In its first Patch Tuesday update of 2016, Microsoft released nine updates to address vulnerabilities across various products, some of which could allow a remote attacker to take over an affected system if exploited.
“Microsoft isn’t messing around with the first Patch Tuesday of 2016,” said Russ Ernst, Senior Director, Product Management, HEAT Software. “Today’s release of 9 bulletins, 6 critical and 3 important, include the last available updates for the 2012 disaster that was Windows 8 – not 8.1 – and Internet Explorer versions 8, 9 and 10.”
“In total, January addresses 25 CVEs, 2 of which are critical, cumulative updates for IE in MS16-001. CVE-2016-0002 is shared with MS16-003, a scripting engine memory corruption vulnerability which could result in a remote code execution if a user visits a specially crafted webpage using IE,” Ernst said.
“MS16-004 is another critical update that impacts Office on Mac. If you’re using Mac or operating a heterogeneous environment, cross-platform vulnerabilities are out there and must be patched quickly,” Ernst added.
“MS16-10 should be on the top of all Outlook Web Access (OWA) administrators,” Craig Young, security researcher for Tripwire's Vulnerability and Exposure Research Team, told SecurityWeek. “This patch closes three vulnerabilities that could lead to significant and direct financial losses through so called business e-mail compromise (BEC).”
“If you're looking for patches to prioritize this month, Internet Explorer is likely at the top of your list. If you happen to be on Windows 10, you can add Edge to that list as well. Enterprises should definitely be aware of the Exchange update, since attackers can target users remotely,” added Tyler Reguly, security researcher and manager of Tripwire's Vulnerability and Exposure Research Team.
“Also of note on the Microsoft side is an advisory deprecating the SHA-1 hashing algorithm and product end of life for Internet Explorer and Windows XP Embedded,” said Chris Goettl, product manager with Shavlik.
Experts suggested that those still using IE should update to IE 11 or migrate to Edge.
For organizations that cannot make the switch to IE 11 right now, Tripwire security experts offered the following advice:
• Ensure all users are running as standard users on Windows browsers, rather than as administrator-level users on their local systems. This will mitigate the risk of many common browser-based malware attacks.
• Businesses with application requirements for older Web browsers should block browsing from vulnerable systems. This step will limit problems that tend to arise during the lunch hour when employees start exploring the Web.
• IT departments should consider deploying network protection rules to drop HTTP requests based on vulnerable user-agent strings. It may be possible for advanced users to change the user-agent string in an attempt to bypass these restrictions, but this step will reduce the attack surface of older browsers.
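As an added illustration of the user-agent rule in the last item (example code written for this page, not Tripwire's or Microsoft's), the following Python classifies IE versions from web-server log lines so that hosts still running IE 8, 9 or 10 can be identified for blocking or follow-up. It keys on the Trident engine token rather than the MSIE token because IE 11 in compatibility mode reports an older MSIE version; the log lines and IP addresses are constructed sample data.

```python
import re
from typing import List, Optional

# Trident (MSHTML) engine versions map directly to IE major versions.
# IE 11 in Compatibility View still reports "MSIE 7.0" but keeps "Trident/7.0",
# so the Trident token is the reliable signal of the real browser version.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}
MIN_SUPPORTED_IE = 11  # only IE 11 (and Edge) remain supported after this Patch Tuesday

MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"Trident/(\d+\.\d+)")
UA_FIELD_RE = re.compile(r'"([^"]*)"\s*$')  # last quoted field of a combined-format line

def ie_major_version(user_agent: str) -> Optional[int]:
    """Return the real IE major version for a User-Agent string, or None if it is not IE."""
    trident = TRIDENT_RE.search(user_agent)
    if trident:
        return TRIDENT_TO_IE.get(trident.group(1))
    msie = MSIE_RE.search(user_agent)
    if msie:
        return int(msie.group(1))  # pre-IE8 releases carry no Trident token
    return None

def should_block(user_agent: str) -> bool:
    """True when the UA identifies an IE release older than the minimum supported one."""
    version = ie_major_version(user_agent)
    return version is not None and version < MIN_SUPPORTED_IE

def hosts_to_block(log_text: str) -> List[str]:
    """Return client IPs from Apache combined-format log lines whose UA should be blocked."""
    flagged = []
    for line in log_text.splitlines():
        m = UA_FIELD_RE.search(line)
        if m and should_block(m.group(1)):
            flagged.append(line.split()[0])
    return flagged

# Constructed sample log lines (not real traffic): IE 9, IE 11 in compat mode, Edge, IE 6.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2016:10:01:02 +0000] "GET /intranet/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
10.0.0.6 - - [12/Jan/2016:10:01:05 +0000] "GET /intranet/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; rv:11.0)"
10.0.0.7 - - [12/Jan/2016:10:01:09 +0000] "GET /intranet/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36 Edge/13.10586"
10.0.0.8 - - [12/Jan/2016:10:01:11 +0000] "GET /intranet/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

if __name__ == "__main__":
    print(hosts_to_block(SAMPLE_LOG))  # ['10.0.0.5', '10.0.0.8']
```

The compat-mode line (10.0.0.6) is correctly left alone even though its MSIE token says 7.0, which is exactly the case a naive MSIE-only rule would get wrong.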
“It’s a cruel reality, but in an age of continual cyberthreats, there are no excuses for not carrying out browser updates,” said Erlin, director of IT security and risk strategy for Tripwire. “Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE 11. For applications that aren’t ready in time, IE 11 offers a ‘compatibility mode,’ which should provide an interim solution until those applications are modernized. If you don’t have a transition plan in place yet, now is the time to put one in place – the longer older versions of IE are unsupported, the more attackers will target them.”
Goettl also reminded that Oracle is gearing up for its quarterly CPU, expected to be released next Tuesday, January 19.