Unfortunately, education isn’t always effective — last year, ransomware cost victims more than $18 million. The ransom fees varied from $200 to $10,000.
Recently, I noticed several cases in which this type of vulnerability could have been avoided if the IT department had adopted a regular patch-deployment process. Even so, businesses that have adopted a regular patching process still become affected. The question is, why did they remain susceptible? I wonder, are security officers using the patch severity level alone when deciding which patches to apply immediately? Could this be a root cause?
Our research indicates that remote-code execution flaws offer ransomware purveyors the most opportunities to infect systems by targeting specific flaws in software or programs. My advice: apply immediately any patch that fixes a remote-code execution flaw, regardless of its severity rating.
In the latest 13 bulletins released by Microsoft, there are a total of nine remote-code execution vulnerability types. There is a good chance that one of these is being used to deploy the so-called drops on unpatched systems.
Also note that there is a general misconception that Apple’s Mac OS is not as prone to cyberinfections as Windows. This rings true for viruses, but malware and ransomware are on the increase for Macs. For example, more than 6,000 users of an app were affected on a single weekend when an attack tampered with the BitTorrent client code. By using a stolen developer certificate and re-signing the Transmission app, the attackers bypassed the built-in Gatekeeper protection.
There is no doubt that Mac OS ransomware will continue to pop up as attackers search for new and better ways to entrap users. While Apple’s Gatekeeper usually stops untrusted applications, it’s advisable to download only vetted apps from Apple’s App Store.
Patches:
MS16-037 & MS16-038 resolve six vulnerabilities each for Internet Explorer and Edge; the flaws could allow remote-code execution if a user views a specially crafted Web page using Internet Explorer. Note that a specially crafted Web page is increasingly becoming the tool of choice for the dispersal of ransomware.
MS16-039 resolves four vulnerabilities in .NET Framework, Microsoft Office, Skype for Business and Microsoft Lync. If users open a specially crafted document or visit a Web page that contains specially crafted embedded fonts, they could infect their systems if they have local admin access.
MS16-040 resolves a vulnerability that could allow remote-code execution if a user clicks a specially crafted link, letting an attacker run malicious code remotely and take control of the user’s system. Once in control, and depending on the user’s network privileges, the attacker could access data and/or install further applications, including malware.
MS16-041 resolves a vulnerability in the Microsoft .NET Framework. A malicious application could be a Trojan or similar program designed for even greater infiltration of the system and potentially to steal data.
MS16-042 resolves four vulnerabilities in Microsoft Office that could allow remote-code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploits the vulnerabilities could run arbitrary code in the context of the current user. The attacker gains full control of the device and access to other machines across the network.
MS16-044 resolves a vulnerability in Microsoft Windows that could allow remote-code execution if Windows OLE fails to validate user input properly. Users become open to attack once they are convinced to click on a malicious URL or visit a malicious Web page.
MS16-045 resolves three vulnerabilities in Microsoft Hyper-V. The most severe of the vulnerabilities could allow remote-code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Users that do not have the Hyper-V role installed are not affected by this vulnerability.
MS16-046 resolves a vulnerability that an attacker could exploit to run arbitrary code as an administrator. This vulnerability is classified as Important by Microsoft and affects all versions of Windows 10.
MS16-047 resolves vulnerabilities in Microsoft Windows that could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack. An attacker could then force a downgrade of the authentication level of the SAM and LSAD channels and impersonate an authenticated user. A man-in-the-middle attack occurs when an attacker re-routes communication between two users through the attacker’s computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker while thinking they are communicating only with the intended user.
MS16-048 could allow security-feature bypass if an attacker logs on to a target system and runs a specially crafted application. The security update addresses the vulnerability by correcting how Windows manages process tokens in memory.
MS16-049 resolves a vulnerability in the HTTP protocol stack that could allow denial of service if an attacker sends a specially crafted HTTP packet to a target system.
MS16-050 resolves multiple vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1 and Windows 10. This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11 and Microsoft Edge. It will no doubt have a mirrored release from Adobe in its Patch Tuesday bulletin.
The independent CVSS scores used in the table below range from 0 to 10. Vulnerabilities with a base score in the range 7.0 to 10.0 are High, those in the range 4.0 to 6.9 are rated Medium, and 0 to 3.9 are considered Low.
Updates:
MS16-037: Cumulative Security Update for Internet Explorer (3148531)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged-on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs, as well as view, change, or delete data, and even create new accounts with full user rights.
MS16-038: Cumulative Security Update for Microsoft Edge (3148532)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted web page using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.
MS16-039: Security Update for Microsoft Graphics Component (3148522)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)
This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a web page that contains specially crafted embedded fonts.
MS16-040: Security Update for Microsoft XML Core Services (3148541)
(Restart: May Require Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote-code execution if a user clicks a specially crafted link that could allow an attacker to run malicious code remotely to take control of the user’s system. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.
MS16-041: Security Update for .NET Framework (3148789)
(Restart: May Require Restart, Vulnerability Impact: Remote Code Execution, Severity: Important, CVSS Score: 9.3)
This security update resolves a vulnerability in the Microsoft .NET Framework. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application.
MS16-042: Security Update for Microsoft Office (3148775)
(Restart: May Require Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker, who successfully exploited the vulnerabilities, could run arbitrary code in the context of the current user. Customers, whose accounts are configured to have fewer user rights on the system, could be less impacted than those who operate with administrative user rights.
MS16-044: Security Update for Windows OLE (3146706)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Important, CVSS Score: 9.3)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote-code execution if Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. However, an attacker must first convince a user to open either a specially crafted file or a program from either a Web page or an email message.
MS16-045: Security Update for Windows Hyper-V (3143118)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Important, CVSS Score: 7.4)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote-code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.
MS16-046: Security Update for Secondary Logon (3148538)
(Restart: Requires Restart, Vulnerability Impact: Elevation of Privilege, Severity: Important, CVSS Score: 7.2)
This security update resolves a vulnerability in Microsoft Windows. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator.
MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527)
(Restart: Requires Restart, Vulnerability Impact: Elevation of Privilege, Severity: Important, CVSS Score: 4.3)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack. An attacker could then force a downgrade of the authentication level of the SAM and LSAD channels and impersonate an authenticated user.
MS16-048: Security Update for CSRSS (3148528)
(Restart: Requires Restart, Vulnerability Impact: Security Feature Bypass, Severity: Important, CVSS Score: 7.2)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker logs on to a target system and runs a specially crafted application.
MS16-049: Security Update for HTTP.sys (3148795)
(Restart: Requires Restart, Vulnerability Impact: Denial of Service, Severity: Important, CVSS Score: 7.8)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to a target system.
MS16-050: Security Update for Adobe Flash Player (3154132)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 10)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1 and Windows 10.
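The advice earlier in this article is to prioritize by vulnerability impact (remote-code execution first) rather than by vendor severity alone, and to read the CVSS bands as High (7.0–10.0), Medium (4.0–6.9) and Low (0–3.9). The following is an added example, not code from the article or from Microsoft, that turns the bulletin list above into a deployment order. It parses the title and attribute lines exactly as printed above, bands each CVSS score, and ranks RCE fixes ahead of everything else; the tie-breaking order (CVSS descending, then vendor severity, then bulletin ID) is an assumption of this example, as is the `rce_rated_below_critical` helper that shows which RCE bulletins a severity-only policy would defer.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Bulletin metadata copied from the article's update list (title line + attribute line per bulletin).
BULLETINS = """
MS16-037: Cumulative Security Update for Internet Explorer (3148531)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)
MS16-038: Cumulative Security Update for Microsoft Edge (3148532)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)
MS16-039: Security Update for Microsoft Graphics Component (3148522)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)
MS16-040: Security Update for Microsoft XML Core Services (3148541)
(Restart: May Require Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)
MS16-041: Security Update for .NET Framework (3148789)
(Restart: May Require Restart, Vulnerability Impact: Remote Code Execution, Severity: Important, CVSS Score: 9.3)
MS16-042: Security Update for Microsoft Office (3148775)
(Restart: May Require Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)
MS16-044: Security Update for Windows OLE (3146706)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Important, CVSS Score: 9.3)
MS16-045: Security Update for Windows Hyper-V (3143118)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Important, CVSS Score: 7.4)
MS16-046: Security Update for Secondary Logon (3148538)
(Restart: Requires Restart, Vulnerability Impact: Elevation of Privilege, Severity: Important, CVSS Score: 7.2)
MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527)
(Restart: Requires Restart, Vulnerability Impact: Elevation of Privilege, Severity: Important, CVSS Score: 4.3)
MS16-048: Security Update for CSRSS (3148528)
(Restart: Requires Restart, Vulnerability Impact: Security Feature Bypass, Severity: Important, CVSS Score: 7.2)
MS16-049: Security Update for HTTP.sys (3148795)
(Restart: Requires Restart, Vulnerability Impact: Denial of Service, Severity: Important, CVSS Score: 7.8)
MS16-050: Security Update for Adobe Flash Player (3154132)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 10)
"""

TITLE_RE = re.compile(r"^(MS\d{2}-\d{3}): (.+?) \((\d+)\)$")
ATTR_RE = re.compile(
    r"^\(Restart: (.+?), Vulnerability Impact: (.+?), Severity: (.+?), CVSS Score: ([\d.]+)\)$"
)
# Vendor severity order; anything unknown sorts last (assumption of this example).
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass
class Bulletin:
    bulletin_id: str
    title: str
    kb: str
    restart: str
    impact: str
    severity: str
    cvss: float


def cvss_band(score: float) -> str:
    """Band a CVSS base score using the ranges given in the article."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def parse_bulletins(text: str) -> list[Bulletin]:
    """Parse alternating title/attribute lines into Bulletin records."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected title/attribute line pairs")
    parsed = []
    for title_line, attr_line in zip(lines[0::2], lines[1::2]):
        t, a = TITLE_RE.match(title_line), ATTR_RE.match(attr_line)
        if not t or not a:
            raise ValueError(f"unparseable bulletin: {title_line!r}")
        parsed.append(Bulletin(t.group(1), t.group(2), t.group(3),
                               a.group(1), a.group(2), a.group(3), float(a.group(4))))
    return parsed


def deploy_order(bulletins: list[Bulletin]) -> list[Bulletin]:
    """RCE fixes first (the article's advice), then CVSS descending, severity, ID."""
    return sorted(bulletins, key=lambda b: (b.impact != "Remote Code Execution",
                                            -b.cvss, SEVERITY_RANK.get(b.severity, 9), b.bulletin_id))


def first_wave(bulletins: list[Bulletin]) -> list[str]:
    """IDs to apply immediately: every bulletin whose impact is remote-code execution."""
    return [b.bulletin_id for b in deploy_order(bulletins) if b.impact == "Remote Code Execution"]


def rce_rated_below_critical(bulletins: list[Bulletin]) -> list[str]:
    """RCE fixes a severity-only policy would defer because Microsoft rated them below Critical."""
    return [b.bulletin_id for b in deploy_order(bulletins)
            if b.impact == "Remote Code Execution" and b.severity != "Critical"]


if __name__ == "__main__":
    for b in deploy_order(parse_bulletins(BULLETINS)):
        print(f"{b.bulletin_id}  {b.impact:<26} {b.severity:<10} CVSS {b.cvss:<4} ({cvss_band(b.cvss)})")
    print("Deferred by severity-only triage:", rce_rated_below_critical(parse_bulletins(BULLETINS)))
```

Running it lists all thirteen bulletins in deployment order and singles out MS16-041, MS16-044 and MS16-045: all three fix remote-code execution but carry an Important rating, so a process that gates on vendor severity alone would leave them in the second wave even though two of them share the 9.3 CVSS score of the Critical browser and Office updates.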
This article was originally published on Channel Partners.