May 2016 Shavlik Patch Tuesday Presentation
•Descargar como PPTX, PDF•
1 recomendación•253 vistas
See full blog post here: http://blog.shavlik.com/may-patch-tuesday-2016/ May’s Patch Tuesday has a few juicy surprises for us. On the Microsoft side, there is one vulnerability being exploited in the wild that affects both Internet Explorer (MS16-051) and Windows (MS16-053). Additionally, two public disclosures will raise concerns with Internet Explorer (MS16-051) and .Net Framework (MS16-065). We also have a Zero Day in Flash Player from Adobe that has caused some confusion considering Adobe just published an Advisory page (APSA16-02) stating the update resolves CVE-2016-4117, which was reported to Adobe by a researcher at FireEye, a security firm. We are also seeing Microsoft publish MS16-064, a bulletin to update Adobe Flash Player plug-in support for Windows and Internet Explorer; which has details of APSB16-15, including 24 CVEs that will be included in the update. So, the question is, why did Adobe not release the update? Will Microsoft end up pulling the bundled version in MS16-064 when the Adobe bulletin releases next week?
Recomendados
Más contenido relacionado
Destacado
Destacado (16)
Más de LANDESK
Último
Último (20)
May 2016 Shavlik Patch Tuesday Presentation
- 1. Patch Tuesday Webinar Wednesday, May 11th, 2016 Chris Goettl • Sr. Product Manager Dial In: 1-855-749-4750 (US) Attendees: 928 200 786
- 2. Agenda May 2016 Patch Tuesday Overview Known Issues Bulletins Q & A 1 2 3 4
- 3. Best Practices Privilege Management Mitigates Impact High Threat Level vulnerabilities warrant fast rollout. 2 weeks or less is ideal to reduce exposure. User Targeted – Whitelisting and Containerization mitigate
- 7. News – Adobe Zero Day update releasing tomorrow (MOST LIKELY) Expect a Chrome update Expect another Microsoft Security Bulletin FireFox will have a variation to be updated as well QuickTime EOL for Windows Apple says remove it! Shavlik released QuickTime Removal Tool Windows 10 Pro GPO control of App Store not supported AppSense Application Manager can still support this!
- 8. CSWU-024: Cumulative update for Windows 10: May 10, 2016 Maximum Severity: Critical Affected Products: Windows 10, Edge, Internet Explorer, .Net Framework Description: This update for Windows 10 includes functionality improvements and resolves the vulnerabilities in Windows that are described in the following Microsoft security bulletins and advisory: MS16-051, MS16-052, MS16-055, MS16-056, MS16-057, MS16-060, MS16-061, MS16-062, MS16-064, MS16-065, MS16-066 Impact: Remote Code Execution, Elevation of Privilege, Security Feature Bypass Fixes 25 vulnerabilities: CVE-2016-0149, CVE-2016-0168, CVE-2016-0169, CVE-2016-0170, CVE-2016-0171, CVE-2016-0173, CVE-2016-0174, CVE-2016- 0175, CVE-2016-0176, CVE-2016-0178, CVE-2016-0179, CVE-2016-0180, CVE-2016-0181, CVE-2016-0182, CVE-2016-0184, CVE-2016-0186, CVE-2016-0187, CVE-2016-0188, CVE-2016-0189 (Exploited), CVE-2016-0191, CVE-2016-0192, CVE-2016- 0193, CVE-2016-0194, CVE-2016-0195, CVE-2016-0196, CVE-2016-0197 Restart Required: Requires Restart
- 9. MS16-051: Cumulative Security Update for Internet Explorer (3155533) Maximum Severity: Critical Affected Products: Internet Explorer Description: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Impact: Remote Code Execution Fixes 5 vulnerabilities: CVE-2016-0187, CVE-2016-0188 (Publicly Disclosed), CVE-2016-0189 (Exploited), CVE-2016-0192, CVE-2016-0194 Restart Required: Requires Restart
- 10. MS16-052: Cumulative Security Update for Microsoft Edge (3155538) Maximum Severity: Critical Affected Products: Edge Description: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights. Impact: Remote Code Execution Fixes 4 vulnerabilities: CVE-2016-0186, CVE-2016-0191, CVE-2016-0192, CVE-2016-0193 Restart Required: Requires Restart
- 11. MS16-053: Cumulative Security Update for JScript and VBScript (3156764) Maximum Severity: Critical Affected Products: Windows Description: This security update resolves vulnerabilities in the JScript and VBScript scripting engines in Microsoft Windows. The vulnerabilities could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Impact: Remote Code Execution Fixes 2 vulnerabilities: CVE-2016-0187, CVE-2016-0189 (Exploited) Restart Required: May Require Restart
