Patch Tuesday Analysis - February 2016

Editor's Notes

• #7: http://news.softpedia.com/news/dll-hijacking-issue-plagues-products-like-firefox-chrome-itunes-openoffice-500060.shtml https://www.adobe.com/products/flashplayer/distribution3.html
• #8: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. 
• #9: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Many of the vulnerabilities target a user to exploit. https://support.microsoft.com/en-us/kb/3134814 Includes 7 non-security fixes as well. Most of the vulnerabilities are exploiting objects in memory. An attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerabilities by modifying how Internet Explorer handles objects in memory.
• #10: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. 4 of 6 were common across IE and Edge. Those 4 were all memory corruption vulnerabilities like in IE. Many of the vulnerabilities target a user to exploit.
• #11: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Discrepancy: Calls out Server Core, but update would not install on core. WSUS also does not offer for Core. Either they will push a re-release or pull the doc discrepancy. This is PDF related so would Core really be affected? Vulnerabilities target a user to exploit. For an attack to succeed, a user must open a specially crafted Windows Reader file with an affected version of Windows Reader. In an email attack scenario, an attacker would have to convince the user to open a specially crafted Windows Reader file. The update addresses the vulnerability by modifying how Windows Reader parses files.
• #12: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. For an attack to be successful, this vulnerability requires that a user open a specially crafted Journal file with an affected version of Windows Journal. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Journal file to the user and then convincing the user to open the file.
• #13: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Publicly disclosed CVE-2016-0040 Known issue # 1 https://support.microsoft.com/en-us/kb/3126593 (KB3126587) Customers using Corel VideoStudio X8 or Corel VideoStudio X9 on Windows 7 may experience a crash while launching or using that product. Customers should install the latest updates from Corel to prevent this issue, or contact Corel for more information and help. The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. Known issue # 1 https://support.microsoft.com/en-us/kb/3126593 (KB3126593) After you install this security update, the behavior of searching for DLLs to load in certain scenarios (specifically, when loading implicit dependencies of COM server DLLs) will be changed from the previous behavior in the following way: Unless a prefix of the current directory’s full path is in the Safe Load List, the current directory will be skipped during the search (notice that previously, the current directory was used to search for the DLL). This new behavior may affect some legacy application behavior, and when the DLL loader notices this possible change in behavior, a warning or error message that resembles one of the following may be displayed in the Application log that is available in Event Viewer:The following warning message indicates the dependency file was not loaded from the current working directory (CWD) because of it not being trusted, but was found in another location:Loading dependency %2 from the current directory was not allowed when attempted by %1. Another DLL was found: %3. The following error message indicates the DLL was not loaded from the current working directory (CWD) because of it not being trusted, and was not found at all.Loading dependency %2 from the current directory was not allowed when attempted by %1. No other DLL was found and the dependency resolution failed. In both cases, %1 is the full path to the application process’s executable (.exe) file, and %2 is the full path if the DLL is found in the CWD. If the application requires the old dependency loading behavior for its correct operation for a specific directory, you can achieve this scenario by adding this directory or its trusted ancestor to the Safe Load List. To do this, follow these steps:Make sure that your trusted location, together with all its descendant tree, is protected properly from unauthorized modifications by NTFS permissions. Add a string value to the following subkey in the registry in which the data is the full path to that trusted location:HKLM\System\CurrentControlSet\Control\Session Manager\Safe Load Prefixes After you make these changes, as long as the CWD is under that location, the DLLs in that CWD will be trusted and loaded as before. Known issue # 2 Customers using Corel VideoStudio X8 or Corel VideoStudio X9 on Windows 7 may experience a crash while launching or using that product. Customers should install the latest updates from Corel to prevent this issue, or contact Corel for more information and help. The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
• #14: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. MS updated an older Security Advisory relating to RDP from last nights release. https://technet.microsoft.com/en-us/library/security/2871997 there was also a hidden KB that is not in the bulletin, but was available to deploy. CVE-2016-0039 (Publicly Disclosed) Microsoft SharePoint XSS Vulnerability – CVE-2016-0039 An elevation of privilege vulnerability exists when SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the browser of the victim. The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests. I have Microsoft Word 2010 installed. Why am I not being offered the 3114752 update? The 3114752 update only applies to systems running specific configurations of Microsoft Office 2010. Some configurations will not be offered the update.
• #15: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
• #16: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. To fully update Flash Player you must apply the IE Security Advisory, Google Chrome update, Mozilla Firefox and the Flash Player install.
