blog

April Patch Tuesday: Badlock, Zero-Day, Ransomware Keep Us On Our Toes

Internet security

Robert BrownJust as dreams of summer vacation begin to occupy our thoughts, a nest of security risks crops up. This month’s Patch Tuesday consists of 13 security bulletins, six rated Critical and seven Important, remediating a total of 29 vulnerabilities.

One of the Critical bulletins, MS16-050, resolves nine vulnerabilities in Adobe Flash and was also released by Adobe as a Zero-Day update. We have nine remote-code execution and two elevation-of-privilege vulnerabilities, which should be marked Critical for any organization.

All 13 patches recommend a reboot to ensure remediation of the vulnerability; unfortunately, this might be a headache for admins and partners. Verismic suggests making the following vulnerabilities a priority this month based on vendor severity and CVSS scores: MS16-050, MS16,044, MS16-037/038 and 039.

2 Patch Tuesdays a Month?

When Microsoft announced that it is dividing Patch Tuesday into two segments, I have no doubt that partner technical leads and IT department heads pondered the question: Do we really need two Patch Tuesdays a month?

To make the process more palatable, Microsoft will provide feature and product updates on the first Tuesday, followed by security updates on the second Tuesday.

Let’s face it, it has to be better than last month’s situation of Office updates released over a course of 11 days.

The dividing of Patch Tuesday spawned a mammoth first release of non-security updates on April 5, with approximately 40 updates published for Office 2010, 2013 and 2016. Nothing was released for 2007, but Microsoft has yet to publish its official list.

We anticipate that if this strategy works for Office, operating systems will follow. It could mark the end of the standard Patch Tuesday — and added workload for partners and IT administrators.

More information and customer comments can be found on Microsoft Technet, here.

Zero-Day Threat Impacts All Versions of Flash

On April 8, Adobe announced a bug that is affecting customers in the wild by exploiting a vulnerability in a browser’s Flash plug-in. What makes this vulnerability so serious is that an end user only needs to access a website to become infected. To make matters worse, the malware could hand over complete control of a system to the attacker. A zero-day fix has been produced to address the issue.

Usually, these types of threats are possible only with some end-user permission, such as clicking OK or downloading a file. This vulnerability can cause infection by simply looking at an infected Web page.  

Don’t think that if you’re not using Windows that you have a free pass — updates are required for OS X and Linux operating systems, too. I strongly recommend taking this very seriously.

Ransomware: Does ‘Severity’ Mean ‘Priority’?

We’ve seen a rise in ransomware and backdoor malware impacting large organizations. Ransomware forces the affected end user or business to pay significant amounts of money to release systems from the locked state. Often, infected systems are not operational and cannot be cleaned with a traditional antivirus solution. Infection is commonly caused by what the industry calls “drops” delivered via innocent-looking emails and messages on websites asking users to click links or download software.

Following the drop, the infected system calls out to the Internet and waits for the attacker to access the PC and set the ransom. Teaching users not to click links, access websites or download untrusted software are the most cost-effective forms of defense. These simple practices minimize most risks associated with this type of threat. Ransomware has a hard time infecting systems without user interaction.

Unfortunately, education isn’t always effective — last year, ransomware cost victims more than $18 million The ransom fees varied from $200 to $10,000.

Recently, I noticed several cases when this type of vulnerability could have been avoided if the IT department had adopted a regular patch-deployment process. Even so, businesses that have adopted a regular patching process still become affected. The question is, Why did they remain susceptible? I wonder, are security officers using patch severity level alone when deciding which patches to apply immediately? Could this be a root cause?

Our research indicates that remote-code execution flaws offer ransomware purveyors the most opportunities to infect systems by targeting specific flaws in software or programs. My advice: Apply immediately any patch that fixes a remote-code execution.

In the latest 13 bulletins released by Microsoft, there are a total of nine remote-code execution vulnerability types. There is a good chance that one of these is being used to deploy the so-called drops on unpatched systems.

Also note that there is a general misconception that Apple’s Mac OS is not as prone to cyberinfections as Windows. This rings true for viruses, but malware and ransomware are on the increase for Macs. For example, more than 6,000 users of an app were affected on a single weekend when an attack tampered with the BitTorrent client code. By using a stolen developer certificate and re-signing the Transmission app, the built-in gatekeeper protection was bypassed.

There is no doubt that Mac OS ransomware will continue to pop up as attackers search for new and better ways to entrap users. While Apple’s Gatekeeper usually stops untrusted applications, it’s advisable to download only vetted apps from Apple’s App Store.

Patches:

MS16-037 & MS16-038 resolve six vulnerabilities each for Internet Explorer and Edge; the flaws could allow remote-code execution if a user views a specially crafted Web page using Internet Explorer. Note that a specially crafted Web page is increasingly becoming the tool of choice for the dispersal of ransomware.

MS16-039 resolves four vulnerabilities in .NET Framework, Microsoft Office, Skype for Business and Microsoft Lync. If users open a specially crafted document or visit a Web page that contains specially crafted embedded fonts, they could infect their systems if they have local admin access.

