Microsoft Issues Nine Security Bulletins in First Update of 2016

In its first Patch Tuesday update of 2016, Microsoft released nine updates to address vulnerabilities across various products, some of which could allow a remote attacker to take over an affected system if exploited.

“Microsoft isn’t messing around with the first Patch Tuesday of 2016,” said Russ Ernst, Senior Director, Product Management, HEAT Software. “Today’s release of 9 bulletins, 6 critical and 3 important, include the last available updates for the 2012 disaster that was Windows 8 – not 8.1 – and Internet Explorer versions 8, 9 and 10.”  

“In total, January addresses 25 CVEs, 2 of which are critical, cumulative updates for IE in MS16-001. CVE-2016-0002 is shared with MS16-003, a scripting engine memory corruption vulnerability which could result in a remote code execution if a user visits a specially crafted webpage using IE,” Ernst said.

“MS16-004 is another critical update that impacts Office on Mac. If you’re using Mac or operating a heterogeneous environment, cross-platform vulnerabilities are out there and must be patched quickly,” Ernst added.

“MS16-10 should be on the top of all Outlook Web Access (OWA) administrators,” Craig Young, security researcher for Tripwire’s Vulnerability and Exposure Research Team, told SecurityWeek. “This patch closes three vulnerabilities that could lead to significant and direct financial losses through so-called business e-mail compromise (BEC).”

“If you’re looking for patches to prioritize this month, Internet Explorer is likely at the top of your list. If you happen to be on Windows 10, you can add Edge to that list as well. Enterprises should definitely be aware of the Exchange update, since attackers can target users remotely,” added Tyler Reguly, security researcher and manager of Tripwire’s Vulnerability and Exposure Research Team.

“Also of note on the Microsoft side is an advisory deprecating the SHA-1 hashing algorithm and product end of lifes for Internet Explorer and Windows XP Embedded,” said Chris Goettl, product manager with Shavlik.

Experts suggested that those still using IE should update to IE 11 or migrate to Edge.

For organizations that cannot make the switch to IE 11 right now, Tripwire security experts offered the following advice:

• Ensure all users are running as standard users on Windows browsers, rather than as administrator-level users on their local systems. This will mitigate the risk of many common browser-based malware attacks.

• Businesses with application requirements for older Web browsers should block browsing from vulnerable systems. This step will limit problems that tend to arise during the lunch hour when employees start exploring the Web.

• IT departments should consider deploying network protection rules to drop HTTP requests based on vulnerable user-agent strings. It may be possible for advanced users to change the user-agent string in an attempt to bypass these restrictions, but this step will reduce the attack surface of older browsers.  
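The user-agent rule from the last bullet, as an added example (not code from the article or from Tripwire). It assumes a policy that drops every IE release older than 11; the function names are hypothetical and the sample headers are constructed. It contrasts a rule that trusts the `MSIE` token with one that reads the `Trident` engine token, so an IE 11 client in compatibility view is not dropped by mistake.

```python
import re

# Trident engine version -> the IE release that ships it.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}
MIN_ALLOWED_IE = 11  # assumption: policy drops every IE older than 11

_MSIE = re.compile(r"\bMSIE (\d+)\.")
_TRIDENT = re.compile(r"\bTrident/(\d+\.\d+)")


def real_ie_version(user_agent):
    """Return the installed IE major version, or None if the UA is not IE."""
    trident = _TRIDENT.search(user_agent)
    if trident and trident.group(1) in TRIDENT_TO_IE:
        # The Trident token names the installed engine even when
        # compatibility view makes the MSIE token claim an older version.
        return TRIDENT_TO_IE[trident.group(1)]
    msie = _MSIE.search(user_agent)
    return int(msie.group(1)) if msie else None  # IE 7 and older: no Trident


def naive_decide(user_agent):
    """Weak rule: trusts the MSIE token alone."""
    msie = _MSIE.search(user_agent)
    return "drop" if msie and int(msie.group(1)) < MIN_ALLOWED_IE else "allow"


def decide(user_agent):
    """Corrected rule: drop only when the installed engine is outdated."""
    version = real_ie_version(user_agent)
    return "drop" if version is not None and version < MIN_ALLOWED_IE else "allow"


# Constructed sample User-Agent headers, one per case.
SAMPLES = {
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "ie10": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
    "ie11": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
    "ie11_compat": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0)",
    "edge": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) "
            "Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586",
}

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(f"{name:12} naive={naive_decide(ua):5} corrected={decide(ua)}")
```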

“It’s a cruel reality, but in an age of continual cyberthreats, there are no excuses for not carrying out browser updates,” said Erlin, director of IT security and risk strategy for Tripwire. “Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE 11. For applications that aren’t ready in time, IE 11 offers a ‘compatibility mode,’ which should provide an interim solution until those applications are modernized. If you don’t have a transition plan in place yet, now is the time to put one in place – the longer older versions of IE are unsupported, the more attackers will target them.”

Adobe also today released its first series of security updates for 2016 to patch vulnerabilities affecting the company’s Acrobat and Reader products. Most of the security holes patched in Adobe Acrobat and Reader are use-after-free, double-free and memory corruption vulnerabilities that can be exploited for arbitrary code execution. The updates also fix a JavaScript API execution restriction bypass, and a code execution issue in Adobe Download Manager related to the directory search path used to find resources. 

 

Goettl also noted that Oracle is gearing up for its quarterly CPU, expected to be released next Tuesday, January 19.

Related: Internet Explorer 8, 9, 10 Lose Security Updates This Month

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