• #17: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Also includes support for updated Flash and the 22 fixes for Adobe Flash Plug-In. To fully update Flash Player you must apply the IE Security Advisory, Google Chrome update, Mozilla Firefox and the Flash Player install.
• #18: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. http://www.oracle.com/technetwork/java/javase/8u73-relnotes-2874654.html Oracle recommends removing all older install media from your network.
• #19: Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. WebDAV Elevation of Privilege Vulnerability - CVE-2016-0051 An elevation of privilege vulnerability exists in the Microsoft Web Distributed Authoring and Versioning (WebDAV) client when WebDAV improperly validates input. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated permissions. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. Workstations and servers are primarily vulnerable to this attack. The update addresses the vulnerability by correcting how WebDAV validates input.
• #20: Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Known issues in security update 3126446 https://support.microsoft.com/en-us/kb/3134700 You may have to restart the computer multiple times after you install this security update on a Windows 7-based computer that is running RDP 8.0.  Remote Desktop Protocol (RDP) Elevation of Privilege Vulnerability - CVE-2016-0036 An elevation of privilege vulnerability exists in Remote Desktop Protocol (RDP) when an attacker logs on to the target system using RDP and sends specially crafted data over the authenticated connection. An attacker who successfully exploited this vulnerability could execute code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the target system by using the Remote Desktop Protocol (RDP). An attacker could then run a specially crafted application that is designed to create the crash condition that leads to elevated privileges. The update addresses the vulnerability by correcting how RDP handles objects in memory.
• #21: Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Kernel-Mode Driver update. Test well. Win32k Elevation of Privilege Vulnerability - CVE-2016-0048 An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
• #22: Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. 4.5.2 is only supported version of 4.5. https://support.microsoft.com/en-us/gp/framework_faq/en-us 1. What is the Microsoft Support Lifecycle policy for .NET Framework?  (reading between the lines, pretty much like IE. If it is OS level it is supported until EOL of OS, but as separate product install you should upgrade)In March 2010, Microsoft announced that beginning with .NET Framework 3.5 Service Pack 1 (SP1), the .NET Framework is defined as a component instead of an independent product. As a component, .NET Framework version 3.5 Service Pack 1 (SP1) or later assumes the same Support Lifecycle policy as its underlying Windows operating system. On August 7, 2014, Microsoft announced that support will end for .NET Framework 4, 4.5, and 4.5.1 on January 12, 2016. Customers and developers need to have completed the in-place update to .NET Framework 4.5.2 by January 12, 2016 to continue receiving technical support and security updates. Support for .NET Framework 4.5.2, as well as all other .NET Framework versions such as 3.5 SP1, will continue to be supported for the duration of the operating system support lifecycle. Additional information on the history of .NET Framework support lifecycle is available below.
• #23: Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Microsoft Active Directory Federation Services Denial of Service Vulnerability - CVE- 2016-0037 A denial of service vulnerability exists when Active Directory Federation Services (ADFS) attempts to process certain input during forms-based authentication. An attacker who successfully exploits this vulnerability by sending certain input during forms-based authentication could cause the server to become nonresponsive. The update addresses the vulnerability by adding additional checks on input data during forms-based authentication.
• #24: Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. Has a Core patch, but also failed to install. We will be watching for a rerelease on this one. Network Policy Server RADIUS Implementation Denial of Service Vulnerability – CVE-2016-0050 A denial of service vulnerability exists when a Network Policy Server (NPS) improperly handles a Remote Authentication Dial-In User Service (RADIUS) authentication request. An unauthenticated attacker who successfully exploited this vulnerability could send specially crafted username strings to a Network Policy Server (NPS) causing a denial of service condition for RADIUS authentication on the NPS. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate user rights. To exploit the vulnerability, an attacker would need to have network access to the affected NPS and then create an application to send specially crafted RADIUS authentication requests to the NPS. The security update addresses the vulnerability by changing how the NPS parses username queries when implementing RADIUS.
• #26: Sign up for Content Announcements: Email http://www.shavlik.com/support/xmlsubscribe/ RSS http://protect7.shavlik.com/feed/ Twitter @ShavlikXML Follow us on: Shavlik on LinkedIn Twitter @ShavlikProtect Shavlik blog -> www.shavlik.com/blog Chris Goettl on LinkedIn Twitter @ChrisGoettl Sign up for webinars or download presentations and watch playbacks: http://www.shavlik.com/webinars/