
Microsoft Unleashes 13 Bulletins, Six Critical



I'm going to start posting these the night of both the Office updates sent out on the first week of the month, and the regular Windows performance and security updates on the second Tuesday of each month, which is today for April.


This is a report on what vulnerabilities were patched, whether they are critical or not, and hopefully, those with limited bandwidth can make a special effort to get to a Free WiFi place for serious updates like today's critical patches.




"Microsoft today released a lucky 13 bulletins for April, with six rated critical and the others important. In total, Microsoft patched 29 unique CVEs for this round, with the most anticipated patch tied to Badlock.


Microsoft addressed a number of critical browser vulnerabilities found in Internet Explorer and Edge. In the case of IE, Microsoft warned (MS16-037) the browser could allow remote code execution if a user views a specially crafted webpage.


As for the Edge (MS16-038) bulletin, Microsoft said it has fixed a vulnerability tied to the way the browser handles objects in memory and how it handles cross-domain policies. Either could give attackers the same user rights as the current user and allow for remote code execution.


Other impacted software for the remaining critical patches includes Adobe Flash Player (MS16-050), Microsoft Office (MS16-042), Microsoft XML Core Services (MS16-040) and Microsoft Graphics Component (MS16-039).


Celebrity vulnerability Badlock was the most anticipated of the lot. The vulnerability (MS16-047) is a man-in-the-middle attack that targets Remote Procedure Call traffic and allows attackers to force a downgrade of the authentication level of the SAM and LSAD channels, and then allow an attacker to impersonate an authenticated user. Badlock, despite the hype, fell flat and was rated only important by Microsoft.


A more critical bulletin was in Microsoft Office (MS16-042), which allowed an attacker to cook up a special Microsoft Office file that, if opened, would unleash an attack allowing arbitrary code to run on a targeted system.


Perennial vulnerability candidate Adobe Flash Player also received a critical (MS16-050) update. This security update resolved issues tied to the way the player installed on Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10. Microsoft would only say the update fixed Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.


Another critical update (MS16-040) is tied to Microsoft XML Core Service, a set of services that allow applications written in JScript, VBScript and Microsoft development tools to be used together to build Windows-native XML-based applications. Microsoft said the vulnerability could allow remote code execution if a user clicks a specially crafted link that could allow an attacker to run malicious code remotely to take control of the user’s system.


The last critical vulnerability mentioned is tied to Microsoft Graphics Component (MS16-039) and the way the feature interacts with Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, and Microsoft Lync. Microsoft said it fixed how the Windows font library handles embedded fonts. It wrote, a specially crafted document could allow for remote code execution. It also noted, if a webpage contained a specially crafted embedded font, it could be game over for an Office user who would then be vulnerable to a remote attack.


Important patches addressed a denial of service vulnerability flaw found in the way Microsoft handles HTTP.sys (MS16-049). Another important fix addressed a Client/Server Run-Time Subsystem flaw (MS16-048) that could allow security features to be bypassed if an attacker logs on to a targeted system and runs a specially crafted application.


Microsoft also said important updates included (MS16-046), a Secondary Logon flaw that could allow an attacker to run arbitrary code as an administrator. Of interest to enterprise customers was the important update that fixed Windows Hyper-V virtualization software (MS16-045). According to Microsoft, the vulnerability allowed attackers to create a specially designed application that causes the Hyper-V software to run arbitrary code.


The last two include important vulnerabilities related to Microsoft Windows OLE (MS16-044) and .NET Framework (MS16-041). In the case of the Microsoft Windows OLE flaw, the vulnerability could allow an attacker to execute malicious software on a targeted system after the victim was tricked into clicking on a specially crafted program embedded in an email or website. In the case of the .NET Framework vulnerability, an attacker could gain local system access if a victim launched a malicious application."


Those MS info links that look like this (MS16-044) are hot links in the original article here: https://threatpost.com/microsoft-unleashes-13-bulletins-six-critical/117356/


This is a critical update batch; for those who would normally wait, I would suggest not. I have just done this batch of updates today on my 9 computers here, all Windows 10, and all different: tablets, desktops, laptops, mini desktops, All-in-One desktops and a tower desktop. Some were AMD processors, most are Intel i5 and 7, and several Atom tablets. They are both 32-bit and 64-bit, 2GB RAM, 4GB RAM and 8GB RAM. I doubt others here have that variety of machines at their disposal. So far no issues with any of them running the patches.



This topic is now archived and is closed to further replies.
