affects all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10.

Bulletin MS16-034 centers on a vulnerability in all supported editions of Microsoft Windows that could allow an attacker to run code in kernel mode and give them access to data, install programs or create accounts with full rights.

The final important bulletin, MS16-035, closed a security hole with how the Microsoft .NET Framework validates XML documents. This patch deals with Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6 and Microsoft .NET Framework 4.6.1 on affected releases of Microsoft Windows.

More information about the March Patch Tuesday bulletins can be found at Microsoft's Security TechCenter site.