- 12. MS16-054: Security Update for Microsoft Office (3155544) Maximum Severity: Critical Affected Products: Office, SharePoint Description: This security update resolves vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Impact: Remote Code Execution Fixes 4 vulnerabilities: CVE-2016-0126, CVE-2016-0140, CVE-2016-0183, CVE-2016-0198 Restart Required: May Require Restart
- 13. MS16-055: Security Update for Microsoft Graphics Component (3156754) Maximum Severity: Critical Affected Products: Windows Description: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a specially crafted website. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Impact: Remote Code Execution Fixes 5 vulnerabilities: CVE-2016-0168, CVE-2016-0169, CVE-2016-0170, CVE-2016-0184, CVE-2016-0195 Restart Required: Requires Restart
- 14. MS16-056: Security Update for Windows Journal (3156761) Maximum Severity: Critical Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Impact: Remote Code Execution Fixes 1 vulnerabilities: CVE-2016-0182 Restart Required: May Require Restart
- 15. MS16-057: Security Update for Windows Shell (3156987) Maximum Severity: Critical Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website that accepts user-provided online content, or convinces a user to open specially crafted content. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Impact: Remote Code Execution Fixes 1 vulnerabilities: CVE-2016-0179 Restart Required: Requires Restart
- 16. MS16-064: Security Update for Adobe Flash Player (3157993) Maximum Severity: Critical Affected Products: Adobe Flash Player, Windows Description: This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10. Impact: Remote Code Execution Fixes 24 vulnerabilities: CVE-2016-1096, CVE-2016-1097 CVE-2016-1098 CVE-2016-1099 CVE-2016-1100 CVE-2016-1101 CVE-2016-1102 CVE-2016- 1103 CVE-2016-1104 CVE-2016-1105 CVE-2016-1106 CVE-2016-1107 CVE-2016-1108 CVE-2016-1109 CVE-2016-1110 CVE- 2016-4108 CVE-2016-4109 CVE-2016-4110 CVE-2016-4111 CVE-2016-4112 CVE-2016-4113 CVE-2016-4114 CVE-2016-4115, CVE-2016-4116 Restart Required: Requires Restart
- 17. MS16-065: Security Update for .NET Framework (3156757) Maximum Severity: Important Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could cause information disclosure if an attacker injects unencrypted data into the target secure channel and then performs a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server. Impact: Information Disclosure Fixes 1 vulnerabilities: CVE-2016-0149 (Publicly Disclosed) Restart Required: May Require Restart
- 18. APSA16-02 + APSB16-015: Security Advisory for Adobe Flash Player Maximum Severity: Critical Affected Products: Adobe Flash Player Description: Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. • Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier. Please refer to APSA16-01 for details . Impact: Remote Code Execution Fixes 25 vulnerabilities: CVE-2016-1096, CVE-2016-1097 CVE-2016-1098 CVE-2016-1099 CVE-2016-1100 CVE-2016-1101 CVE-2016-1102 CVE-2016- 1103 CVE-2016-1104 CVE-2016-1105 CVE-2016-1106 CVE-2016-1107 CVE-2016-1108 CVE-2016-1109 CVE-2016-1110 CVE- 2016-4108 CVE-2016-4109 CVE-2016-4110 CVE-2016-4111 CVE-2016-4112 CVE-2016-4113 CVE-2016-4114 CVE-2016-4115, CVE-2016-4116, CVE-2016-4117 (Exploited) Restart Required: Requires Restart
- 19. APSB16-14: Security Updates Available for Adobe Acrobat and Reader Maximum Severity: Important Affected Products: Adobe Acrobat and Reader Description: Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Impact: Remote Code Execution Fixes 82 vulnerabilities: CVE-2016-1037, CVE-2016-1038, CVE-2016-1039, CVE-2016-1040, CVE-2016-1041, CVE-2016-1042, CVE-2016-1043, CVE-2016- 1044, CVE-2016-1045, CVE-2016-1046, CVE-2016-1047, CVE-2016-1048, CVE-2016-1049, CVE-2016-1050, CVE-2016-1051, CVE-2016-1052, CVE-2016-1053, CVE-2016-1054, CVE-2016-1055, CVE-2016-1056, CVE-2016-1057, CVE-2016-1058, CVE-2016- 1059, CVE-2016-1060, CVE-2016-1061, CVE-2016-1062, CVE-2016-1063, CVE-2016-1064, CVE-2016-1065, CVE-2016-1066, CVE-2016-1067, CVE-2016-1068, CVE-2016-1069, CVE-2016-1070, CVE-2016-1071, CVE-2016-1072, CVE-2016-1073, CVE-2016- 