Microsoft has started the year with a truly unusual Patch Tuesday. There are nine updates for January, with six rated as critical and the remaining three rated as important (the reverse of the usual distribution in terms of severity). January has a couple of additional surprises. First, it looks like MS16-009 did not make this Patch Tuesday release at all and may only surface later this month. Secondly, we see what has been rated as an important update with MS16-008 may contain the most severe vulnerability and the most risky patch contents.
Thanks to Shavlik this month for their very helpful summary infographic detailing this January Patch Tuesday.
MS16-001 — Critical
The first update rated as critical for the year 2016 is MS16-001, an update for Microsoft Internet Explorer that attempts to resolve two reported vulnerabilities, that at worst could lead to a remote code execution scenario. This update affects all supported versions of Windows and will require a system restart due to the complete re-release of all IE related executables and supporting libraries. Microsoft has offered some advice on how to mitigate the risk of this particular vulnerability. However, this advice requires changing the ownership (and subsequent security settings) of one of IE’s core system libraries (VBScript.dll) which in practice is usually difficult to do and almost impossible to manage in an enterprise scenario. This is a "Patch Now” Microsoft update.
MS16-002 — Critical
The next critical update for this January Patch Tuesday is MS16-002 which attempts to resolve two reported vulnerabilities in Microsoft’s latest browser -- Edge. This update to Edge is intimately related to this month’s IE update MS16-001 as it also deals with a VBScript and JScript memory corruption issue in the Chakra JavaScript engine, which could lead to a remote code execution scenario. Both of these browser patches have a high exploitation rating and should be a priority in your patch cycle.
MS16-003 — Critical
MS16-003 addresses a single reported vulnerability in the Windows VBScript and JScript scripting engine that could lead to a remote code execution scenario. We have seen a number of IE and Edge updates over the past few months that have been paired with memory corruption issues in either the VBScript or JScript Windows components. MS16-003 is a good example of that linked security issue in a core Windows component that affects both of Microsoft’s browsers. This update affects all versions of Windows desktop and server platforms, including the minimalist Windows Server Core platform and should be included in your priority patch cycle.
MS16-004 — Critical
MS16–004 delivers a critical update to Microsoft Office that attempts to resolve five reported memory corruption and security feature bypass vulnerabilities that could lead to a remote code execution situation. This exploit requires a user to open a specially crafted Office file and could allow an attacker to run code in the security context of the logged in user. This update affects all supported versions of Microsoft Office, including all Mac versions. Add this update to your standard patch deployment program.
MS16-005 — Critical
The next update rated as critical for this January Patch Tuesday is MS16-005, which attempts to address two reported vulnerabilities in two core Windows drivers (GDI and Win32) that could lead to a remote code execution scenario. This patch affects all versions of Windows, including the latest version of Windows 10, Build 1511. The exploitation index for these two security issues may be moderate, but the risk of updating two core system level drivers is high. We have seen numerous examples (you can read about December’s update here ) which required a re-release of a monthly patch due to driver stability issues (see MS15-128). I suggest waiting a little while for this update to settle before deploying to your production systems.
MS16-006 — Critical
MS16-006 attempts to address a single but highly exploitable security issue in Microsoft Silverlight (Microsoft's answer to Adobe Flash, and a graphics focused development environment for building websites) that could lead to a remote code execution scenario. As Silverlight provides runtime support for both Apple Macs and Windows platforms, this vulnerability will affect both types of systems. As Microsoft has not published any workarounds or mitigating strategies, add this update to your standard patch deployment program.
MS16-007 — Important
MS16-007 attempts to address seven reported vulnerabilities in Microsoft Windows that could at worst lead to a remote code execution situation if an attacker is able to login to a target system and run a specially crafted application. Unlike other memory corruption issues, this patch attempts to address a DLL loading vulnerability that affects all currently supported Windows platforms. Microsoft has not published any workarounds for this issue, and so add this update to your standard patch deployment effort.
MS16-008 — Important
MS16-008 is another important update from Microsoft that attempts to resolve two reported vulnerabilities in the Windows kernel. Both of these reported vulnerabilities have the highest exploitability index from Microsoft as they could allow an attacker to run code in the system context. However, an attacker would have to successfully log on to the target system to run this code. Don’t let Microsoft's rating of important (rather than critical) fool you. This is a serious vulnerability, that if run in conjunction with another vulnerability, could provide system level (root) access to a remote attacker. In addition, the patch manifest is updating Ntoskrnl.exe which at a Windows system level is comparable to the CEO of a large technology organisation. Changing this file (or person) is a big deal. I suggest a significant testing profile for this update. Include power management features for your servers and any virtualisation technology that delivers production level services -- and then maybe wait a few days.
MS16-009 — Important
This update has not been released yet and I expect it to be released sometime in the latter part of February. Watch this space, as it may be a high priority update.
MS16-010 — Important
MS16-010 is the final update for this January Patch Tuesday from Microsoft and it attempts to resolve four reported vulnerabilities in Microsoft Exchange Server. These four vulnerabilities have a low exploitability rating from Microsoft and this update appears to update the install and configuration components of Exchange rather than the core mail handling functionality. Add this update to your standard server update deployment effort.
This January also marks the end of support for all previous versions of Microsoft Internet Explorer. From January 12th, only the latest version of IE (that means IE 11) will be supported with a few exceptions related to some Point of Sale (POS) versions of Windows XP.