This April, Microsoft has released another large batch of Windows updates with six rated as critical and the remaining seven rated as important.
Although there has been a large amount of hype relating to the latest security scare (BadLock), the real issue this month is the Adobe Player vulnerability addressed in MS16-050. Both Microsoft browsers require urgent updates due to more memory corruption issues (MS16-037 and MS16-038). I am not quite sure that Microsoft does this deliberately, but it seems that every month, the second to last update rated as important could be considered a little “worrisome.” This month it's MS16-048, which updates a key windows system (that handles logins) that may require some additional testing before production deployments.
Here’s the link to Shavlik’s helpful Patch Tuesday infographic that outlines the risks and exploitability of all these patches.
MS16-037 — Critical
MS16-037, the first update from Microsoft for this April Patch Tuesday, follows form with a critical update for Microsoft Internet Explorer (IE). This update attempts to resolve six issues that could lead to a remote control security scenario where a compromised machine could allow an attacker the same privileges as a logged on user. It looks like all six issues relate to memory corruption or library loading issues. This update is a complete refresh of the IE system files (EXE’s and DLL’s) and will require a restart. It also looks like the exploitability ratings for these six privately reported issues are quite high, so this IE update is a "Patch Now” update.
MS16-038 — Critical
The critical update for Microsoft Edge for April (MS16-038) has the same number and type of security vulnerabilities as those patched in MS16-037. Both Edge and IE appear to share the same memory corruption issue raised in the CVE entry CVE-206-0154. This seems a little odd as this issue relates to how objects are handled in memory. With most of these security issues, the exploitability (potential exposure) is actually higher than those same issues raised in the older IE browser. Very like its legacy browser brother, this is a "Patch Now" update from Microsoft.
MS16-039 — Critical
MS16-039 is rated as critical by Microsoft and attempts to resolve four privately reported, highly exploitable vulnerabilities in a key Windows component, that could lead to a remote code execution scenario. This update affects all supported versions of Windows and in particular is a critical update for both Skype for Business and Microsoft Lync. The patch manifest only appears to contain two system level files (Win32k.sys and GDIPlus.dll). Unfortunately, many legacy applications have direct binding to both these files and subsequent updates or patches tend to cause application or Operating System (OS) crashes. Test your core line-of-business applications before adding this update to your patch deployment schedule.
MS16-040 — Critical
MS16-040 updates a specific version of MSXML Services (Version 3.0) that could leave a compromised system vulnerable to remote code execution scenarios. Microsoft’s MSXML Core Services (MSXML) is a key Windows component that allows developers to use scripting languages to store and access data in the XML data format.
This is a rather odd patch though. Rather than focusing on the general XML Services libraries, this update focuses solely on one version: Version 3. We are currently on MSXML version 6, while version MSXML 3 was released with Windows XP. If you have legacy applications developed in the early Windows XP timeframe, you may want to thoroughly test their data handling features before deploying this Microsoft update.
MS16-042 — Critical
The last “solely Microsoft” and penultimate critical update for this April Patch Tuesday is MS16-042, that attempts to resolve four privately reported, non-exploited vulnerabilities in Microsoft Office, where the improper handling of a now-ageing Rich Text File format (RTF) could lead to a remote code execution scenario if a user opens a specially crafted Office file. Three of the four reported (and hopefully patched) vulnerabilities have a really low exploitability rating (equating at some level to a lower risk).
Why is this update rated critical by Microsoft? What is going on here? It's the older versions of Office! If you are running Microsoft Office 2007, then this a “Patch Now” update. Otherwise, add this update to your standard deployment schedule.
MS16-050 — Critical
The final update for this Microsoft “Update Tuesday” is an update to a non-Microsoft product. MS16-050 is an update to Adobe flash player that affects all modern Windows operating systems (Windows 8.x, Server 201x, Windows RT 8.x and Windows 10). Rather than following the usual Microsoft pages for your update summaries (found here for April), you can find more details about this Adobe update here. Microsoft does not list the associated reported vulnerabilities or their exploitability index. Unfortunately, this is also a “Patch Now” update.
MS16-041 — Important
The first update rated by Microsoft as important for this April is MS16-041, which attempts to resolve a single publicly reported vulnerability in the Microsoft .NET framework. This is a large update that will affect a lot of Server 2008 and Windows 7 systems. Test your core line of business applications that have a dependency on .NET 4.6.X before deploying this patch.
MS16-044 — Important
MS16-044 addresses a single privately reported vulnerability in the core Windows OLE component. If a specially crafted file is opened on a unmatched system, an attacker could run malicious code in the context of the logged on user. Microsoft has rated this vulnerability with a very low exploitability rating, and so add this update to your standard patch deployment schedule.
MS16-045 — Important
MS16-045 attempts to resolve four privately reported security issues with low exploitability. Add this update to your standard server patch schedule.
MS16-046 — Important
MS16-046 attempts to resolve a publicly reported vulnerability in the Windows Secondary Logon process which could lead to an elevation of privilege scenario. Add this update to your standard patch deployment effort.
MS16-047 — Important
The fourth update rated as Important for this April is MS16-047 which attempts to remediate a single, privately reported vulnerability in the Windows Logon Security and Domain (LSAD) policy. This looks like a low impact update from Microsoft, and so please add this patch to your standard deployment effort.
MS16-048 — Important
MS16-048 addresses a single privately reported vulnerability in the Windows Client/Server Runtime subsystem (CRSS). This is a vulnerability with low exploitability which at worst could lead to a security feature bypass scenario. CRSS is one of the core user-mode subsystems and handles important features like logins and application GUI handling. Updates to these areas have been known in the past to be the cause of Blue Screen of Death. Maybe wait a little while before deploying this update.
MS16-049 -- Important
MS16-049 updates a single file (HTTP.SYS) in the attempt to resolve a privately reported vulnerability that could lead to a denial of service scenario. Add this update to your standard patch deployment.