icetray - Fotolia

Adobe zero-day update gets top billing in April Patch Tuesday

An Adobe zero-day update received top billing as Microsoft released its April Patch Tuesday fixes.

Microsoft issued 13 bulletins for April Patch Tuesday, including a zero-day update for Adobe Flash Player and cumulative security updates for IE and Edge.

There were also seven important bulletins, bringing the total for 2016 up to 50.

"Every one of the 13 bulletins requires reboot, which spells massive headache for admins because you're not secured until the reboot," said Robert Brown, director of services at Verismic Software Inc., in Aliso Viejo, Calif. "Until the reboot, you can still be exploited and susceptible."

This month's batch of patches addresses 173 individual vulnerabilities, more than four times as many flaws that were addressed in last month's Patch Tuesday. There are 29 common vulnerability and exposures, Brown said, which is a dictionary of identifiers for publicly known information security vulnerabilities, but since some cover more than one operating system, they are counted as individuals.

Adobe, Graphics Component updates receives top priority

Security analysts gave MS16-050 the top priority this month. The bulletin resolves a number of vulnerabilities in Adobe Flash Player. Adobe released its own update, APSB16-10, last week, and said it is aware of reports that one of the vulnerabilities is being actively exploited on machines running Windows 10 and earlier with Flash Player version and earlier. Microsoft also released its own zero-day patch for a vulnerability in Windows that allows for privilege elevation.

"Those two vulnerabilities, being able to get into systems through Flash and then being able to escalate to administrator roles using one of the Windows vulnerabilities, that's kind of the one-two punch that an attacker has to have to fully control a system and do whatever he or she wants with it," said Wolfgang Kandek, CTO at security vendor Qualys Inc., in Redwood City, Calif.  

The Adobe vulnerability is crucial to patch, analysts said.

"This is the most important update of the year," Brown said. "The bug can exploit the browser's Flash plug-in, but what makes this so serious is that you don't need to do anything other than access a webpage. If you simply access a webpage, you're infected."

Kandek gave the second highest priority to MS16-039, which resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, and Microsoft Lync. The most severe vulnerability could allow remote code execution (RCE) if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts, but the bulletin also fixes elevation of privilege vulnerabilities that are already being exploited in the wild.

Cumulative security updates for IE, Edge

Internet Explorer (IE) and Microsoft Edge received critical cumulative security updates that addressed RCE vulnerabilities. MS16-037 resolves six vulnerabilities in IE and is rated critical for IE9 and IE11. This is the second update for IE9 since it was decommissioned in January.

MS16-038 also resolves six vulnerabilities in Edge, which is the first time the new browser has had the same number of vulnerabilities as IE. However, all of the Edge vulnerabilities are rated critical, compared to a mix of critical, important and moderate vulnerabilities for IE.

"I see that as a sign that the security research people are giving it more attention than IE," Kandek said.

Remaining critical updates

MS16-042 resolves four vulnerabilities in Microsoft Office, the most severe of which could allow RCE if a user opens a specially crafted Office file. Users with administrative rights are more at risk, and an attacker who gains control of the system could install programs; view, change or delete data; or create new accounts with full user rights.

The Office update is an RTF vulnerability that doesn't require much interaction.

"You can configure Outlook to use Word to show you RTF files automatically," Kandek said. "If you have that configuration running, I could send you an email and you wouldn't even have to open it. You would be automatically infected with Outlook going over that particular email in the preview pane."  Amol Sarwate, director of vulnerability labs at Qualys, recommends turning off the RTF capability to avoid the vulnerability. There is a registry setting called Office File Block that turns off the handling of RTF files by Word.  

MS16-040 resolves an RCE vulnerability in XML Core Services that occurs if a user clicks a specially crafted link to allow an attacker to run malicious code and gain control of the user's system.

"The problem is XML is a complicated file format where you can do lots of things," Kandek said.

Two years ago, there were a number of vulnerabilities being addressed in XML because researchers were focusing on it, but this is the first update for XML in about a year.

Microsoft locks down Badlock

MS16-047 resolves a vulnerability called Badlock that could allow elevation of privilege if an attacker launches a man-in-the-middle attack and logs in as another user for applications that use the SAMR or LSAD protocols. Engineers at Microsoft and Samba, an open source suite, have worked together to resolve the vulnerability. The bug affects all Windows systems.

"It's not a vulnerability, it's a man-in-the-middle attack which implies that the attacker has to be somewhere on the same network on the client end of the server," Sarwate said. "But it can be used in conjunction with other vulnerabilities, and it's not a Windows-only flaw. Most operating systems use this SAMR protocol."

Out of the important bulletins, MS16-045 ranks high for organizations running workloads on Hyper-V. This security update shuts down an RCE vulnerability that could let an attacker run a specially constructed application on a guest operating system to execute arbitrary code on the Hyper-V host.  Systems running Windows 8.1, Windows 10, Windows Server 2012 and Windows 2012 R2 are vulnerable. The Server Core installations of Windows Server 2012 and Windows 2012 R2 are also susceptible.

"This [exploit] is kind of the holy grail of virtualization vulnerability, where I could run something in my guest operating system and break out of it and get to the managing hypervisor," Kandek said. The bulletin was ranked important because someone would already need to have internal access to do any damage, but a company such as a service provider where a lot of staff would have access to the infrastructure would rate this bulletin more highly due to the amount of exposure to the system, Kandek said.

The MS16-041 security update prevents a RCE exploit in the 4.6 and 4.6.1 Microsoft .NET Framework that could allow an intruder to take control of a vulnerable system and perform various attacks, such as deleting data. This bulletin affects systems running Windows Vista, Windows Server 2008, Windows Server 2008 R2, Windows 7 and the Server Core installation of Windows Server 2008 R2.

The MS16-044 bulletin closes a vulnerability in Windows Object Linking and Embedding technology in all supported versions of the Windows operating system, except for Windows 10. This attack requires a user to interact with either a specially craft application from an email message or a website. Once executed, the hacker could perform an RCE attack.

The remaining important updates in this month's Patch Tuesday include:

  • MS16-046 closes a Secondary Logon Service vulnerability in supported versions of Windows 10 that could allow a privilege escalation attack.
  • The patch for MS16-048 closes a memory vulnerability in the Client-Server Runtime Subsystem that would let an attacker run code as an administrator. This bulletin affects systems on Windows 8.1, Windows Server 2012 and 2012 R2, Windows RT 8.1, Windows 10, and Server Core installs of Windows Server 2012 and 2012 R2.
  • MS16-049 closes a denial-of-service vulnerability in the HTTP 2.0 protocol stack in Windows 10 systems.

More information about the April Patch Tuesday bulletins can be found at Microsoft's Security TechCenter site.

Next Steps

Microsoft extends support in IE9 in March Patch Tuesday

Microsoft elevates Adobe Flash fixes in February Patch Tuesday

January Patch Tuesday marks end of support for IE browsers

Dig Deeper on Windows client management