March Patch Tuesday Closes Holes in Internet Explorer, Edge Browsers

Despite ending support for Internet Explorer 9 in January, Microsoft continued to issue patches.

Microsoft released 13 bulletins, including five critical updates to address remote code execution vulnerabilities, for March Patch Tuesday.

Both Internet Explorer (IE) and Microsoft Edge browsers received critical cumulative security updates that addressed remote code execution (RCE) vulnerabilities. MS16-023 resolves 13 vulnerabilities in IE that could give an attacker the same user rights as the current user and could allow the attacker to take control of the affected system.

Of the 13 vulnerabilities MS16-023 addresses, five are for IE 9, which was supposed to be decommissioned in January. “[MS16-023] actually replaces MS16-009 from the last baseline. MS16-009 was the very first patch that included support for IE9 after they officially deprecated the support,” said Robert Brown, director of services for Verismic Software. “So a lot of our customers are very happy because they are not ready to upgrade Internet Explorer 9 yet.”

The second critical cumulative security update, MS16-024, resolves 11 vulnerabilities in the Edge browser that could give an attacker the same rights as the current user.

Both browsers have received cumulative security updates every month since September 2015. “Because the Web gets more complicated and because it is always changing, it makes it very challenging to patch,” said Wolfgang Kandek, CTO for security vendor Qualys Inc., in Redwood City, Calif. “At this point, it is a certainty that the browsers will get an update every month.”

Some vulnerabilities rated more urgent

Microsoft has its own severity scoring system, but it doesn’t always rate the severity of its vulnerabilities correctly, said Brown. Its ratings are not always in alignment with the Common Vulnerability Scoring System (CVSS), an open industry standard for assessing the severity of a security vulnerability on a scale of 0 to 10. MS16-023 has a CVSS score of 9.3 and is rated critical by Microsoft, but MS16-025 has the same CVSS score and is rated only important.

Some security analysts feel this important-rated bulletin should be at the top of a Windows Server administrator’s to-do list because “that’s a vulnerability in the Windows library that will affect Windows Server systems, even if no one is logged into it,” said Brown. MS16-025 could allow an intruder to perform RCE through a vulnerability in the Microsoft Windows library on systems running Windows Vista and Windows Server 2008. The attacker would first need to get behind a system’s defenses to execute this attack.

Although Microsoft rated the updates for IE and Edge as critical, they did not receive the highest priority for the Windows Server operating system, said Brown.

“It’s very unlikely that anyone is using Internet Explorer on a server,” he said. “Usually servers are running in the background and don’t have an active user.”
