Historically, May has been a big month for Microsoft updates. This May, we see 16 updates, covering all versions of Windows, IE and Edge as well as an update for Adobe Flash player.
With eight updates rated as critical and the remaining patches rated as important, Microsoft seems to have adopted a new clustering approach to patches. We have seen pairings of IE and Edge in the past, but this month we see core components (VBscript and JScript) linked with browser updates. In addition, we also have kernel updates linked to kernel mode driver updates (MS16-060 and MS16-061). We are also missing MS16-063! And, this month we also get the benefit of a nice looking infographic from Shavlik.
This is a really big patch release from Microsoft, so I suggest you take some time to test out some of the core system component updates. Patch the Adobe and browser updates (MS16-051 and MS16-052) as a matter of urgency. But maybe wait on the .NET update (MS16-065) for a few days to get some more clarity on the patch changes.
MS16-051 — Critical
MS16-051 is the first update from Microsoft for this May Patch Tuesday and replaces last month’s update to Microsoft Internet Explorer (IE), MS16-037. It attempts to resolve five reported issues that could lead to a potential remote code execution scenario on a compromised machine. This update attempts to resolve more memory corruption issues with the JScript and VBScript scripting engines. Due to a publicly disclosed and exploited vulnerability in these scripting engines, this is a “patch now” update from Microsoft
MS16-052 — Critical
MS16-052 deals with four reported vulnerabilities in Microsoft Edge, two of which attempt to address similar scripting engine memory corruption issues to those raised in IE. It appears that all of these vulnerabilities in Microsoft Edge are exposed to a specially crafted web site where an attacker could execute arbitrary code leading to a remote code execution scenario.
MS16-053 — Critical
MS16-053 attempts to address the two core scripting engine (VBScript and JScript) vulnerabilities not covered by the previous IE and Edge updates. This patch is targeted at older operating systems (Vista and Server 2008) and appears to offer some protection for older systems that do not have the latest version of IE installed. While neither of the two issues has been publicly disclosed, one has been exploited in the wild, so make this Microsoft update a priority in your patch deployment effort.
MS16-054 — Critical
MS16-054 is a critical Microsoft update that addresses four privately reported vulnerabilities in all of the currently supported versions of Office, with the potential to lead to a remote code execution scenario. This is large security update that also includes a significant number of feature level fixes. If you are heavily dependent on scripting automation with Microsoft Office, you may want to test your line-of-business (LOB) applications for any gaps in script handling. Add this update to your priority patching effort.
MS16-055 — Critical
The next critical updatem MS16-055, addresses five vulnerabilities in the key Windows Graphics system component. This update affects all supported versions of Windows and, if left unpatched, could lead to a remote code execution scenario. There are a number of memory handling and corruption issues that are raised with this update. Make this patch a priority in your deployment effort.
MS16-056 — Critical
MS16-056 is a critical update that addresses a single reported vulnerability in the Windows Journal (JNT) component that could lead to remote code execution scenario. This update changes the way Journal files are handled, so that an attacker is not able to exploit these memory related issues and execute arbitrary code with the same security privileges as the logged on user.
MS16-057 — Critical
MS16-057 attempts to resolve a single reported memory handling vulnerability in the Windows Shell that could lead to a remote code execution scenario on a compromised machine. Add this update to your standard deployment effort.
MS16-064 — Critical
The final update rated as critical by Microsoft for May is security release MS16-064. Like last month, this is actually not an update to a Microsoft product, but an update to Adobe Flash Player. At the time of writing, not all the information is publicly available. However, it looks like this update will be associated with 23 issues and a critical zero-day exploit. This is an absolutely urgent “patch now” update from Microsoft and Adobe.
MS16-058 — Important
MS16-058 addresses a single privately reported vulnerability in Microsoft’s Internet Information Server (IIS). Due to a problem with how Microsoft handles library loading (DLL’s) issues, an attacker with local access to the compromised system could initiate a remote code execution scenario. Recent versions of IIS are not affected, and with a local access requirement to exploit this vulnerability, adding this update to your standard deployment effort is sufficient.
MS16-059 — Important
MS16-059 attempts to address a single reported vulnerability in Windows Media Centre Link (MCL) files that could lead to a remote code execution scenario. An attacker would have to direct a user to a specially crafted web page to execute code on the compromised machine and so the exploitability index is relatively low. We have seen a number of these issues with Media Centre in the past. As noted before, for most enterprises the potential impact for making this update is low. Add this update to your standard patch deployment effort.
MS16-060 — Important
MS16-060 attempts to resolve a single privately reported issue in the key Windows component, the Windows Kernel. Interestingly, this update is paired with MS16-061 as both attempt to resolve memory handling and link parsing issues in key Windows components.
MS16-061 — Important
A single privately reported vulnerability in the Microsoft Remote Procedure Call (RPC) component is addressed with MS16-061. This update attempts to resolve another memory corruption issue in a key Windows component that could lead to a remote code execution scenario. Add this update to your standard patch deployment effort.
MS16-062 — Important
MS16-062 attempts to resolve four privately reported vulnerabilities in the way Windows handles memory addresses which could lead to an elevation of privilege scenario on a compromised system. This update directly affects the DirectX kernel component and how it handles internal kernel memory.
MS16-065 — Important
MS16-065 is a pretty significant update for the .NET framework that attempts to address a single privately reported vulnerability that may lead to a man-in-the-middle (MITM) attack resulting in an information disclosure security scenario. This update affects all currently supported versions of the Microsoft .NET framework and therefore all versions of Windows. It appears that the file manifest for this update is currently obfuscated at the time of writing, so I cannot advise on the nature or scale of the changes included.
MS16-066 — Important
MS16-066 addresses a single, privately reported vulnerability in how Windows allows certain kernel mode memory pages to be accessed by specially crafted applications. It has a minimal impact profile, and so add this patch to your standard patch deployment effort.
MS16-067 — Important
MS16-067 addresses a single privately reported vulnerability in the Microsoft Volume Manager Driver that has a minimal impact profile. Add this update to your standard patch deployment effort.