6. Industry News
DLL Hijacking vulnerability CVE-2016-0603 resolved in Oracle Java out of band release. A German security researcher has identified many other products that are susceptible.
Flash Player redistribution to require EA with Adobe starting March 1st, 2016 (was February until recently).
7. CSWU-020: Cumulative Update for Windows 10: February 9, 2016
Maximum Severity: Critical
Affected Products: Windows 10, Edge, Internet Explorer
Description: This update for Windows 10 includes functionality improvements and resolves the vulnerabilities in Windows that are
described in the following Microsoft security bulletins and advisory: MS16-009, MS16-011, MS16-012, MS16-013, MS16-014, MS16-016,
MS16-017, MS16-018, MS16-019, and MS16-022.
Impact: Remote Code Execution, Elevation of Privilege, Denial of Service
Fixes 26 vulnerabilities:
CVE-2016-0033, CVE-2016-0036, CVE-2016-0038, CVE-2016-0040 (Publicly Disclosed), CVE-2016-0041, CVE-2016-0042, CVE-2016-0044, CVE-2016-0046, CVE-2016-0047, CVE-2016-0048, CVE-2016-0049, CVE-2016-0051, CVE-2016-0058, CVE-2016-0059, CVE-2016-0060, CVE-2016-0061, CVE-2016-0062, CVE-2016-0063, CVE-2016-0064, CVE-2016-0067, CVE-2016-0068, CVE-2016-0069, CVE-2016-0071, CVE-2016-0072, CVE-2016-0077, CVE-2016-0080, CVE-2016-0084
Restart Required: Requires Restart
8. MS16-009: Cumulative Security Update for Internet Explorer (3134220)
Maximum Severity: Critical
Affected Products: Internet Explorer
Description: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow
remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this
vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker
who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights.
Impact: Remote Code Execution
Fixes 13 vulnerabilities:
CVE-2016-0041, CVE-2016-0059, CVE-2016-0060, CVE-2016-0061, CVE-2016-0062, CVE-2016-0063, CVE-2016-0064, CVE-2016-0067, CVE-2016-0068, CVE-2016-0069, CVE-2016-0071, CVE-2016-0072, CVE-2016-0077
Restart Required: Requires Restart
9. MS16-011: Cumulative Security Update for Microsoft Edge (3134225)
Maximum Severity: Critical
Affected Products: Edge
Description: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote
code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities
could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system
could be less impacted than those who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 6 vulnerabilities:
CVE-2016-0060, CVE-2016-0061, CVE-2016-0062, CVE-2016-0077, CVE-2016-0080, CVE-2016-0084
Restart Required: Requires Restart
10. MS16-012: Security Update for Microsoft Windows PDF Library to Address Remote Code Execution (3138938)
Maximum Severity: Critical
Affected Products: Microsoft Windows
Description: This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow
remote code execution if Microsoft Windows PDF Library improperly handles application programming interface (API) calls, which could
allow an attacker to run arbitrary code on the user’s system. An attacker who successfully exploited the vulnerabilities could gain the same
user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted
than those who operate with administrative user rights. However, an attacker would have no way to force users to download or open a
malicious PDF document.
Impact: Remote Code Execution
Fixes 2 vulnerabilities:
CVE-2016-0046, CVE-2016-0058
Restart Required: May Require Restart
11. MS16-013: Security Update for Windows Journal to Address Remote Code Execution (3134811)
Maximum Severity: Critical
Affected Products: Microsoft Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution
if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less
impacted than users who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 1 vulnerability:
CVE-2016-0038
Restart Required: May Require Restart
12. MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228)
Maximum Severity: Important
Affected Products: Microsoft Windows
Description: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow
remote code execution if an attacker is able to log on to a target system and run a specially crafted application.
Impact: Remote Code Execution
Fixes 5 vulnerabilities:
CVE-2016-0040 (Publicly Disclosed), CVE-2016-0041, CVE-2016-0042, CVE-2016-0044, CVE-2016-0049
Restart Required: Requires Restart
13. MS16-015: Security Update for Microsoft Office to Address Remote Code Execution (3134226)
Maximum Severity: Critical
Affected Products: Microsoft Office, SharePoint
Description: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow
remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities
could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the
system could be less impacted than those who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 7 vulnerabilities:
CVE-2016-0022, CVE-2016-0039 (Publicly Disclosed), CVE-2016-0052, CVE-2016-0053, CVE-2016-0054, CVE-2016-0055, CVE-2016-0056
Restart Required: May Require Restart
14. MS16-022: Security Update for Adobe Flash Player (3135782)
Maximum Severity: Critical
Affected Products: Microsoft Windows, Adobe Flash Player
Description: This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows
Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
Impact: Remote Code Execution
Fixes 22 vulnerabilities:
Resolved by the Adobe Flash Player update. See the APSB16-04 bulletin for details.
Restart Required:
15. APSB16-04: Security updates available for Adobe Flash Player
Maximum Severity: Priority 1
Affected Products: Flash Player
Description: Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could
potentially allow an attacker to take control of the affected system.
Impact: Remote Code Execution
Fixes 22 vulnerabilities:
CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, CVE-2016-0969, CVE-2016-0970, CVE-2016-0971, CVE-2016-0972, CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0976, CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, CVE-2016-0981, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984, CVE-2016-0985
Restart Required:
16. CHROME-160: Google Chrome 48.0.2564.109
Maximum Severity: High
Affected Products: Flash Player
Description: The stable channel has been updated to 48.0.2564.109 for Windows, Mac, and Linux.
Impact: Same-origin bypass, buffer overflow, out-of-bounds read
Fixes 6 vulnerabilities:
CVE-2016-1622, CVE-2016-1623, CVE-2016-1624, CVE-2016-1625, CVE-2016-1626, CVE-2016-1627
Restart Required:
17. Java8u73: Critical Security Update for Java Runtime
Maximum Severity: Critical
Affected Products: Java SE
Description: This update release contains several enhancements and changes.
Impact: Remote Code Execution
Fixes 1 vulnerability:
CVE-2016-0603
Restart Required: May Require Restart (almost always)
18. MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041)
Maximum Severity: Important
Affected Products: Microsoft Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if
an attacker uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specifically crafted input to a server.
Impact: Elevation of Privilege
Fixes 1 vulnerability:
CVE-2016-0051
Restart Required: Requires Restart
19. MS16-017: Security Update for Remote Desktop Display Driver to Address Elevation of Privilege (3134700)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if
an authenticated attacker logs on to the target system using RDP and sends specially crafted data over the connection. By default, RDP is
not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
Impact: Elevation of Privilege
Fixes 1 vulnerability:
CVE-2016-0036
Restart Required: Requires Restart
20. MS16-018: Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege (3136082)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if
an attacker logs on to an affected system and runs a specially crafted application.
Impact: Elevation of Privilege
Fixes 1 vulnerability:
CVE-2016-0048
Restart Required: Requires Restart
21. MS16-019: Security Update for .NET Framework to Address Denial of Service (3137893)
Maximum Severity: Important
Affected Products: Windows, .NET Framework
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if
an attacker logs on to an affected system and runs a specially crafted application.
Impact: Denial of Service
Fixes 1 vulnerability:
CVE-2016-0048
Restart Required: May Require Restart
22. MS16-020: Security Update for Active Directory Federation Services to Address Denial of Service (3134222)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could
allow denial of service if an attacker sends certain input data during forms-based authentication to an ADFS server, causing the server to
become nonresponsive.
Impact: Denial of Service
Fixes 1 vulnerability:
CVE-2016-0037
Restart Required: May Require Restart
23. MS16-021: Security Update for NPS RADIUS Server to Address Denial of Service (3133043)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could cause denial of service on a
Network Policy Server (NPS) if an attacker sends specially crafted username strings to the NPS, which could prevent RADIUS
authentication on the NPS.
Impact: Denial of Service
Fixes 1 vulnerability:
CVE-2016-0050
Restart Required: May Require Restart
25. Resources and Webinars
Get Shavlik Content Updates
Get Social with Shavlik
Sign up for next month's Patch Tuesday Webinar
Watch previous webinars and download presentations.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
Many of the vulnerabilities require user interaction to exploit.
https://support.microsoft.com/en-us/kb/3134814
Includes 7 non-security fixes as well.
Most of the vulnerabilities are exploiting objects in memory.
An attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email.
An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerabilities by modifying how Internet Explorer handles objects in memory.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
4 of 6 were common across IE and Edge. Those 4 were all memory corruption vulnerabilities like in IE.
Many of the vulnerabilities require user interaction to exploit.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
Discrepancy: the bulletin calls out Server Core, but the update would not install on Core. WSUS also does not offer it for Core. Either they will push a re-release or pull the doc discrepancy. This is PDF related, so would Core really be affected?
The vulnerabilities require user interaction to exploit.
For an attack to succeed, a user must open a specially crafted Windows Reader file with an affected version of Windows Reader. In an email attack scenario, an attacker would have to convince the user to open a specially crafted Windows Reader file. The update addresses the vulnerability by modifying how Windows Reader parses files.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
For an attack to be successful, this vulnerability requires that a user open a specially crafted Journal file with an affected version of Windows Journal. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Journal file to the user and then convincing the user to open the file.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
Publicly disclosed CVE-2016-0040
Known issue #1 https://support.microsoft.com/en-us/kb/3126593 (KB3126587)
Customers using Corel VideoStudio X8 or Corel VideoStudio X9 on Windows 7 may experience a crash while launching or using that product. Customers should install the latest updates from Corel to prevent this issue, or contact Corel for more information and help. The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Known issue #1 https://support.microsoft.com/en-us/kb/3126593 (KB3126593)
After you install this security update, the behavior of searching for DLLs to load in certain scenarios (specifically, when loading implicit dependencies of COM server DLLs) will be changed from the previous behavior in the following way: unless a prefix of the current directory's full path is in the Safe Load List, the current directory will be skipped during the search (notice that previously, the current directory was used to search for the DLL). This new behavior may affect some legacy application behavior, and when the DLL loader notices this possible change in behavior, a warning or error message that resembles one of the following may be displayed in the Application log that is available in Event Viewer.
The following warning message indicates the dependency file was not loaded from the current working directory (CWD) because it is not trusted, but was found in another location:
Loading dependency %2 from the current directory was not allowed when attempted by %1. Another DLL was found: %3.
The following error message indicates the DLL was not loaded from the current working directory (CWD) because it is not trusted, and was not found at all:
Loading dependency %2 from the current directory was not allowed when attempted by %1. No other DLL was found and the dependency resolution failed.
In both cases, %1 is the full path to the application process's executable (.exe) file, and %2 is the full path if the DLL is found in the CWD. If the application requires the old dependency loading behavior for its correct operation for a specific directory, you can achieve this scenario by adding this directory or its trusted ancestor to the Safe Load List. To do this, follow these steps:
Step 1. Make sure that your trusted location, together with all its descendant tree, is protected properly from unauthorized modifications by NTFS permissions.
Step 2. Add a string value to the following subkey in the registry in which the data is the full path to that trusted location:
HKLM\System\CurrentControlSet\Control\Session Manager\Safe Load Prefixes
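An added PowerShell example, not from the KB, Microsoft or Shavlik, that covers both halves of this known issue: it pulls the two loader messages quoted above out of the Application log so you can see which applications are being affected, and it performs the two Safe Load Prefixes steps, refusing to trust a directory whose NTFS ACL fails the first step. Assumptions: the KB gives no event ID or provider for the messages, so events are matched on message text; the KB does not specify the string value's name, so an arbitrary one is generated; 'C:\Program Files\LegacyApp' is a placeholder path.

```powershell
# Added example, not part of the KB or the Shavlik notes. Run in an elevated PowerShell.
# Assumptions: the KB gives no event ID or provider for the loader messages, so we match
# on message text; the KB does not name the string value, so the name here is arbitrary.

$SafeLoadKey = 'HKLM:\System\CurrentControlSet\Control\Session Manager\Safe Load Prefixes'

function Get-BlockedCwdDllLoads {
    # Detection: one object per Application-log entry matching either KB message.
    # %1 = application .exe, %2 = dependency DLL, %3 = where it was found instead.
    param([int]$Days = 7)
    $pattern = 'Loading dependency (?<dll>.+?) from the current directory was not allowed ' +
               'when attempted by (?<app>.+?)\.\s*(?:Another DLL was found: (?<found>.+?)\.|No other DLL was found)'
    $filter  = @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Message -match $pattern) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Application = $Matches['app']
                Dependency  = $Matches['dll']
                LoadedFrom  = if ($Matches['found']) { $Matches['found'] } else { '<not loaded>' }
                Outcome     = if ($Matches['found']) { 'Warning: loaded elsewhere' } else { 'Error: resolution failed' }
            }
        }
    }
}

function Get-SafeLoadPrefixes {
    # Lists the prefixes currently trusted. An empty list is the hardened default.
    if (-not (Test-Path $SafeLoadKey)) { return }
    (Get-ItemProperty -Path $SafeLoadKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Prefix = $_.Value } }
}

function Test-TrustedLocationAcl {
    # Step 1 of the KB: the location and its whole descendant tree must not be writable
    # by broad principals, otherwise trusting the prefix reintroduces the CWD hijack.
    # Returns the offending ACEs; no output means the check passed.
    param([Parameter(Mandatory)][string]$Path)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $write = [System.Security.AccessControl.FileSystemRights]::Write   # superset of WriteData/AppendData bits
    $dirs  = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        foreach ($ace in (Get-Acl -LiteralPath $d.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $broad -contains $ace.IdentityReference.Value -and
                ([int]($ace.FileSystemRights -band $write)) -ne 0) {
                [pscustomobject]@{ Directory = $d.FullName; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

function Add-SafeLoadPrefix {
    # Step 2 of the KB: add a string value whose data is the full path of the trusted
    # location. Refuses to proceed if step 1 fails, unless -Force is given.
    param([Parameter(Mandatory)][string]$Path, [string]$Name, [switch]$Force)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $weak = @(Test-TrustedLocationAcl -Path $full)
    if ($weak.Count -gt 0 -and -not $Force) {
        Write-Warning ($weak | Format-Table -AutoSize | Out-String)
        throw "Refusing to trust '$full': writable by broad principals (see warning)."
    }
    if (-not $Name) { $Name = 'Prefix_' + (Get-Date -Format 'yyyyMMddHHmmss') }   # value name: assumption
    if (-not (Test-Path $SafeLoadKey)) { New-Item -Path $SafeLoadKey -Force | Out-Null }
    New-ItemProperty -Path $SafeLoadKey -Name $Name -Value $full -PropertyType String -Force | Out-Null
    Get-SafeLoadPrefixes | Where-Object Name -eq $Name
}

# Usage: review what the loader has been blocking, then trust a locked-down directory.
Get-BlockedCwdDllLoads -Days 30 | Format-Table -AutoSize
Get-SafeLoadPrefixes
# Add-SafeLoadPrefix -Path 'C:\Program Files\LegacyApp'   # placeholder path, not from the page
```

Review the Test-TrustedLocationAcl output before adding a prefix: every entry is a directory under the proposed location where a low-privileged account could plant a DLL.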
After you make these changes, as long as the CWD is under that location, the DLLs in that CWD will be trusted and loaded as before.
Known issue #2
Customers using Corel VideoStudio X8 or Corel VideoStudio X9 on Windows 7 may experience a crash while launching or using that product. Customers should install the latest updates from Corel to prevent this issue, or contact Corel for more information and help. The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
MS updated an older Security Advisory relating to RDP in last night's release: https://technet.microsoft.com/en-us/library/security/2871997. There was also a hidden KB that is not in the bulletin, but was available to deploy.
CVE-2016-0039 (Publicly Disclosed)
Microsoft SharePoint XSS Vulnerability – CVE-2016-0039
An elevation of privilege vulnerability exists when SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the browser of the victim.
The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests.
I have Microsoft Word 2010 installed. Why am I not being offered the 3114752 update? The 3114752 update only applies to systems running specific configurations of Microsoft Office 2010. Some configurations will not be offered the update.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
To fully update Flash Player you must apply the IE Security Advisory, Google Chrome update, Mozilla Firefox and the Flash Player install.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
Also includes support for updated Flash and the 22 fixes for Adobe Flash Plug-In.
To fully update Flash Player you must apply the IE Security Advisory, Google Chrome update, Mozilla Firefox and the Flash Player install.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
http://www.oracle.com/technetwork/java/javase/8u73-relnotes-2874654.html
Oracle recommends removing all older install media from your network.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing.
WebDAV Elevation of Privilege Vulnerability - CVE-2016-0051
An elevation of privilege vulnerability exists in the Microsoft Web Distributed Authoring and Versioning (WebDAV) client when WebDAV improperly validates input. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated permissions.
To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
Workstations and servers are primarily vulnerable to this attack. The update addresses the vulnerability by correcting how WebDAV validates input.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing.
Known issues in security update 3126446 https://support.microsoft.com/en-us/kb/3134700
You may have to restart the computer multiple times after you install this security update on a Windows 7-based computer that is running RDP 8.0.
Remote Desktop Protocol (RDP) Elevation of Privilege Vulnerability - CVE-2016-0036
An elevation of privilege vulnerability exists in Remote Desktop Protocol (RDP) when an attacker logs on to the target system using RDP and sends specially crafted data over the authenticated connection. An attacker who successfully exploited this vulnerability could execute code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the target system by using the Remote Desktop Protocol (RDP). An attacker could then run a specially crafted application that is designed to create the crash condition that leads to elevated privileges. The update addresses the vulnerability by correcting how RDP handles objects in memory.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing.
Kernel-Mode Driver update. Test well.
Win32k Elevation of Privilege Vulnerability - CVE-2016-0048
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing.
4.5.2 is the only supported version of 4.5.
https://support.microsoft.com/en-us/gp/framework_faq/en-us
1. What is the Microsoft Support Lifecycle policy for .NET Framework?
(Reading between the lines, pretty much like IE: if it is OS level it is supported until EOL of the OS, but as a separate product install you should upgrade.)
In March 2010, Microsoft announced that beginning with .NET Framework 3.5 Service Pack 1 (SP1), the .NET Framework is defined as a component instead of an independent product. As a component, .NET Framework version 3.5 Service Pack 1 (SP1) or later assumes the same Support Lifecycle policy as its underlying Windows operating system. On August 7, 2014, Microsoft announced that support will end for .NET Framework 4, 4.5, and 4.5.1 on January 12, 2016. Customers and developers need to have completed the in-place update to .NET Framework 4.5.2 by January 12, 2016 to continue receiving technical support and security updates. Support for .NET Framework 4.5.2, as well as all other .NET Framework versions such as 3.5 SP1, will continue for the duration of the operating system support lifecycle. Additional information on the history of the .NET Framework support lifecycle is available below.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing.
Microsoft Active Directory Federation Services Denial of Service Vulnerability - CVE-2016-0037
A denial of service vulnerability exists when Active Directory Federation Services (ADFS) attempts to process certain input during forms-based authentication. An attacker who successfully exploits this vulnerability by sending certain input during forms-based authentication could cause the server to become nonresponsive.
The update addresses the vulnerability by adding additional checks on input data during forms-based authentication.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing.
Has a Core patch, but also failed to install. We will be watching for a rerelease on this one.
Network Policy Server RADIUS Implementation Denial of Service Vulnerability – CVE-2016-0050
A denial of service vulnerability exists when a Network Policy Server (NPS) improperly handles a Remote Authentication Dial-In User Service (RADIUS) authentication request. An unauthenticated attacker who successfully exploited this vulnerability could send specially crafted username strings to a Network Policy Server (NPS) causing a denial of service condition for RADIUS authentication on the NPS.
Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate user rights. To exploit the vulnerability, an attacker would need to have network access to the affected NPS and then create an application to send specially crafted RADIUS authentication requests to the NPS.
The security update addresses the vulnerability by changing how the NPS parses username queries when implementing RADIUS.
Sign up for Content Announcements:
Email http://www.shavlik.com/support/xmlsubscribe/
RSS http://protect7.shavlik.com/feed/
Twitter @ShavlikXML
Follow us on:
Shavlik on LinkedIn
Twitter @ShavlikProtect
Shavlik blog -> www.shavlik.com/blog
Chris Goettl on LinkedIn
Twitter @ChrisGoettl
Sign up for webinars or download presentations and watch playbacks:
http://www.shavlik.com/webinars/