Beware: Windows 10 Feature Updates are Double Work!
Windows 10 Feature Updates (Windows 10 Servicing) will dominate the agenda of many IT Managers as Microsoft uses their new release method to introduce new operating system experiences and security enhancements for their flagship operating system. These are scheduled for release every 6 months until the end of extended support in October 2025.
Before you start your journey, you need to be aware that each feature update will have its own support for 18 months, forcing IT Managers to keep releasing these updates at least every 12 months. If you are still using Windows 10 version 1607, support has already ended.
Verismic recommends that IT managers plan out their Windows 10 Feature Updates as soon as it is publicly available. But Beware: upon installation of the Windows 10 Feature Update, any patch or update which has been deployed since the date of that feature update will have to be re-deployed to bring that system back up to date.
Robert Brown, Director of Services for Verismic says, “IT managers spend a lot of time planning and deploying their Windows updates each month. They need to understand that after installing any Windows 10 Feature Update, they will be effectively rolled back in time to the date of that release. Example Fig.1 below, next month if you apply 1803, you will have to re-deploy all updates since March – that could be over 40 updates per device. Use Syxsense to make re-deployment far easier and more efficient.”
Microsoft is giving IT Managers double the work, but Syxsense simplifies patching. Our Patch Manager quickly identifies any device in need of updates. Then a maintenance window can be created to deploy the updates after business hours, avoiding any loss in productivity.
Start a trial of Syxsense today.
Schedule Your Syxsense Demo
Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.
Earlier this month we learned that criminals gained access to certain files in Equifax’s system from mid-May to July by exploiting a weak point in website software.
The big lesson here: Prepare yourself; this will happen again. You should already assume you are affected by the Equifax hack, just to be safe. Here are three steps you should take to protect yourself.
It is becoming increasingly difficult for companies to protect online data. To prevent a catastrophe, it’s important to implement rigorous patch management methods.
Updates should be tested and deployed in a safe, but rapid fashion. Reports and audit logs should also be provided to track the status of any tasks or view any systems that have been improperly accessed.
Syxsense is the solution for managing your IT environment. Our content is thoroughly tested, so you can rely on a smooth deployment. Our reports and audit logs are detailed, so you won’t miss any critical information. With two-factor authentication and 2048-bit encryption, you won’t have to worry about your IT tool being a weak point.
Secure your environment and discover a better way to manage with Syxsense.
Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.
[dt_default_button link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial%2F|||” size=”big” button_alignment=”btn_center” icon_type=”picker” icon_picker=”fas fa-angle-double-right” icon_align=”right”]START YOUR FREE TRIAL OF SYXSENSE[/dt_default_button]
2016 was a big year for Syxsense. As a company, we are constantly growing, adding new features and always focused on our customers.
IT systems management is frequently changing and it’s crucial to keep up with the latest news, strategies and updates. Every month, we share the latest Microsoft and third-party patches, explaining which to prioritize and how to implement the most effective patch strategy.
With plenty of changes on the way for 2017, be sure to stay on top of patching and IT systems management in the new year. Even when other tasks fill up your to-do-list and seem more important, prioritizing patching is the best New Year’s resolution for any IT manager. Explore the highlights and some of our favorite content from the past year.
Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.
New year, new steer for Microsoft patching professionals
Microsoft has released four bulletins in total of which two are rated Critical and 2 rated Important. Last week, they released 22 KB non-security updates for Office 2013 / 16 and an update for Word Viewer.
Overall, this is a fairly uneventful release for the first month of 2017 with Microsoft seemingly winding down in preparation for the newly launched Security Updates Guide database that will become the monthly patch Tuesday resource as of next month.
This move on the face of things looks like a good idea, but how will this be perceived by businesses that are used to choosing their updates? This new practice changes the way information is referenced and will most certainly cause a headache for IT administrators who will have to rethink their whole patch management procedure.
James Rowney, Service Manager for Verismic said, “When I first read about this last year, I couldn’t believe that Microsoft were taking such a valiant step towards forcing updates. This really feels like Microsoft is taking an intermediary step towards mimicking the Apple approach of just applying a updates / patches without notification. While this approach does seem to work for Apple I am not so sure that Microsoft has an OS stable enough to follow this practice just yet.”
Chrome coming into its own
Google announced at the end of 2016 that they would be marking web pages as unsecure if the page is not served using HTTPS and holds personal data like login details or financial input tables. These changes will only apply from Chrome revision 56 onwards so we can expect to see this take gradual effect as browsers update as opposed to a flick of a switch scenario.
