Redmond released 13 security bulletins on yesterday’s Patch Tuesday. Six of them are rated as critical because they allow a hacker to execute malicious code on a machine from a remote location.
The critical flaws are in Internet Explorer (IE), Microsoft Edge, Windows PDF Library, Windows Journal, Microsoft Office, and Adobe Flash Player. Seven of the bulletins, which address WebDAV, Remote Desktop Display Driver, Windows Kernel-Mode Drivers, .NET Framework, Active Directory Federation Services, and NPS RADIUS Server, are rated important.
A Warning to IE Users
Patch Tuesday was game day for reverse engineers and exploit kit developers, Lane Thames, a researcher at advanced threat detection firm Tripwire, told us through a spokesperson. He said he expected both groups to analyze the February IE patches in MS16-009 so they can write exploits that target IE7 and IE8 users. Microsoft ended support for both versions of the Web browser last month.
“Users of these now highly vulnerable browsers should exercise extreme caution and plan to upgrade their systems as soon as possible,” Thames said. “Enterprise organizations that require these browsers due to legacy applications must ensure that these systems do not have access to external or untrusted Web sites.”
Internet Explorer 11 is the last version of Internet Explorer, and will continue to receive security updates, compatibility fixes, and technical support on Windows 7, Windows 8.1, and Windows 10. Version 11 provides better security, better performance and backward compatibility, according to Microsoft.
Adobe Gets Its Own Bulletin
Also this month, Adobe Flash Player embedded within Microsoft IE and Edge has finally received its own bulletin, according to Tyler Reguly, a researcher at Tripwire. He called the update a welcome change, which he hopes bodes well for other areas within Microsoft’s software portfolio.
“Active Directory Federation Services has seen increased usage across enterprises rolling out two-factor authentication,” Reguly added. “The vulnerability fixed in MS16-020 could mean increased downtime for said enterprises. This should likely rank high on the list of bulletins that enterprises will want to quickly test and deploy.”
A Dozen RCEs This Year
Yesterday’s Patch Tuesday marked the 12th remote code execution (RCE) bug Microsoft has patched in Windows Journal in just 10 months. This is particularly interesting because before 2015, Windows Journal vulnerabilities were basically unheard of, said Craig Young, a researcher at Tripwire.
“While the increased scrutiny of Windows Journal may be an indication of Microsoft’s successes in the tablet space, it is important to remember that the flaw is not limited to tablets,” he said. “In fact every piece of software installed on a computer adds to the potential attack surface even if that software is not frequently used.”