1074, CVE-2016-1075, CVE-2016-1076, CVE-2016-1077, CVE-2016-1078, CVE-2016-1079, CVE-2016-1080, CVE-2016-1081, CVE-2016-1082, CVE-2016-1083, CVE-2016-1084, CVE-2016-1085, CVE-2016-1086, CVE-2016-1087, CVE-2016-1088, CVE-2016- 1090, CVE-2016-1092, CVE-2016-1093, CVE-2016-1094, CVE-2016-1095, CVE-2016-1112, CVE-2016-1116, CVE-2016-1117, CVE-2016-1118, CVE-2016-1119, CVE-2016-1120, CVE-2016-1121, CVE-2016-1122, CVE-2016-1123, CVE-2016-1124, CVE-2016- 1125, CVE-2016-1126, CVE-2016-1127, CVE-2016-1128, CVE-2016-1129, CVE-2016-1130, CVE-2016-4088, CVE-2016-4089, CVE-2016-4090, CVE-2016-4091, CVE-2016-4092, CVE-2016-4093, CVE-2016-4094, CVE-2016-4096, CVE-2016-4097, CVE-2016- 4098, CVE-2016-4099, CVE-2016-4100, CVE-2016-4101, CVE-2016-4102, CVE-2016-4103, CVE-2016-4104, CVE-2016-4105, CVE-2016-4106, CVE-2016-4107 Restart Required:
- 20. MS16-058: Security Update for Windows IIS (3141083) Maximum Severity: Important Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.. Impact: Remote Code Execution Fixes 1 vulnerabilities: CVE-2016-0152 Restart Required: Requires Restart
- 21. MS16-059: Security Update for Windows Media Center (3150220) Maximum Severity: Important Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Impact: Remote Code Execution Fixes 1 vulnerabilities: CVE-2016-0185 Restart Required: May Require Restart
- 22. MS16-060: Security Update for Windows Kernel (3154846) Maximum Severity: Important Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. Impact: Elevation of Privilege Fixes 1 vulnerabilities: CVE-2016-0180 Restart Required: Requires Restart
- 23. MS16-061: Security Update for Microsoft RPC (3155520) Maximum Severity: Important Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an unauthenticated attacker makes malformed Remote Procedure Call (RPC) requests to an affected host. Impact: Elevation of Privilege Fixes 1 vulnerabilities: CVE-2016-0178 Restart Required: Requires Restart
- 24. MS16-062: Security Update for Windows Kernel-Mode Drivers (3158222) Maximum Severity: Important Affected Products: Windows Description: This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. Impact: Elevation of Privilege Fixes 7 vulnerabilities: CVE-2016-0171, CVE-2016-0173, CVE-2016-0174, CVE-2016-0175, CVE-2016-0176, CVE-2016-0196, CVE-2016-0197 Restart Required: Requires Restart
- 25. MS16-066: Security Update for Virtual Secure Mode (3155451) Maximum Severity: Important Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker runs a specially crafted application to bypass code integrity protections in Windows. Impact: Security Feature Bypass Fixes 1 vulnerabilities: CVE-2016-0181 Restart Required: Requires Restart
- 26. MS16-067: Security Update for Volume Manager Driver (3155784) Maximum Severity: Important Affected Products: Windows Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure if a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user. Impact: Information Disclosure Fixes 1 vulnerabilities: CVE-2016-0190 Restart Required: May Require Restart
- 27. Between Patch Tuesdays New Product Support: Adobe Flash Pepper Plugin and Debugger, CoreFTP 2 x64, Foxit PhantomPDF 7, AutoCAD 2016 and 2017, Nitro Pro 10 Security Updates: Chrome (2), FireFox (3), Thunderbird, Flash Pepper Plugin, Skype (2), Apache Tomcat, Flash Player (2), Java, WireShark, FileZilla (2), TortoiseSVN Non-Security Updates: Microsoft (70+), Dropbox, GoToMeeting, CoreFTP, BoxSync, LibreOffice, Google Drive, GoodSync (2), CCleaner, HipChat, PDFXchange, TeamViewer, Citrix XenApp, KeePass, AutoCAD, Citrix Receiver, Nitro Pro Security Tools: QuickTime removal tool
- 29. • Why should you attend? • Great Value: • Two days of hands on and deep dive product sessions for less than one day of consulting services • Interaction with Shavlik Product Managers and Systems Engineers • Tech-Summit Pass $995 • And, of course, because its Vegas baby! • For details see: • http://www.shavlik.com/tech-summit/
- 30. Resources and Webinars Get Shavlik Content Updates Get Social with Shavlik Sign up for next months Patch Tuesday Webinar Watch previous webinars and download presentation.
- 31. Thank you
Notas del editor