[vc_single_image image=”11077″]
These changes go hand in hand with Google’s plan to encourage its users to adopt secure login methods. There are obvious pitfalls here as HTTPS doesn’t keep certificates or TLS liberties up to date and webmasters could also see negative movement on their Google rankings. However, this is generally a positive step forward.
Google recently announced that they hit a milestone where more than 50% of their desktop pages now load over HTTPS. Further information and the official notification can be referenced here.
To help your IT Security Officers, we have chosen one update from this Patch Tuesday to prioritize this month. This recommendation has been made using evidence from industry experts (including our own), anticipated business impact and most importantly the independent CVSS score for the vulnerability.
MS17-003 – Late comer to this month’s releases is this security update to Adobe Flash Player, research indicates that this could have been a Zero Day release later in the week and affects all supported versions of Windows. The urgency to get this out shows the importance of this update, we recommend that this patch is rolled out with high priority at your earliest convenience.
The independent CVSS scores used in the table below range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9 as Medium, and 0-3.9 as Low.
Bulletin ID
Description
Impact
Restart Requirement
Severity
CVSS Score
MS17-001
Security Update for Microsoft Edge (3199709)
This security update resolves a vulnerability in Microsoft Edge. This vulnerability could allow an elevation of privilege if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited this vulnerability could gain elevated permissions on the namespace directory of a vulnerable system and gain elevated privileges
Elevation of Privilege
Requires restart
Important
6.1
MS17-002
Security Update for Microsoft Office (3214291)
This security update resolves a vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Remote Code Execution
May require restart
Critical
7.8
MS17-003
Security Update for Adobe Flash Player (3214628)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016
Remote Code Execution
May require restart
Critical
9.3
MS17-004
Security Update for Local Security Authority Subsystem Service (3216771)
A denial of service vulnerability exists in the way the Local Security Authority Subsystem Service (LSASS) handles authentication requests. An attacker who successfully exploited the vulnerability could cause a denial of service on the target system’s LSASS service, which triggers an automatic reboot of the system. The security update addresses the vulnerability by changing the way that LSASS handles specially crafted authentication requests.
Ever watch the end of year “World’s dumbest criminals?” You know the ones: the handsome gentleman caught on camera robbing a convenience store while his sidekick fills out a lottery form complete with name and address.
Unfortunately, cybercriminals aren’t quite so easy to catch. With ransomware incomes hitting almost $1 billion in 2016, what you can expect in 2017 is continued reinvention and more growth in the world of cybercrime.
Kaspersky declared 2016 to be the year of ransomware. This financial malware victimizes users and forces them to pay significant amounts of money to release systems from a locked state. Small businesses faced eight times more ransomware attacks in the third quarter of 2016 than in the same quarter of the prior year. Hardly a day goes by without a new ransomware attack or variant making headlines. Witness just a few of the attacks in 2016:
October, San Francisco public transportation ticketing machines and transit stations taken offline.
Hollywood Presbyterian Medical Center in Los Angeles had its ambulances diverted and access to medical records, x-rays, and CT scans denied.
Madison County, Indiana, suffered a widespread ransomware attack that shut down virtually all county services.
In May, The University of Calgary was attacked by a ransomware that locked staff, students and faculty out of their emails.
If anything, cybercriminals are getting smarter. In late December 2016, federal prosecutors charged hackers with insider trading. Using data garnered from the computer systems of U.S. law firms that handle mergers, hackers manipulated the stock market to generate more than $4 million in illegal profits.
Many cyber-attacks could be avoided if IT departments adopted a regular patch-deployment process. What difference can a small patch make? What was once a small crack in defenses transforms into computer crashes, data leaks, and corruption. Zero-day attacks are cyber-attacks against software flaws that are previously unknown.
The wily hacker searches for and ultimately finds an error, a loop hole, made by the programmer. Whether the programmer worked on the Windows operating system, your internet browser, Flash, or the myriad of other programs you rely on every day, coders are bound to make mistakes. Criminals love it. Zero-day loop holes exploit that human error.
[vc_single_image image=”11077″]
Because they rely on known entities like malware signatures or URL reputation, standard organizational defenses like virus protection or firewalls are powerless against zero-day threats.
The cybercriminal leverages the unknown and uses the time between when the loophole is found, and the leak is patched to do as much irreparable damage as possible.
