Critical patches target privilege escalation
Half of the sixteen Microsoft bulletins in this month's Patch Tuesday (16 May) are rated “critical” and the other half “important”.
Most of the released bulletins resolve remote code execution (RCE) and elevation of privilege vulnerabilities in affected software such as the IE and Edge browsers, Journaling, IIS, Kernel, RPC, .NET, Flash, and Media Centre. In addition, three bulletins provide security updates for information disclosure and security feature bypass vulnerabilities.
“We've come to expect and continue to see both privilege elevation and remote code execution vulnerabilities month after month,” David Picotte, Rapid7's engineering manager, wrote to SCMagazineUK.com.
MS16-051 fixes a critical remote code execution vulnerability affecting Internet Explorer. “CVE-2016-0189 is a vulnerability predominantly exposed via Internet Explorer (IE) that allows maliciously crafted sites to exploit a remote code execution (RCE) vulnerability. This CVE, in particular, stands out as Microsoft has already detected its active exploitation in the wild. If administrators can't patch their systems quickly, Microsoft has provided a workaround in MS16-051 that'll simply disable the VBScript.dll and JScript.dll functionality, a crude, but effective, means of reducing your risk,” David Picotte added.
Microsoft Edge is also on the list of affected software and, like IE, has a critical RCE vulnerability, fixed by MS16-052.
MS16-053 resolves an RCE vulnerability in JScript and VBScript that is limited to Windows Vista and 2008 SP2, according to comments emailed to SCMagazineUK.com by Jon Rudolph, principal software engineer at Core Security.
MS16-057 piqued the interest of Bobby Kuzma, CISSP, systems engineer at Core Security; he commented in an email to SCMagazineUK.com, “It's a memory handling vulnerability impacting the Windows Shell, which we haven't seen for a while. It looks like it was introduced in Windows 8, which is a relief as XP is no longer receiving updates and Vista is fast approaching obsolescence.”
“MS16-058 is concerning, despite only impacting Vista and Server 2008 IIS installations. It allows remote code execution in the context of the IIS user, which may be problematic in certain application scenarios where least privilege is not observed,” Kuzma added.
The MS16-065 and MS16-067 bulletins resolve important information disclosure vulnerabilities in the .NET Framework and the Volume Manager Driver respectively. The former allows an attacker to act as a man-in-the-middle (MiTM) by injecting unencrypted data into the target secure channel.
The MS16-066 security update addresses an important security feature bypass vulnerability that allows an attacker to bypass code integrity protection in Microsoft Windows.