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. Ensure that your Internet Explorer version is at the latest for the OS you are installed on. Microsoft is only updating the latest version for each supported OS since January 2016. For details please see: https://support.microsoft.com/en-us/lifecycle#gp/Microsoft-Internet-Explorer User Targeted - Privilege Management Mitigates Impact CVE-2016-0189 (Exploited) – Scripting Engine Memory Corruption Multiple remote code execution vulnerabilities exist in the way that the JScript and VBScript engines render when handling objects in memory in Internet Explorer. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. The update addresses the vulnerabilities by modifying how the JScript and VBScript scripting engines handle objects in memory. CVE-2016-0188 (Publicly Disclosed) – Security Feature Bypass A security feature bypass vulnerability for Internet Explorer exists in the User Mode Code Integrity (UMCI) component of Device Guard, when it improperly validates code integrity. An attacker who successfully exploited this vulnerability could execute unsigned code that would normally be blocked by UMCI. To exploit the vulnerability, an attacker could run unsigned malicious code as though it were signed by a trusted source. The updates address the vulnerability by correcting how Internet Explorer validates code integrity.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User targeted vulnerabilities – Privilege Management Mitigates Impact Multiple Scripting Engine Memory Corruption Vulnerabilities Multiple remote code execution vulnerabilities exist in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. The update addresses the vulnerabilities by modifying how the Chakra JavaScript scripting engine handles objects in memory.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted - Privilege Management Mitigates Impact CVE-2016-0189 (Exploited) - Multiple Scripting Engine Memory Corruption Vulnerabilities Multiple remote code execution vulnerabilities exist in the way that the JScript and VBScript engines render when handling objects in memory in Internet Explorer. The vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. The update addresses the vulnerabilities by modifying how the JScript and VBScript scripting engines handle objects in memory. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted - Privilege Management Mitigates Impact Multiple Microsoft Office Memory Corruption Vulnerabilities Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file. The security update addresses the vulnerabilities by correcting how Office handles objects in memory. Microsoft Office Graphics RCE Vulnerability - CVE-2016-0183 A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. There are multiple ways an attacker could exploit this vulnerability. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability, and then convince a user to view the website. An attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by getting the user to click a link in an email or in an Instant Messenger message that takes the user to the attacker's website, or by opening an attachment sent through email. In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince a user to open the document file. Note that where the severity is indicated as Critical in the Affected Software and Vulnerability Severity Ratings table, the Preview Pane is an attack vector for CVE-2016-0183. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted - Privilege Management Mitigates Impact Multiple Windows Graphics Component Information Disclosure Vulnerabilities Information disclosure vulnerabilities exist when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerabilities could obtain information to further compromise the user’s system. There are multiple ways an attacker could exploit the vulnerabilities, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The update addresses the vulnerabilities by correcting how the Windows GDI component handle objects in memory. CVE-2016-0170, CVE-2016-0195, CVE-2016-0184 There are multiple ways an attacker could exploit the vulnerability: In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email. In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability, and then convince a user to open the document file. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in the memory.