Usually, these types of threats are possible only with some end-user permission, such as clicking OK or downloading a file. In 2016, Adobe announced a bug that affected customers by exploiting a vulnerability in a browser’s Flash plug-in. In this case, infection occurred by simply looking at an infected Web page. Breathing easy because you don’t use Windows? Don’t. Updates are required for OS X and Linux operating systems, too.
Terrifying to think a single employee could click a link, access a website, or download software and expose the entire organization to risk.
Among the predictions for next year from an Intel Security McAfee Labs report are an increase in attempts of dronejackings, more intrusive mobile phone hackings and malware aimed at exploiting the Internet of Things. Hackers will become increasingly adept at bypassing existing corporate defenses, and ransomware remains a top concern. Other threats growing in 2017?
Watering hole attacks, laser focused attacks on high valued targets
Class action lawsuits against companies that fail to protect customer’s personal data
Distributed Denial of Service (DDoS) attacks like the ones that temporarily took down Amazon, Twitter,Netflix and others
In its fourth annual “Data Breach Industry Forecast” white paper, security company Experian says it takes constant vigilance to stay ahead of emerging threats and increasingly sophisticated cybercriminals. “While some tried and true attacks continue to serve as go-to methods for hackers, there are evolving tools and targets that are likely to become front-page news in 2017. Organizations can’t wait until an attack happens to ensure they are protected—they need to look at the signs early on to start preparing for new types of security threats,” the report said.
With the 2017 onslaught of vulnerabilities, you’ll need a wall of defenses – combating attacks on multiple fronts. Patch and keep operating systems, antivirus, browsers, Adobe Flash Player, Quicktime, Java, and other software up-to-date. According to a Barkly study, common security safeguards including email filtering, firewalls, and antivirus aren’t enough to stop cybercriminals. They found 95 percent of ransomware attacks can bypass firewalls, and 100 % bypassed antivirus protection. Be sure to double down on protection in 2017. Are you using an automated patch management system? Do you have an organized method of discovering, evaluating, and deploying software updates?
What’s one guaranteed prediction for 2017? Programmers will keep making small mistakes, and hackers will continue to turn them into big profits. Someone ends up the victim, don’t let it be your business.
Grab your hot chocolate and bundle up: it’s time to stay inside and catch up on the latest Microsoft updates. On this day of December, Microsoft sent to us … 12 bulletins. The holiday month has come around again, and like last year Microsoft have delivered 12 more bulletins to keep us safe.
Of the 12 bulletins, 6 are rated Critical and 6 are rated Important. Last week Microsoft also released 31 KB updates covering Office version 2013 and 2016. Full details of that release can be found here.
What do you know about Microsoft’s Enhanced Mitigation Experience Toolkit (EMET)? Microsoft have announced that on 31st July 2018, it will be no longer supported. Why is EMET important? It’s important because it is a freeware security toolkit for Windows.
It provides a unified interface to enable and fine-tune Windows security features. It can be used as an extra layer of defense against malware attacks, after the firewall and before antivirus software.
[vc_single_image image=”11077″]
Robert Brown, Director of Services for Verismic says, “Microsoft have suggested Windows 10 has all the protection it needs and therefore no longer has a need for another layer of security.
Without EMET, customers will have a need greater than ever before to implement a patching policy. Does Windows 10 offer the same level of security? See for yourself here.”
This month to help your IT Security Officer we have chosen a few updates from the Microsoft Patch Tuesday to prioritize this month. This recommendation has been made using evidence from industry experts (including our own), anticipated business impact and most importantly the independent CVSS score for the vulnerability.
MS16-144 – This update addresses the vulnerabilities by correcting how Microsoft browser and affected components handle objects in memory, Microsoft browser checks Same Origin Policy for scripts running inside Web Workers and Scripting engines handle objects in memory. As it is publically disclosed and is used by a great number of our customers, we would recommend this be a priority this month.
MS16-145 – An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. As it is publically disclosed and is used by a great number of our customers, we would recommend this be a priority this month.
MS16-146 – This security update addresses the vulnerabilities by correcting how the Windows GDI component handles objects in memory.
]MS16-154 – The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.
The independent CVSS scores used in the table below range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9 as Medium, and 0-3.9 as Low.
