Following Microsoft’s recent practice of issuing large updates covering multiple versions of Microsoft IE, Office as well as both desktop and server OS platforms, the 13 updates for March probably represent the new “average” Patch Tuesday payload. Five of the updates are rated as critical, while the remaining eight are rated as important, together covering 44 newly reported security vulnerabilities. In addition to these Microsoft patches, I expect that we will see an update to Adobe’s Flash Player.
If you are looking for a helpful infographic for this month’s patch cycle, check out Shavlik’s latest offering here.
MS16-023 — Critical
True to form, the first two browser updates from Microsoft for the month of March include changes to both Microsoft IE and Edge. MS16-023 attempts to address 13 privately reported vulnerabilities in Microsoft Internet Explorer (IE), all of which relate to memory corruption issues. The worst of these issues may lead to a remote code execution scenario if a user visits a specially crafted web page. This update affects all currently supported versions of IE. Given that Microsoft is currently supporting two branches of Windows 10, this update to IE will be included in the Windows cumulative update for March and the update release for Windows 10 build 1511. This is a “Patch Now” update from Microsoft.
MS16-024 — Critical
Following on from this month’s update to Internet Explorer, the new Edge browser gets an update with MS16-024. This update to Microsoft’s latest browser attempts to resolve 11 privately reported vulnerabilities dealing with memory corruption issues (similar to MS16-023) which could lead to a remote code execution scenario. And, just like the March IE update, this patch will apply to both the current Windows 10 branch and the latest “insider build” 1511.
MS16-026 — Critical
MS16-026 attempts to address two less serious vulnerabilities in the graphics fonts component of Windows. This critical update reflects another attempt by Microsoft to resolve vulnerabilities in the Adobe Type Manager, a notorious and repeat offender in the Windows update cycle. I believe that the reason for the critical rating for this update relates to the sheer number of attack vectors whereby a target system could be compromised. Add this patch to your standard patch release schedule.
MS16-027 — Critical
MS16-027 attempts to address two privately reported vulnerabilities that, left unpatched, could lead to a remote code execution scenario on a compromised machine. This Microsoft patch appears to be a relatively straightforward update to the Windows Media Player component. There appears to be very little overlap between these update files and most applications, and so deployment is expected to be relatively low risk for most enterprises. Please add this to your standard deployment schedule.
MS16-028 — Critical
The final critical update for this March Patch Tuesday release cycle is MS16-028, which attempts to resolve two privately reported issues with the Windows PDF component that, if left unpatched, could lead to a remote code execution scenario on a compromised system. This update is most likely rated as critical because a target system could be compromised if a user clicks on a specially crafted PDF file. This is a pretty common occurrence for most people and hard to defend against. Add this update to your priority patch schedule.
MS16-025 — Important
The first important update to the Windows platform for this Microsoft “Update Tuesday” is MS16-025, which attempts to resolve a single reported vulnerability in how Windows loads external code libraries (DLLs). Interestingly, this update replaces MS11-085, which was released in 2011 in an attempt to resolve a mail extension issue that could have led to propagation of computer worms through Windows email clients. This small Microsoft patch attempts to update the Windows Address Book (WAB) suite of code libraries, so I suggest that you test your mail clients (Outlook) before adding this update to your standard patch deployment schedule.
MS16-029 — Important
MS16-029 addresses three privately reported vulnerabilities in Microsoft Office that could lead to a remote code execution scenario in all currently supported versions of Microsoft Office. This is a really big update that also includes approximately 30 other fixes and functionality updates to all versions of Microsoft Office. These updates contain changes to core system components (e.g. winword.exe) and most of the supporting Office libraries. If your core line-of-business applications have a key dependency on how Microsoft handles PDFs, UNC names or VBA automation, then you will need to create a specific test suite that includes Office, this update and your core applications before deploying this update to production.
MS16-030 — Important
MS16-030 attempts to address two privately reported vulnerabilities in the core Windows OLE (Object Linking and Embedding) component that could lead to a remote code execution scenario on a compromised system. This Microsoft patch attempts to update almost the entire set of Microsoft OLE libraries. Though OLE components are used less and less these days, some of your older (read: VB) applications may need some smoke testing before deployment of this patch.
MS16-031 — Important
MS16-031 addresses a single reported memory corruption vulnerability that affects all currently supported versions of Windows. Microsoft has not published any mitigating factors or workarounds, and if an unpatched system is compromised it could lead to an elevation of privilege scenario. Add this update to your standard patch deployment schedule.
MS16-032 — Important
MS16-032 is an important update from Microsoft that also addresses a single memory handling vulnerability. This time a weakness in how Windows Logon manages requests could lead to an elevation of privilege security issue. Add this update to your standard patch schedule.
MS16-033 — Important
MS16-033 addresses a single privately reported vulnerability in the Windows USB storage driver component that, if left unpatched, could lead to an elevation of privilege scenario. This update affects all supported versions of Windows desktops and servers, and Microsoft has not published any mitigating factors or workarounds. Add this update to your standard patch schedule.
MS16-034 — Important
When it comes to Patch Tuesday, always watch out for the second-to-last update. This is where Microsoft can sometimes sneak in a key driver update under the radar. MS16-034 attempts to resolve four privately reported elevation of privilege security issues in a key system-level driver. Of all of the updates to Win32k.sys, this update looks the least worrisome. That said, it will need testing with your core application set. I suggest pairing MS16-033 and MS16-034 together in a test suite and then performing a number of reboots while adding and removing an external USB storage device. After that, add this update to your standard patch schedule.
MS16-035 — Important
The final update rated as important for this March Update Tuesday release is MS16-035, which attempts to resolve a single reported vulnerability in the Microsoft .NET Framework. If left unpatched, a compromised system could allow a security feature bypass where certain XML data elements may not be validated correctly. Add this update to your standard patch schedule.