Microsoft delivers major updates to Internet Explorer and Adobe Flash Player

windows pexels

This month Microsoft returns to form with 13 patches, with six rated as critical and the remaining seven rated as important. You'll notice that MS16-010 is missing -- that's because it was released last month on January 12th, with the standard January update cycle.

As always, I recommend a reboot after installing these updates, even if not explicitly required by Microsoft. In addition, some attention may be required on MS16-022 (the update to Adobe Flash Player) and the two kernel mode updates MS16-016 and MS16-018.

Shavlik is now producing a monthly infographic on Patch Tuesday which can be found here.

MS16-009 — Critical

Following Microsoft's usual patterns and practice, we begin the February Patch Tuesday release cycle with an update to Internet Explorer. MS16-009 addresses 13 reported vulnerabilities in Microsoft Internet Explorer 11, updating and replacing the first patch of the year (MS16-001). This update attempts to prevent a potential remote code execution scenario when a user visits a specially crafted web page. Given that this type of attack vector (or security vulnerability) is the most common weakness in a lot of organizations, make this Microsoft update a priority for your February patch cycle.

Microsoft has ended support for all legacy browsers as of last month (January). If you are running a Windows 7 (or more rarely an 8.x) platform, as each month passes it will become increasingly difficult and dangerous to manage these older browser versions. You can read more about Microsoft support and lifecycle policy here.

MS16-011 — Critical

Following on from this month's critical IE update, Microsoft has released MS16-011 to address six reported vulnerabilities in Microsoft Edge, which could potentially lead to a remote code execution scenario if a user opens a specially crafted web page. This update also addresses a number of memory handling and HTTPS security vulnerabilities. Add this update to your urgent patch release effort.

MS16-012 — Critical

MS16-012 attempts to address two reported vulnerabilities in the Microsoft Windows PDF library that could lead to a remote code execution scenario if specific Microsoft PDF API calls are not handled correctly. Interestingly, this update only affects modern Microsoft operating systems such as Windows 8.x, Windows 10 and Server 2012 Rx. This is contrary to the usual scenario where older systems are most at risk. Microsoft has not published any mitigating factors or workarounds for either of these two reported issues. Add this update to your standard patch deployment program.

MS16-013 — Critical

The next most important update for this February release is MS16-013. This patch to the Windows Journal system (.JNL files) could lead to a remote code execution scenario when a specially crafted JNL file is opened. This update affects all currently supported versions of Microsoft desktops and server platforms (32 and 64-bit). Microsoft has offered some advice on how to reduce the exposure through locking down access to JNL files. However, given the nature of this vulnerability, this is a "Patch Now" update from Microsoft.

MS16-015 — Critical

The second most important update for this patch cycle is MS16-015 which attempts to resolve seven reported vulnerabilities in Microsoft Office. This update is particularly urgent as several of the reported security issues relating to RTF files do not require any user interaction to trigger an attack on any vulnerable systems. In short, an attacker could send you an email with an attached RTF file, and just by receiving the email (without opening it or reading the attachment) your system could be compromised. This is a Patch Now update from Microsoft.

MS16-022 — Critical

Unusually for Microsoft, the final critical patch for this month's Patch Tuesday release does not deal with a Microsoft product. MS16-022 attempts to resolve 23 reported security vulnerabilities in Adobe Flash Player. For the last three years, Microsoft has been handling Adobe security patches via updates to Internet Explorer 10 and 11. Rolling up several security advisories into a single update, Microsoft has now changed how it addresses third party product updates. So actually, this patch is not so much an update to Flash, but an update to the Microsoft patch process. This is a "Patch Now" update from Microsoft.

MS16-014 — Important

MS16-014 is an important update to the Windows kernel that attempts to resolve seven reported issues that could lead to a potential remote code execution scenario. I think that this update would have been rated as critical by Microsoft if an attacker did not have to log on to the target system first. As with all system level updates, and especially with kernel-mode driver patches, MS16-014 needs some in-depth testing before deployment. Add this update to your standard patching schedule.

MS16-016 — Important

MS16-016 addresses a single reported vulnerability in the Microsoft WebDAV folder sharing component. WebDAV has generally fallen out of favor for most enterprises, and I expect that the exposure to this vulnerability is low or very low for most organizations. Add this update to your standard patch deployment effort.

MS16-017 — Important

MS16-017 is an important update that affects all modern Microsoft desktop and server platforms. This patch attempts to address a single, privately reported vulnerability in the desktop sharing RDP protocol. However,  unless you are exposing RDP to the internet (without a VPN) this should not pose a major security threat to your enterprise. Add this update to your standard patch deployment effort.

MS16-018 — Important

MS16-018 is an important update from Microsoft and the second update for this month to the Windows kernel driver sub-system. This update attempts to resolve seven reported issues that could lead to a potential remote code execution scenario. I think that this update would have been rated as critical by Microsoft if an attacker did not have to log on to the target system first. As with all system level updates, and especially with kernel-mode driver patches, MS16-018 needs some in-depth testing before deployment. Add this system level update to your standard patch effort.

MS16-019 — Important

MS16-019 attempts to address a single privately reported vulnerability in the Microsoft .NET framework (versions 2.x to 4.6) that could lead to a denial of service security issue. This is a big update, with a large number of files modified in this patch. Given the massive coverage of these changes, I would normally recommend an in-depth testing cycle. However, Microsoft has a very good record on delivering updates to the .NET framework, so add this update to your standard patch deployment effort.

MS16-020 — Important

MS16-020 addresses a single, privately reported vulnerability in Microsoft Active directory that could lead to a denial of service (DoS) security issue. This update appears to be relatively discrete with a small number of changes to non-core files. Add this update to your standard patch deployment effort.

MS16-021 — Important

MS16-021 attempts to resolve a single, privately reported DoS vulnerability in the Radius authentication system. This update contains a minor change to a single file. Add this update to your standard patch deployment effort.

Greg Lambert is an evangelist for Application Readiness, the online assessment and application conversion specialists. Greg is a co-founder of ChangeBASE, and now CEO of Application Readiness, and has considerable experience with application packaging technology and its deployment.

Copyright © 2016 IDG Communications, Inc.