MS16-040 resolves a vulnerability that could allow remote-code execution if a user clicks a specially crafted link that could allow an attacker to run malicious code remotely to take control of the user’s system. When in control, depending on the user’s network privileges, the attacker could access data and or install further applications, including malware.

MS16-041 resolves a vulnerability in the Microsoft .NET Framework. A malicious application could be a Trojan or similar program designed for even greater infiltration of the system and potentially to steal data.

MS16-042 resolves four vulnerabilities in Microsoft Office that could allow remote-code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploits the vulnerabilities could run arbitrary code in the context of the current user. The attacker gains full control of the device and access to other machines across the network.

MS16-044 resolves a vulnerability in Microsoft Windows that could allow remote-code execution if Windows OLE fails to validate user input properly. Users become open to attack once they are convinced to click on a malicious URL or visit a malicious Web page.

MS16-045 resolves three vulnerabilities in Microsoft Hyper-V. The most severe of the vulnerabilities could allow remote-code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Users that do not have the Hyper-V role installed are not affected by this vulnerability.

MS16-046 resolves a vulnerability where an attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. This vulnerability is classified as Important by Microsoft and affects all versions of Windows 10. 

MS16-047 resolves vulnerabilities in Microsoft Windows that could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack. An attacker could then force a downgrade of the authentication level of the SAM and LSAD channels and impersonate an authenticated user. A man-in-the-middle attack occurs when an attacker re-routes communication between two users through the attacker’s computer without the knowledge of the two communicating users. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker while thinking they are communicating only with the intended user.

MS16-048 could allow security-feature bypass if an attacker logs on to a target system and runs a specially crafted application. The security update addresses the vulnerability by correcting how Windows manages process tokens in memory.

MS16-049 resolves a vulnerability in the HTTP protocol stack that could allow denial of service if an attacker sends a specially crafted HTTP packet to a target system.

MS16-050 resolves multiple vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1 and Windows 10. This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11 and Microsoft Edge. It will no doubt have a mirrored release from Adobe in it Patch Tuesday bulletin.

The independent CVSS scores used in the table below range from 0 to 10. Vulnerabilities with a base score in the range 7.0 to 10.0 are High, those in the range 4.0 to 6.9 are rated Medium, and 0 to 3.9 are considered Low.

Updates:

MS16-037: Cumulative Security Update for Internet Explorer (3148531)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged-on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs, as well as view, change, or delete data, and even create new accounts with full user rights.

MS16-038: Cumulative Security Update for Microsoft Edge (3148532)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted web page using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-039: Security Update for Microsoft Graphics Component (3148522)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)

This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a web page that contains specially crafted embedded fonts.

MS16-040: Security Update for Microsoft XML Core Services (3148541)
(Restart: May Require Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote-code execution if a user clicks a specially crafted link that could allow an attacker to run malicious code remotely to take control of the user’s system. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.

MS16-041: Security Update for .NET Framework (3148789)
(Restart: May Require Restart, Vulnerability Impact: Remote Code Execution, Severity: Important, CVSS Score: 9.3)

This security update resolves a vulnerability in the Microsoft .NET Framework. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application.

MS16-042: Security Update for Microsoft Office (3148775)
(Restart: May Require Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 9.3)

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker, who successfully exploited the vulnerabilities, could run arbitrary code in the context of the current user. Customers, whose accounts are configured to have fewer user rights on the system, could be less impacted than those who operate with administrative user rights.

MS16-044: Security Update for Windows OLE (3146706)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Important, CVSS Score: 9.3)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote-code execution if Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. However, an attacker must first convince a user to open either a specially crafted file or a program from either a Web page or an email message.

MS16-045: Security Update for Windows Hyper-V (3143118)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Important, CVSS Score: 7.4)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote-code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.

MS16-046: Security Update for Secondary Logon (3148538)
(Restart: Requires Restart, Vulnerability Impact: Elevation of Privilege, Severity: Important, CVSS Score: 7.2)

This security update resolves a vulnerability in Microsoft Windows. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator.

MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527)
(Restart: Requires Restart, Vulnerability Impact: Elevation of Privilege, Severity: Important, CVSS Score: 4.3)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack. An attacker could then force a downgrade of the authentication level of the SAM and LSAD channels and impersonate an authenticated user.

MS16-048: Security Update for CSRSS (3148528)
(Restart: Requires Restart, Vulnerability Impact: Security Feature Bypass, Severity: Important, CVSS Score: 7.2)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker logs on to a target system and runs a specially crafted application.

MS16-049: Security Update for HTTP.sys (3148795)
(Restart: Requires Restart, Vulnerability Impact: Denial of Service, Severity: Important, CVSS Score: 7.8)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to a target system.

MS16-050: Security Update for Adobe Flash Player (3154132)
(Restart: Requires Restart, Vulnerability Impact: Remote Code Execution, Severity: Critical, CVSS Score: 10)

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1 and Windows 10.

Robert Brown is the director of services at Verismic, a global leader in cloud IT management technology, green solutions and business network software systems.


Leave a comment

Your email address will not be published. Required fields are marked *

The ID is: 53149