Number
Bulletin ID
Description
Impact
Restart Requirement
Publically Disclosed
Exploited
Severity
CVSS Score
1
MS16-144
Cumulative Security Update for Internet Explorer (3204059)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Remote Code Execution
Yes
Yes
No
Critical
9.3
2
MS16-145
Cumulative Security Update for Microsoft Edge (3204062)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.
Remote Code Execution
Yes
Yes
No
Critical
9.3
3
MS16-146
Security Update for Microsoft Graphics Component (3204066)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Remote Code Execution
Yes
No
No
Critical
9.3
4
MS16-147
Security Update for Microsoft Uniscribe (3204063)
This security update resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Remote Code Execution
Yes
No
No
Critical
9.3
5
MS16-148
Security Update for Microsoft Office (3204068)
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Remote Code Execution
Maybe
No
No
Critical
9.3
6
MS16-149
Security Update for Microsoft Windows (3205655)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if a locally authenticated attacker runs a specially crafted application.
Elevation of Privilege
Yes
No
No
Important
6.8
7
MS16-150
Security Update for Secure Kernel Mode (3205642)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a locally-authenticated attacker runs a specially crafted application on a targeted system. An attacker who successfully exploited the vulnerability could violate virtual trust levels (VTL).
Elevation of Privilege
Yes
No
No
Important
6.8
8
MS16-151
Security Update for Windows Kernel-Mode Drivers (3205651)
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
Elevation of Privilege
Yes
No
No
Important
7.2
9
MS16-152
Security Update for Windows Kernel (3199709)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows kernel improperly handles objects in memory.
Information Disclosure
Yes
No
No
Important
1.7
10
MS16-153
Security Update for Common Log File System Driver (3207328)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to bypass security measures on the affected system allowing further exploitation.
Information Disclosure
Yes
No
No
Important
7.2
11
MS16-154
Security Update for Adobe Flash Player (3209498)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.
Remote Code Execution
Yes
NA
NA
Critical
NA
12
MS16-155
Security Update for .NET Framework (3205640)
This security update resolves a vulnerability in Microsoft .NET 4.6.2 Framework’s Data Provider for SQL Server. A security vulnerability exists in Microsoft .NET Framework 4.6.2 that could allow an attacker to access information that is defended by the Always Encrypted feature.
Information Disclosure
Yes
Yes
No
Important
2.1
Get Started
Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.
[dt_default_button link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial%2F|||” size=”big” button_alignment=”btn_center” icon_type=”picker” icon_picker=”fas fa-angle-double-right” icon_align=”right”]START YOUR FREE TRIAL OF SYXSENSE[/dt_default_button]
Today Microsoft have released 14 bulletins in total of which 6 are rated Critical and 8 are rated Important. Last week Microsoft also released 25 KB updates covering Office version 2010, 2013 and 2016.
Full details of that release can be found here. A couple months back we observed a trend where new age hackers were using old school techniques to expose a vulnerability in a system and to use that vulnerability to exploit malicious attacks. One of the newest features of Microsoft Office 2016 allows enterprise administrators to block users from running Macros inside Office documents that have originated from the Internet.
It does appear that Microsoft have also witnessed this trend and have made changes in order to protect their customers. We have also just learned that shortly they will be downgrading that functionality to Office 2013 enabling the same security to work in the same way it does in Office 2016. Robert Brown, Director of Services for Verismic says, “It’s great Microsoft are listening to their customers and their concerns.”
Office 2013 still has a massive market share with customers either unwilling or unable to upgrade quickly, offering this safety feature to Office 2013 will enable those customers to plan their upgrades properly and without the immediate urgency.
Microsoft are also adding detections for the BrowserModifier:Win32/Soctuseer rootkit in this month’s security release, helping to lessen interference to your browsing experience. No matter how it attempts to hide, though, most Soctuseer installations and system modifications will be uncovered and removed by the Microsoft Malicious Software Removal Tool (MSRT). We recommend our customers include this security update this within their monthly patching process, especially since it has been reported this month that one in three cyberattacks result in a security breach.
Twitter and Spotify “Dynied”
Shopping and social media sites were hit with a massive DDoS attack last week which caused three of the big names to be taken offline. Well known social media site Twitter and music sharing site Spotify are among the big names affected with many more suffering service disruptions. The focus of this attack was a company called Dyn who provide internet traffic to company websites as a service. It is believed by security analysts that the attack vector used “internet of things” as its way in.
