Adobe Patch Tuesday - February 2016
APSB16-03: Adobe Photoshop CC and Bridge CC
3 critical vulnerabilities that could lead to code execution with a priority rating of 3 (low): CVE-2016-0951, CVE-2016-0952, CVE-2016-0953. You may have to download the updates directly from Adobe as they will not show up in Creative Cloud Packager!
22 critical vulnerabilities that could lead to code execution. The priority rating is 1 for Flash Player (including the Flash Player embedded in Chrome/Edge/Internet Explorer 11).
APSB16-05: Adobe Experience Manager
4 important vulnerabilities that could lead to information disclosure. This includes fixes for the Java deserialization issues.
3 important vulnerabilities that lead to input validation and content spoofing issues (including cross-site request forgery). The priority rating for this update is 1 (low).
Microsoft February 2016 Patch Tuesday
Overview of the February 2016 Microsoft patches and their status.
| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*): clients | ISC rating(*): servers |
|---|---|---|---|---|---|---|
| MS16-009 | Cumulative Security Update for Internet Explorer (Replaces MS16-001) | | | | | |
| | Internet Explorer | KB 3134220 | no. | Severity:Critical Exploitability: 1,2,1,1,1,1,1,1,1,3,4,1,3 | Critical | Critical |
| MS16-010 | MS16-010 was published as part of the January update. (Security Update in Microsoft Exchange Server to Address Spoofing (3124557)) | | | | | |
| MS16-011 | Cumulative Security Update for Microsoft Edge (Replaces KB3124266) | | | | | |
| | Microsoft Edge CVE-2016-0060, CVE-2016-0061, CVE-2016-0062, CVE-2016-0077, CVE-2016-0080, CVE-2016-0084 | KB 3134225 | no. | Severity:Critical Exploitability: 1,1,1,3,1,1 | Critical | Critical |
| MS16-012 | Remote Code Execution in PDF Library | | | | | |
| | Microsoft Windows PDF Library CVE-2016-0058 CVE-2016-0046 | KB 3138938 | no. | Severity:Critical Exploitability: 2,1 | Critical | Critical |
| MS16-013 | Remote Code Execution in Windows Journal (Replaces MS15-114) | | | | | |
| | Windows Journal CVE-2016-0038 | KB 3134811 | no. | Severity:Critical Exploitability: 2 | Critical | Critical |
| MS16-014 | Remote Code Execution in Microsoft Windows (Replaces MS16-007) | | | | | |
| | DLL Loading / Kerberos CVE-2016-0040 CVE-2016-0041 CVE-2016-0042 CVE-2016-0044 CVE-2016-0049 | KB 3134228 | no. | Severity:Important Exploitability: 2,2,1,3,2 | Critical | Important |
| MS16-015 | Remote Code Execution in Microsoft Office (Replaces MS16-004) | | | | | |
| | Microsoft Office CVE-2016-0022 CVE-2016-0052 CVE-2016-0053 CVE-2016-0054 CVE-2016-0055 CVE-2016-0056 | KB 3134226 | no. | Severity:Critical Exploitability: 1,3,1,1,1,1,1 | Critical | Important |
| MS16-016 | Elevation of Privilege Vulnerability in WebDAV (Replaces MS16-004) | | | | | |
| | WebDAV CVE-2016-0051 | KB 3136041 | no. | Severity:Important Exploitability: 2 | Important | Important |
| MS16-017 | Elevation of Privilege in Remote Desktop Display Driver (Replaces MS15-067 MS15-030) | | | | | |
| | Remote Desktop CVE-2016-0036 | KB 3134700 | no. | Severity:Important Exploitability: 2 | Important | Important |
| MS16-018 | Elevation of Privilege Vulnerability in Kernel Mode Drivers (Replaces MS16-005) | | | | | |
| | Kernel Mode Drivers CVE-2016-0048 | KB 3136082 | no. | Severity:Important Exploitability: 1 | Important | Important |
| MS16-019 | Denial of Service in .Net Framework (Replaces MS12-025) | | | | | |
| | .Net Framework CVE-2016-0033 CVE-2016-0047 | KB 3137893 | no. | Severity:Important Exploitability: 3,2 | Important | Important |
| MS16-020 | Denial of Service Vulnerability in Active Directory Federation Service (Replaces MS12-040) | | | | | |
| | Active Directory Federation Service CVE-2016-0037 | KB 3134222 | no. | Severity:Important Exploitability: 3 | Important | Important |
| MS16-021 | Denial of Service Vulnerability in NPS RADIUS Server (Replaces MS15-007) | | | | | |
| | Network Policy Server CVE-2016-0050 | KB 3133043 | no. | Severity:Important Exploitability: 3 | Important | Important |
We appreciate updates
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.
Out-of Order Java Update
Oracle released an emergency update for Java [1]. The nature of the flaw, and how the update fixes the flaw, is somewhat obscured. According to Oracle's advisory, the user would first have to install malicious software, then install Java. So it doesn't appear to be exploitable on any system that has Java already installed. The Oracle advisory also states that an exploit is complex.
At this point, I don't see a compelling reason to "rush out" this patch. Deal with it as part of your regular patch process. Some of the Microsoft patches to be released later today are likely more important.
[1] https://blogs.oracle.com/security/entry/security_alert_cve_2016_0603