Microsoft Edge: A Poison Pill?

With March just around the corner, now is a good time to get a head start on spring cleaning. Updating your customers’ Microsoft software should be at the top of your list.

This month’s Patch Tuesday brings 13 bulletins that resolve more than 40 vulnerabilities. Of these 13 bulletins, six are rated “critical,” with the remainder rated “important.” Extra vigilance is critical, and end-user education is strongly recommended. This month, seven bulletins are marked as Remote Code Execution; such exploits rely on tricking employees into opening innocent-looking but malicious files. We had seven of these last month, too. Make sure you warn customers that their employees are the target du jour.

This month’s patch release highlights ongoing instability in Microsoft products, with many of the flaws being discovered by competitors such as Google, which now maintain dedicated teams focused on vulnerability assessment.

For example, MS16-009 now patches IE9. Has Microsoft made a U-turn after announcing only last month that pre-IE11 versions are being deprecated? This move could be a result of the “Google vs. Microsoft: Game of Flaws” article published by Kaspersky last month. The article revealed that Google stuck to its 90-day disclosure rule and informed Microsoft of a vulnerability only two days before its Patch Tuesday release, much to the annoyance of Chris Betz, senior director of the Microsoft Security Response Center.

MS16-022 also makes an appearance in this baseline. It is reported to bundle over 20 individual fixes and should be earmarked as a priority, says Wolfgang Kandek, CTO of Qualys. “MS16-022 leads our priority list at Qualys for this month, but none of the vulnerabilities described is in use in the wild,” says Kandek.

Microsoft Edge: A Poison Pill?

Microsoft Edge was released in October 2015, along with Windows 10. While Microsoft considers Edge its flagship browser, it hasn’t seen widespread enterprise adoption yet. That doesn’t, however, mean Edge isn’t installed on plenty of desktops.

Many companies believe that if an application is not in use, it does not need to be patched. Wrong. Industry research found that 80 percent of vulnerabilities were exploited after IT departments stopped patching software they had finished using. Companies that have Microsoft Edge installed are leaving themselves exposed to attack even if employees are not using it.

And note that often it is not the program itself that is vulnerable but the binary files within the operating system, says James Rowney, service manager for Verismic. “For the last four months the Edge browser has had, on average, more updates than IE,” says Rowney. “And since the pre-IE11 updates were deprecated last month, we would highly recommend the Edge update be considered a priority even if you don’t use it.”

We highly recommend that you deploy the fixes for all the critical vulnerabilities at your earliest convenience, with particular emphasis on MS16-009, MS16-011, MS16-015 and MS16-022, in that priority order. This recommendation combines the vendor severity rating, the vulnerability impact and the expected exploitation.
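To act on the two points above (patch Edge wherever it is installed, used or not, and push the four priority bulletins first), here is an added PowerShell audit for a Windows 10 host; it is not from the article or from any vendor quoted in it. The KB numbers are placeholders to be replaced with the KB IDs listed in each bulletin, and Get-HotFix only reports Windows updates, so the Office bulletin (MS16-015) needs a separate check against Office update history.

```powershell
# Added example, not the article's own code. Audits one Windows 10 host for:
#   (1) Edge presence: exposure comes from the binaries being installed, not used.
#   (2) Whether the updates for the four priority bulletins are installed.
# KB values are PLACEHOLDERS: fill them from each bulletin's Microsoft page.
$PriorityBulletins = [ordered]@{
    'MS16-009' = 'KB<placeholder-IE-KB>'
    'MS16-011' = 'KB<placeholder-Edge-KB>'
    'MS16-015' = 'KB<placeholder-Office-KB>'   # Office updates are not listed by Get-HotFix
    'MS16-022' = 'KB<placeholder-Flash-KB>'
}

# (1) Edge ships as an inbox AppX package on Windows 10.
$edge = Get-AppxPackage -Name 'Microsoft.MicrosoftEdge' -ErrorAction SilentlyContinue
if ($edge) {
    Write-Output "Edge present (version $($edge.Version)): patch it even if nobody uses it"
} else {
    Write-Output "Edge not present on this host"
}

# (2) Compare the installed Windows hotfix list with the required KBs.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing = @()
foreach ($bulletin in $PriorityBulletins.Keys) {
    $kb = $PriorityBulletins[$bulletin]
    if ($installed -contains $kb) {
        $state = 'installed'
    } else {
        $state = 'MISSING'
        $missing += $bulletin
    }
    Write-Output ('{0,-9} {1,-28} {2}' -f $bulletin, $kb, $state)
}

# Non-zero exit lets an RMM or scheduled task flag hosts that still need patching.
if ($missing.Count -gt 0) {
    Write-Output ("Priority bulletins missing: " + ($missing -join ', '))
    exit 1
}
exit 0
```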

The independent CVSS scores referenced below range from zero to 10. Vulnerabilities with a base score of 7.0 to 10.0 are High, those from 4.0 to 6.9 are Medium, and those from zero to 3.9 are Low.

Bulletin summaries (Bulletin ID, Impact, Restart Requirement, Severity Rating, Description):

Bulletin ID: MS16-009
Impact: Remote Code Execution
Restart Requirement: Requires restart
Severity Rating: Critical
Description: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploits this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Bulletin ID: MS16-011
Impact: Remote Code Execution
Restart Requirement: Requires restart
Severity Rating: Critical
Description: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Bulletin ID: MS16-012
Impact: Remote Code Execution
Restart Requirement: May require restart
Severity Rating: Critical
Description: This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if the Microsoft Windows PDF Library improperly handles application programming interface (API) calls, which could allow an attacker to run arbitrary code on the user’s system. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. However, an attacker would have no way to force users to download or open a malicious PDF document.

Bulletin ID: MS16-013
Impact: Remote Code Execution
Restart Requirement: May require restart
Severity Rating: Critical
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Bulletin ID: MS16-014
Impact: Remote Code Execution
Restart Requirement: Requires restart
Severity Rating: Important
Description: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker is able to log on to a target system and run a specially crafted application.

Bulletin ID: MS16-015
Impact: Remote Code Execution
Restart Requirement: May require restart
Severity Rating: Important
Description: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Bulletin ID: MS16-016
Impact: Elevation of Privilege
Restart Requirement: May require restart
Severity Rating: Important
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specifically crafted input to a server.

Bulletin ID: MS16-017
Impact: Elevation of Privilege
Restart Requirement: Requires restart
Severity Rating: Important
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an authenticated attacker logs on to the target system using RDP and sends specially crafted data over the connection. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

Bulletin ID: MS16-018
Impact: Elevation of Privilege
Restart Requirement: Requires restart
Severity Rating: Important
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. A reboot is required to complete this update.

Bulletin ID: MS16-019
Impact: Denial of Service
Restart Requirement: May require restart
Severity Rating: Important
Description: This security update resolves vulnerabilities in Microsoft .NET Framework. The more severe of the vulnerabilities could cause denial of service if an attacker inserts specially crafted XSLT into a client-side XML web part, causing the server to recursively compile XSLT transforms.

Bulletin ID: MS16-020
Impact: Denial of Service
Restart Requirement: May require restart
Severity Rating: Important
Description: This security update resolves a vulnerability in Active Directory Federation Services (ADFS). The vulnerability could allow denial of service if an attacker sends certain input data during forms-based authentication to an ADFS server, causing the server to become nonresponsive.

Bulletin ID: MS16-021
Impact: Denial of Service
Restart Requirement: May require restart
Severity Rating: Important
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could cause denial of service on a Network Policy Server (NPS) if an attacker sends specially crafted username strings to the NPS, which could prevent RADIUS authentication on the NPS.

Bulletin ID: MS16-022
Impact: Remote Code Execution
Restart Requirement: Requires restart
Severity Rating: Critical
Description: This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.