For those not familiar, the internet of things or IoT is a term used to describe any user device which connects to the internet. Today’s IoT can be washing machines, heating controllers, IP CCTV, cars and even wireless baby monitors. Dyn provide a DNS service to large companies and was attacked using millions of devices commonly known as “bots” (unbeknown to the end user) on a “botnet” which were all infected with the “Mirai” malware.
The majority of these attacks originate in Asia and this DDoS was one was one of the largest out of China this year. Miari is a nasty little bug that trawls web for IoT devices with little or no protection and pre-set factory default access credentials. Once discovered, Mairi enlists the devices into its own botnet and proceeds to bombard targets with an overwhelming amount of requests / messages designed to overload the system and bring the website down. Cyber security expert Brian Krebs knows about this kind of attack all too well. A DDoS attack was launched on his site back in September with data overloads reaching 620 gigabits per second at its peak.
[vc_single_image image=”11071″]
James Rowney, Verismic Services Manager, commented “Attacks like these have been written into science fiction horror for decades, this is no longer science fiction, this is science fact. Be extra vigilant with your IT security.”
Set all network connected devices to use secure UserID and passwords, this is the first step to protecting yourself from being exploited in this manner.. If possible try to disconnect or power off devices that are not in use, might save you some electricity too!”
This month to help your IT Security Officers we have chosen a few updates from the Microsoft Patch Tuesday to prioritize this month. This recommendation has been made using evidence from industry experts (including our own), anticipated business impact and most importantly the independent CVSS score for the vulnerability.
MS16-129 – The update addresses the vulnerabilities by modifying how Microsoft browsers handles objects in memory, changing how the XSS filter in Microsoft browsers handle RegEx, modifying how the Chakra JavaScript scripting engine handles objects in memory and correcting how Microsoft Edge parses HTTP responses. This vulnerability has been publicly disclosed.
MS16-130 – The security update addresses the vulnerabilities by correcting how the Windows Input Method Editor (IME) loads DLLs requiring hardened UNC paths be used in scheduled tasks
MS16-132 – This update is actively being exploited which is why we recommend this be deployed as a priority this month. The security update addresses the vulnerabilities by correcting how the ATMFD component, the Windows Animation Manager, and the Windows Media Foundation handle objects in memory.
MS16-135 – Although this update is only marked as Important, the CVSS score tells us otherwise. It is also publically disclosed and has active exploits. We believe this should also be your priority this month.
The independent CVSS scores used in the table below range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9 as Medium, and 0-3.9 as Low.
Bulletin ID
Description
Impact
Restart Requirement
Publically Disclosed
Exploited
Severity
CVSS Score
MS16-129
Cumulative Security Update for Microsoft Edge (3199057)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.
Remote Code Execution
Yes
Yes
No
Critical
9.3
MS16-130
Security Update for Microsoft Windows (3199172)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a locally authenticated attacker runs a specially crafted application.
Remote Code Execution
Yes
No
No
Critical
9.3
MS16-131
Security Update for Microsoft Video Control (3199151)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution when Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.
Remote Code Execution
Yes
No
No
Critical
9.3
MS16-132
Security Update for Microsoft Graphics Component (3199120)
This security update resolves vulnerabilities in Microsoft Windows. The most severe being of the vulnerabilities could allow a remote code execution vulnerability exists when the Windows Animation Manager improperly handles objects in memory if a user visits a malicious webpage. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.
Remote Code Execution
Yes
No
Yes
Critical
9.3
MS16-133
Security Update for Microsoft Office (3199168)
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Remote Code Execution
Maybe
No
No
Important
9.3
MS16-134
Security Update for Common Log File System Driver (3193706)
This security update resolves vulnerabilities in Microsoft Windows. The vulnerability could allow elevation of privilege when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit these vulnerabilities by running a specially crafted application to take complete control over the affected system. An attacker who successfully exploits this vulnerability could run processes in an elevated context.
Elevation of Privilege
Yes
No
No
Important
7.2
MS16-135
Security Update for Windows Kernel-Mode Drivers (3199135)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
Elevation of Privilege
Yes
Yes
Yes
Important
7.2
MS16-136
Security Update for SQL Server (3199641)
This security update resolves vulnerabilities in Microsoft SQL Server. The most severe vulnerabilities could allow an attacker could to gain elevated privileges that could be used to view, change, or delete data; or create new accounts. The security update addresses these most severe vulnerabilities by correcting how SQL Server handles pointer casting.
