Microsoft Issues Nine Security Bulletins in First Update of 2016

In its first Patch Tuesday update of 2016, Microsoft released nine updates to address vulnerabilities across various products, some of which could allow a remote attacker to take over an affected system if exploited.

“Microsoft isn’t messing around with the first Patch Tuesday of 2016,” said Russ Ernst, Senior Director, Product Management, HEAT Software. “Today’s release of 9 bulletins, 6 critical and 3 important, includes the last available updates for the 2012 disaster that was Windows 8 – not 8.1 – and Internet Explorer versions 8, 9 and 10.”

“In total, January addresses 25 CVEs, 2 of which are critical, cumulative updates for IE in MS16-001. CVE-2016-0002 is shared with MS16-003, a scripting engine memory corruption vulnerability which could result in a remote code execution if a user visits a specially crafted webpage using IE,” Ernst said.

“MS16-004 is another critical update that impacts Office on Mac. If you’re using Mac or operating a heterogeneous environment, cross-platform vulnerabilities are out there and must be patched quickly,” Ernst added.

“MS16-10 should be on the top of all Outlook Web Access (OWA) administrators,” Craig Young, security researcher for Tripwire’s Vulnerability and Exposure Research Team, told SecurityWeek. “This patch closes three vulnerabilities that could lead to significant and direct financial losses through so-called business e-mail compromise (BEC).”

“If you’re looking for patches to prioritize this month, Internet Explorer is likely at the top of your list. If you happen to be on Windows 10, you can add Edge to that list as well. Enterprises should definitely be aware of the Exchange update, since attackers can target users remotely,” added Tyler Reguly, security researcher and manager of Tripwire’s Vulnerability and Exposure Research Team.

“Also of note on the Microsoft side is an advisory deprecating the SHA-1 hashing algorithm and product end of lifes for Internet Explorer and Windows XP Embedded,” said Chris Goettl, product manager with Shavlik.

Experts suggested that those still using older versions of IE should update to IE 11 or migrate to Edge.

For organizations that cannot make the switch to IE 11 right now, Tripwire security experts offered the following advice:

• Ensure all users are running as standard users on Windows browsers, rather than as administrator-level users on their local systems. This will mitigate the risk of many common browser-based malware attacks.

• Businesses with application requirements for older Web browsers should block browsing from vulnerable systems. This step will limit problems that tend to arise during the lunch hour when employees start exploring the Web.

• IT departments should consider deploying network protection rules to drop HTTP requests based on vulnerable user-agent strings. It may be possible for advanced users to change the user-agent string in an attempt to bypass these restrictions, but this step will reduce the attack surface of older browsers.  
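A sketch of the user-agent rule from the last bullet, added here as an example (it is not from the article or from Tripwire). It keys on the Trident engine token rather than the `MSIE` token, because IE 11 in compatibility mode announces itself as `MSIE 7.0` and a naive match would block a patched browser. The function names and sample requests are constructed for illustration.

```python
import re

# Trident engine major version -> real IE major version (IE 8 through IE 11).
TRIDENT_TO_IE = {4: 8, 5: 9, 6: 10, 7: 11}
MIN_SUPPORTED_IE = 11  # per the article, IE 8, 9 and 10 stop receiving updates

MSIE_RE = re.compile(r"\bMSIE (\d+)\.")
TRIDENT_RE = re.compile(r"\bTrident/(\d+)\.")


def real_ie_version(user_agent):
    """Return the installed IE major version, or None if the UA is not IE."""
    trident = TRIDENT_RE.search(user_agent)
    if trident and int(trident.group(1)) in TRIDENT_TO_IE:
        # The engine token survives compatibility mode; the MSIE token does not.
        return TRIDENT_TO_IE[int(trident.group(1))]
    msie = MSIE_RE.search(user_agent)
    if msie:
        return int(msie.group(1))  # IE 7 and older send no Trident token
    return None


def should_block(user_agent):
    """True when the request comes from an IE version below the supported one."""
    version = real_ie_version(user_agent)
    return version is not None and version < MIN_SUPPORTED_IE


def blocked_clients(requests):
    """Return (client, ie_version) for every request the rule would drop."""
    return [(client, real_ie_version(ua)) for client, ua in requests
            if should_block(ua)]


# Constructed sample traffic: (client name, User-Agent header).
SAMPLE_REQUESTS = [
    ("ws-01", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"),
    ("ws-02", "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"),
    ("ws-03", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)"),
    ("ws-04", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)"),
    ("ws-05", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
    ("ws-06", "Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0"),
]

if __name__ == "__main__":
    for client, version in blocked_clients(SAMPLE_REQUESTS):
        print(f"drop {client}: Internet Explorer {version}")
```

Because the header is client-controlled, the same classification is also useful run over proxy logs to inventory which machines still need the upgrade.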

“It’s a cruel reality, but in an age of continual cyberthreats, there are no excuses for not carrying out browser updates,” said Erlin, director of IT security and risk strategy for Tripwire. “Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE 11. For applications that aren’t ready in time, IE 11 offers a ‘compatibility mode,’ which should provide an interim solution until those applications are modernized. If you don’t have a transition plan in place yet, now is the time to put one in place – the longer older versions of IE are unsupported, the more attackers will target them.”

Adobe also today released its first series of security updates for 2016 to patch vulnerabilities affecting the company’s Acrobat and Reader products. Most of the security holes patched in Adobe Acrobat and Reader are use-after-free, double-free and memory corruption vulnerabilities that can be exploited for arbitrary code execution. The updates also fix a JavaScript API execution restriction bypass, and a code execution issue in Adobe Download Manager related to the directory search path used to find resources. 

 

Goettl also reminded users that Oracle is gearing up for its quarterly CPU, expected to be released next Tuesday, January 19.

Related: Internet Explorer 8, 9, 10 Lose Security Updates This Month

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
