Talos, Cisco’s security research division posted their thoughts on the latest Microsoft Patch Tuesday release along with associated SNORT rules to protect systems from exploiting associated vulnerabilities. The original post can be found HERE.
Patch Tuesday for March 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains 13 bulletins addressing 44 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Edge, Graphic Fonts, Internet Explorer, Windows Media Player, and Window PDF. The remaining eight bulletins are rated important and address vulnerabilities in .NET, Office, and several other Windows components.
Bulletins Rated Critical
Microsoft bulletins MS16-023, MS16-024, and MS16-026 through MS16-028 are rated as critical in this month’s release.
MS16-023 and MS16-024 are this month’s Internet Explorer and Edge security bulletin respectively. In total, 24 vulnerabilities between the two bulletins were addressed with five vulnerabilities in common (meaning that both Edge and IE are affected by the same five vulnerabilities). The IE security bulletin addresses 13 memory corruption vulnerabilities while the Edge bulletin addresses 10 memory corruption flaws and one information disclosure bug that manifests as a result of Edge improperly handling referrer policy, potentially leaking the user’s request content or browsing history.
MS16-026 addresses two privately reported vulnerabilities in the Windows Adobe Type Manager Library. The most severe vulnerability of the two, CVE-2016-0121, is a remote code execution vulnerability while the other vulnerability, CVE-2016-0120, is considered moderate due to it being a denial of service flaw. Both vulnerabilities manifest as a failure to correctly parse OpenType fonts. Exploitation of these two vulnerabilities is achievable if a user opens a specifically crafted document, or if they navigate to a webpage containing specifically crafted embedded OpenType fonts. Note that workarounds to help reduce the risk of an attacker exploiting these vulnerabilities are available. For more information, please refer to the security bulletin.
MS16-027 addresses two critical vulnerabilities in Windows Media Player. Both CVE-2016-0101 and CVE-2016-0098 are remote code execution vulnerabilities that manifest as a result of improperly parsing media content. Exploitation of these vulnerabilities is achievable if, for example, an attacker embeds specifically crafted media content on a website that a user navigates to.
MS16-028 addresses two vulnerabilities in the Windows PDF Library that could lead to arbitrary code execution. CVE-2016-0117 and CVE-2016-0118 both manifest as a flaw in how the library parses a PDF file. Exploitation of these two vulnerabilities is achievable if a user were to open a specifically crafted PDF file. Note that any arbitrary code execution as a result of exploiting one of these two vulnerabilities would be limited to the context of the current user.
Bulletins Rated Important
Microsoft bulletins MS16-025, and MS16-029 through MS16-035 are rated as important in this month’s release.
MS16-025 addresses CVE-2016-0100, which is a arbitrary code execution vulnerability resulting from an input validation flaw during library loading. This vulnerability manifests when Windows fails to properly validate and sanitize input before loading certain libraries. An authenticated attacker who executes a maliciously crafted application that exploits this vulnerability would then be able to execute arbitrary code in the context of the current user. Note that this vulnerability only impacts Windows Vista Service Pack 2 and Windows 2008 Service Pack 2 (not Server 2008 R2).
MS16-029 is this month’s Office security bulletin which addresses three privately reported vulnerabilities. Two the vulnerabilities (CVE-2016-0021 and CVE-2016-0134) are memory corruption vulnerabilities that manifest as a result of improperly parsing an Office document file and could lead to arbitrary code execution. The third vulnerability, CVE-2016-0057, is a security feature bypass that manifests due to an Office binary being improperly signed. Exploitation of CVE-2016-0057 is achievable if an attacker has write privileges to where the invalidly signed binary resides and overwrites the invalidly signed binary with one that contains malicious code.
MS16-030 addresses two privately reported vulnerabilities in Windows Object Linking and Embedded (OLE). CVE-2016-0091/0092 are both arbitrary code execution vulnerabilities that manifest as a result of Windows OLE failing to properly validate and sanitize input. Exploitation of these two vulnerabilities is achievable if a user executes a maliciously crafted application, leading to addition arbitrary code executing in the context of the current user.
MS16-031 addresses CVE-2016-0087, a privately reported privilege escalation flaw within Windows. CVE-2016-0087 manifests as a result of Windows failing to properly validate and enforce user impersonation levels. Exploitation of this vulnerability is achievable if an authenticated attacker executes a specifically written application that exploits this flaw. Note that only Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.
MS16-032 addresses CVE-2016-0099, a privately reported privilege escalation vulnerability in the Windows Secondary Logon Service. CVE-2016-0099 manifests as a failure by the Windows Secondary Logon Service to handle requests in memory. As a result, an authenticated attacker who executes a specifically crafted executable that is designed to exploit this flaw could obtain administrative privileges on the targeted system.
MS16-033 addresses CVE-2016-0133, a privately reported privilege escalation vulnerability in the Windows USB Mass Storage Class driver. CVE-2016-0133 manifests as a result of the USB Mass Storage Class driver failing to validate and handle objects in memory. In order for this vulnerability to be exploited, an attacker would need to have physical access to the system. An attacker could then insert a maliciously crafted USB device that exploits this vulnerability and execute arbitrary code in kernel mode.
MS16-034 addresses four privately reported privilege escalation vulnerabilities within Win32k. CVE-2016-0093 through CVE-2016-0096 all manifest as a result of the Kernel Mode Driver failing to properly handle objects in memory. Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in kernel mode. Note that for exploitation to be successful, an attacker would need to be authenticated and execute a specifically written application that exploits one of these flaws.
MS16-035 addresses CVE-2016-0132, a privately reported security feature bypass vulnerability in the .NET Framework. CVE-2016-0132 manifests as a failure to properly validate certain elements within a signed XML document. As a result, an attacker who exploits this vulnerability would be able to modify the contents of an XML file without invalidating the file’s signature.
Coverage
In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.
Snort Rules: 38061-38086, 38088-38101, 38106-38115, 38117-38120, 38122-38123