Elevation of Privilege
Maybe
No
No
Important
9.0
MS16-137
Security Update for Windows Authentication Methods (3199173)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege. To exploit this vulnerability, the attacker would first need to authenticate to the target, domain-joined system using valid user credentials. An attacker who successfully exploited this vulnerability could elevate their permissions from unprivileged user account to administrator. The attacker could then install programs; view, change or delete data; or create new accounts. The attacker could subsequently attempt to elevate by locally executing a specially crafted application designed to manipulate NTLM password change requests.
Elevation of Privilege
Yes
No
No
Important
7.2
MS16-138
Security Update to Microsoft Virtual Hard Disk Driver (3199647)
This security update resolves vulnerabilities in Microsoft Windows. The Windows Virtual Hard Disk Driver improperly handles user access to certain files. An attacker could manipulate files in locations not intended to be available to the user by exploiting this vulnerability.
Elevation of Privilege
Yes
No
No
Important
NA
MS16-139
Security Update for Windows Kernel (3199720)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application to access sensitive information. A locally authenticated attacker could attempt to exploit this vulnerability by running a specially crafted application. An attacker can gain access to information not intended to be available to the user by using this method.
Elevation of Privilege
Yes
No
No
Important
7.2
MS16-140
Security Update for Boot Manager (3193479)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if a physically-present attacker installs an affected boot policy.
Security Feature Bypass
Yes
No
No
Important
1.7
MS16-141
Security Update for Adobe Flash Player (3202790)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.
Remote Code Execution
Yes
NA
NA
Critical
NA
MS16-142
Cumulative Security Update for Internet Explorer (3198467)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Remote Code Execution
Yes
Yes
No
Critical
9.3
[dt_default_button link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial%2F|||” size=”big” button_alignment=”btn_center” icon_type=”picker” icon_picker=”fas fa-angle-double-right” icon_align=”right”]START YOUR FREE TRIAL OF SYXSENSE[/dt_default_button]
Get Started
Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.
Today Microsoft have released 10 bulletins in total of which 5 are rated Critical, 4 are rated Important and a single is rated Moderate. Our clients need to be aware of a change in release strategy announced by Microsoft today which has been branded ‘patchocalypse’ by many Microsoft users. Their aim is to combine all updates into a single deployment package instead of issuing individual patches to remediate individual vulnerabilities, however it is not envisaged that all parts of their anticipated “rollup” be completed until early 2017.
However, we do not expect this to be a major disadvantage. It offers a major improvement in efficiency as it means less content to scan and less singular patch binaries to deploy throughout your environment, which in turn makes securing your environment easier – something which is already being done on the Windows 10 operating systems.
One of the downsides we can see is the ability to “rollback” an individual patch should an issue occur. In this new form, if any patch causes an issue on your systems then the only choice you have is to exclude the entire rollup. Robert Brown, Director of Services for Verismic says, “This is a really challenging time for an IT Security Officer. On the one hand you have to balance the safety of your network, and on the other you have to ensure any deployments do not significantly impact your helpdesk with undesired negative issues caused by that patch deployment. You may delay a while to see if any issues become public but in our experience, nothing beats a rigorous & transparent test plan.” Further details of this process can be found here.
Microsoft Office KB Updates
Last week Microsoft released 17 KB updates covering Office versions 2013 & 2016. This is one of the smallest releases we have seen for a while, possibly due because of the amount of work Microsoft have been spending to prepare for the patch rollup process above. Full details of that release can be found here.
[vc_single_image image=”11058″]
Urgent Adobe Flash Update Needed
Earlier this week Adobe have released a patch called APSB16-25 to resolve issues with Flash Player on both Windows, OS X and Linux which allows attackers to execute arbitrary code via unspecified vectors. This vulnerability has been rated CVSS 10, if you have not already made preparations to deploy this update please start those immediately without delay. This particular vulnerability is a nasty one as it can exploit your systems over a network and does not require any authentication – meaning any user at any time.
Cumulative Security Update for Internet Explorer (3192887)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Remote Code Execution
Yes
No
Yes
Critical
9.3
MS16-119
Cumulative Security Update for Microsoft Edge (3192890)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.