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted - Privilege Management Mitigates Impact Windows Journal Memory Corruption Vulnerability- CVE-2016-0182 A remote code execution vulnerability exists in Microsoft Windows when a specially crafted Journal file is opened in Windows Journal. An attacker who successfully exploited this vulnerability could cause arbitrary code to execute in the context of the current user. If a user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. For an attack to be successful, this vulnerability requires that a user open a specially crafted Journal file with an affected version of Windows Journal. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Journal file to the user, and then convincing the user to open the file. The update addresses the vulnerability by modifying how Windows Journal parses Journal files.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted - Privilege Management Mitigates Impact Windows Shell Remote Code Execution Vulnerability – CVE-2016-0179 A remote code execution vulnerability exists when Windows Shell improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email or Instant Messenger message that takes them to the attacker's site. The security update fixes this vulnerability by correcting how Windows Shell handles objects in memory.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted To fully patch Flash Player you need to update the Player and plug-ins in all browsers. This could mean 4 updates for Flash, Flash for IE, Flash for Firefox, and Chrome. A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. CVE-2016-0149 (Publicly Disclosed) TLS/SSL Information Disclosure Vulnerability - CVE-2016-0149 An information disclosure vulnerability exists in the TLS/SSL protocol, implemented in the encryption component of Microsoft .NET Framework. An attacker who successfully exploited this vulnerability could decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server. The update addresses the vulnerability by modifying the way that the .NET encryption component sends and receives encrypted network packets. Important Microsoft recommends that customers download and test the applicable update in controlled/managed environments before deploying it in their production environments. In case of application compatibility issues, the recommended approach is to ensure that the server and client endpoints are correctly implementing the TLS RFC, and that they can interpret two split records containing 1, n-1 bytes respectively after this update. For more information and developer guidance, see Microsoft Knowledge Base Article 3155464 https://support.microsoft.com/kb/3155464.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted To fully patch Flash Player you need to update the Player and plug-ins in all browsers. This could mean 4 updates for Flash, Flash for IE, Flash for Firefox, and Chrome. A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release. User Targeted
- Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. Privilege Management Mitigates Impact Windows DLL Loading Remote Code Execution Vulnerability - CVE-2016-0152 A remote code execution vulnerability exists when Microsoft Windows fails to properly validate input before loading certain libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker must first gain access to the local system and have the ability to execute a malicious application. The security update addresses the vulnerability by correcting how Windows validates input when loading certain libraries.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. User Targeted - Privilege Management Mitigates Impact Windows Media Center Remote Code Execution Vulnerability - CVE-2016-0185 A vulnerability exists in Windows Media Center that could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploited this vulnerability could take control of an affected system. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Workstations are primarily at risk of this vulnerability. To exploit the vulnerability, user interaction is required. In a web-browsing scenario, a user would have to navigate to a compromised website that an attacker is using to host a malicious .mcl file. In an email attack scenario, an attacker would have to convince a user who is logged on to a vulnerable workstation to click a specially crafted link in an email. The security update addresses the vulnerability by correcting how Windows Media Center handles certain resources in the .mcl file.