Remote Code Execution
Yes
No
Yes
Critical
9.3
MS16-120
Security Update for Microsoft Graphics Component (3192884)
This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, Silverlight, and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Remote Code Execution
Yes
No
Yes
Critical
9.3
MS16-121
Security Update for Microsoft Office (3194063)
This security update resolves a vulnerability in Microsoft Office. An Office RTF remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle RTF files. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
Remote Code Execution
Maybe
No
Yes
Critical
9.3
MS16-122
Security Update for Microsoft Video Control (3195360)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.
Remote Code Execution
Yes
No
No
Critical
9.3
MS16-123
Security Update for Windows Kernel-Mode Drivers (3192892)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
Elevation of Privilege
Yes
No
No
Critical
7.2
MS16-124
Security Update for Windows Registry (3193227)
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker can access sensitive registry information.
Elevation of Privilege
Yes
No
No
Important
1.7
MS16-125
Security Update for Diagnostics Hub (3193229)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
Elevation of Privilege
Yes
No
No
Important
7.2
MS16-126
Security Update for Microsoft Internet Messaging API (3196067)
This security update resolves a vulnerability in Microsoft Windows. An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploited this vulnerability could test for the presence of files on disk.
Information Disclosure
Yes
No
Yes
Moderate
4.3
MS16-127
Security Update for Adobe Flash Player (3194343)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
In this month’s patch updates from Microsoft there’s a total of 11 bulletins – four Critical and seven Important – covering 26 separate vulnerabilities. “We’re going to look at each of the four Critical updates in turn”, says Robert Brown, Director of Services at Verismic.
The first of the Critical updates from Microsoft, MS15-032, covers 10 separate vulnerabilities in Internet Explorer – nine of which are the most severe and can allow for remote code execution. However, there are two other Critical updates that you should be paying attention to – MS15-033 and MS15-034.
MS15-033 addresses five separate vulnerabilities in Microsoft Office, all of which could allow remote code execution. If that doesn’t encourage you to apply this patch, perhaps you should consider that one of the vulnerabilities within the update is currently being exploited in the wild. This is the only vulnerability in this month’s update that is known to be actively exploited.
The third Critical vulnerability has a CVSS of 10.0 from US-CERT, which is the highest rating possible. This patch should be your first priority above all others. Although the likelihood of this vulnerability being exploited is low it is a credible threat to your business and the potential damage it could cause is massive. The vulnerability can be exploited if an attacker sends a specially crafted HTTP request to an affected Windows system. Unlike the other Critical patches this month, MS15-034 requires no user interaction whatsoever, which makes it so dangerous.
The final Critical bulletin for April, like the first two this month, has a CVSS of 9.3. The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file. In all cases, however, an attacker would have no way to force users to take such actions; an attacker would have to convince users to do so, typically by way of enticements in email or Instant Messenger messages.
The remaining Important bulletins address vulnerabilities that could allow elevation of privilege, bypassing security features, information disclosures, and denial of service vulnerabilities.
Once you’ve prioritised your patches, I would always advise that you stage your roll out by testing and piloting the updates before deploying widely. This will help identify any compatibility issues. This should be done as standard each month, which is something we’ll always do for customers and MSPs through Syxsense.
Update no.
CVSS Score
Microsoft rating
Affected software
Details
MS15-034
10.0
Critical
Microsoft Windows
Vulnerability in HTTP.sys could allow remote code execution
MS15-032
9.3
Critical
Microsoft Windows, Internet Explorer
Cumulative security update for Internet Explorer
MS15-033
9.3
Critical
Microsoft Office
Vulnerabilities in Microsoft Office could allow remote code execution
MS15-035
9.3
Critical
Microsoft Windows
Vulnerability in Microsoft Graphics Component could allow remote code execution
MS15-038
7.2
Important
Microsoft Windows
Vulnerabilities in Microsoft Windows could allow elevation of privilege
MS15-037
6.9
Important
Microsoft Windows
Vulnerability in Windows Task Scheduler could allow elevation of privilege
MS15-036
4.3
Important
Microsoft Server Software, Productivity Software
Vulnerability in Microsoft SharePoint Server could allow elevation of privilege
MS15-039
4.3
Important
Microsoft Windows
Vulnerability in XML Core Services could allow security bypass feature
MS15-042
2.7
Important
Microsoft Windows
Vulnerability in Hyper-V could allow denial of service
MS15-041
2.6
Important
Microsoft Windows, Microsoft .NET Framework
Vulnerability in .NET Framework could allow information disclosure
MS15-040
1.9
Important
Microsoft Windows
Vulnerability in Active Directory Federation Services could allow information disclosure