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. Windows Kernel Elevation of Privilege Vulnerability - CVE-2016-0180 An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel parses symbolic links.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. RPC Network Data Representation Engine Elevation of Privilege Vulnerability - CVE-2016-0178 An elevation of privilege vulnerability exists in the way that Microsoft Windows handles specially crafted Remote Procedure Call (RPC) requests. A privilege elevation can occur when the RPC Network Data Representation (NDR) Engine improperly frees memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An unauthenticated attacker could exploit the vulnerability by making malformed RPC requests to an affected host. The update addresses this vulnerability by modifying the way that Microsoft Windows handles RPC messages.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. Multiple Win32k Elevation of Privilege Vulnerabilities Multiple elevation of privilege vulnerabilities exist in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit the vulnerabilities, an attacker would first have to log on to the target system. An attacker could then run a specially crafted application that could exploit the vulnerabilities and take control over an affected system. The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory. Win32k Information Disclosure Vulnerability - CVE-2016-0175 A security feature bypass vulnerability exists in Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. An attacker who successfully exploited this vulnerability could retrieve the memory address of a kernel object. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability by correcting how the Windows kernel handles memory addresses. Microsoft DirectX Graphics Kernel Subsystem Elevation of Privilege Vulnerability – CVE-2016-0176 An elevation of privilege vulnerability exists when the DirectX Graphics kernel subsystem (dxgkrnl.sys) improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system. An attacker who successfully exploited this vulnerability could run processes in an elevated context. The update addresses the vulnerability by correcting the way in which the Microsoft DirectX graphics kernel subsystem handles objects in memory.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. Windows 10 only, will show up in Protect scans as CSWU-024 on windows 10 systems. Hypervisor Code Integrity Security Feature Bypass – CVE-2016-0181 A security feature bypass vulnerability exists when Windows incorrectly allows certain kernel-mode pages to be marked as Read, Write, Execute (RWX) even with Hypervisor Code Integrity (HVCI) enabled. To exploit this vulnerability, an attacker could run a specially crafted application to bypass code integrity protections in Windows. The security update addresses the vulnerability by correcting security feature behavior to preclude the incorrect marking of RWX pages under HVCI.
- Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks. Remote Desktop Protocol Drive Redirection Information Disclosure Vulnerability - CVE-2016-0190 An information disclosure vulnerability exists in Microsoft Windows when a USB disk mounted over Remote Desktop Protocol (RDP) via Microsoft RemoteFX is not correctly tied to the session of the mounting user. An attacker who successfully exploited this vulnerability could obtain access to file and directory information on the mounting user’s USB disk. This update addresses the vulnerability by ensuring that access to USB disks over RDP is correctly enforced to prevent non-mounting session access.
- Use registration code “Int2016Shavlik”
- Sign up for Content Announcements: Email http://www.shavlik.com/support/xmlsubscribe/ RSS http://protect7.shavlik.com/feed/ Twitter @ShavlikXML Follow us on: Shavlik on LinkedIn Twitter @ShavlikProtect Shavlik blog -> www.shavlik.com/blog Chris Goettl on LinkedIn Twitter @ChrisGoettl Sign up for webinars or download presentations and watch playbacks: http://www.shavlik.com/webinars/