See the full blog post here: http://blog.shavlik.com/april-patch-tuesday-2016/
April’s Patch Tuesday is looking and sounding like a spring weather forecast. The forecast called for rain, but it turned out to be partly cloudy. There have been some mixed feelings about a newly announced vulnerability, or set of vulnerabilities as it were, in Samba.
Badlock is a vulnerability recently identified in Windows and Samba. There are eight CVEs related to Badlock, categorized as man-in-the-middle and denial-of-service attacks. The primary CVE is CVE-2016-2118. This is a multi-vendor problem, so two CVEs were opened, one to track the fix for each vendor.
6. News – Badlock
Badlock.org – Described a serious flaw in Samba that would also affect Windows. The CVEs were released yesterday and were a bit disappointing given the hype put out by SerNet.
The primary vulnerability (CVE-2016-2118) has a base CVSS of 7.1, which is high, but the vulnerability does not fit the profile of a vulnerability likely to be exploited.
CVE-2016-0128 is the only CVE relating to Windows (MS16-047). Some of the other CVEs talk about Windows, but in the context of older Windows OSs, and were issues resolved by config changes long ago.
7. News – LANDESK to acquire AppSense
Complementary features. On the security side, Application Whitelisting and Privilege Management complement the Shavlik solutions to complete the top preventative measures to protect your environment.
Australian Signals Directorate – Top 4 Mitigation Strategies: Application Whitelisting, Patch Applications, Patch Operating System, Minimize Administrative Privileges
SANS/CIS Critical Security Controls – Quick 5
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
8. Known Issues
MS16-039 – Bulletin states it is required on Server Core. Our test confirmed a failure to install, and a WSUS test confirmed the update was not even offered for Core. For Office 2010 the bulletin states it only applies to pre-Vista systems with Office 2010 installed.
MS16-038, MS16-046, MS16-049 – These three bulletins only apply to Windows 10. Shavlik Protect users, you will see this as CSWU-023 in product.
MS16-043 – Bulletin did not release.
9. CSWU-023: Cumulative update for Windows 10: April 12, 2016
Maximum Severity: Critical
Affected Products: Windows 10, Edge, Internet Explorer
Description: This update for Windows 10 includes functionality improvements and resolves the vulnerabilities in Windows that are described in the following Microsoft security bulletins and advisory: MS16-037, MS16-038, MS16-039, MS16-040, MS16-045, MS16-046, MS16-047, MS16-048, MS16-049, and MS16-050.
Impact: Remote Code Execution, Elevation of Privilege, Security Feature Bypass
Fixes 23 vulnerabilities:
CVE-2016-0154, CVE-2016-0159, CVE-2016-0160 (Disclosed), CVE-2016-0162, CVE-2016-0164, CVE-2016-0166, CVE-2016-0155, CVE-2016-0156, CVE-2016-0157, CVE-2016-0158, CVE-2016-0161, CVE-2016-0143, CVE-2016-0145, CVE-2016-0165, CVE-2016-0167, CVE-2016-0147, CVE-2016-0088, CVE-2016-0089, CVE-2016-0090, CVE-2016-0135, CVE-2016-0128, CVE-2016-0151, CVE-2016-0150
Restart Required: Requires Restart
10. MS16-037: Cumulative Security Update for Internet Explorer (3148531)
Maximum Severity: Critical
Affected Products: Internet Explorer
Description: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Impact: Remote Code Execution
Fixes 6 vulnerabilities:
CVE-2016-0154, CVE-2016-0159, CVE-2016-0160 (Disclosed), CVE-2016-0162, CVE-2016-0164, CVE-2016-0166
Restart Required: Requires Restart
11. MS16-038: Cumulative Security Update for Microsoft Edge (3148532)
Maximum Severity: Critical
Affected Products: Edge
Description: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.
Impact: Remote Code Execution
Fixes 6 vulnerabilities:
CVE-2016-0154, CVE-2016-0155, CVE-2016-0156, CVE-2016-0157, CVE-2016-0158, CVE-2016-0161
Restart Required: Requires Restart
12. MS16-039: Security Update for Microsoft Graphics Component (3148522)
Maximum Severity: Critical
Affected Products: Windows, .Net, Office, Skype, Lync
Description: This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts.
Impact: Remote Code Execution
Fixes 4 vulnerabilities:
CVE-2016-0143, CVE-2016-0145, CVE-2016-0165 (Exploited), CVE-2016-0167 (Exploited)
Restart Required: Requires Restart
13. MS16-040: Security Update for Microsoft XML Core Services (3148541)
Maximum Severity: Critical
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user clicks a specially crafted link that could allow an attacker to run malicious code remotely to take control of the user’s system. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.
Impact: Remote Code Execution
Fixes 1 vulnerability:
CVE-2016-0147
Restart Required: May Require Restart
14. MS16-041: Security Update for .NET Framework (3148789)
Maximum Severity: Important
Affected Products: Windows, .Net
Description: This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application.
Impact: Remote Code Execution
Fixes 1 vulnerability:
CVE-2016-0148 (Disclosed)
Restart Required: May Require Restart
15. MS16-042: Security Update for Microsoft Office (3148775)
Maximum Severity: Critical
Affected Products: Office, Sharepoint
Description: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 4 vulnerabilities:
CVE-2016-0122, CVE-2016-0127, CVE-2016-0136, CVE-2016-0139
Restart Required: May Require Restart
16. MS16-046: Security Update for Secondary Logon (3148538)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator.
Impact: Elevation of Privilege
Fixes 1 vulnerability:
CVE-2016-0135 (Disclosed)
Restart Required: Requires Restart
17. MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack. An attacker could then force a downgrade of the authentication level of the SAM and LSAD channels and impersonate an authenticated user.
Impact: Elevation of Privilege
Fixes 1 vulnerability:
CVE-2016-0128 (Disclosed)
Restart Required: Requires Restart
18. MS16-050: Security Update for Adobe Flash Player (3154132)
Maximum Severity: Critical
Affected Products: Windows, Adobe Flash Player
Description: This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
Impact: Remote Code Execution
Fixes 24 vulnerabilities:
CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019 (Exploited), CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033
Restart Required: Requires Restart
19. APSB16-10: Security updates available for Adobe Flash Player
Maximum Severity: Critical
Affected Products: Adobe Flash Player, Adobe AIR
• Description: Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
• Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier. Please refer to APSA16-01 for details.
Impact: Remote Code Execution
Fixes 24 vulnerabilities:
CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019 (Exploited), CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033
Restart Required: Requires Restart
20. JAVA8u79: Oracle Quarterly CPU coming next week, April 19th
Maximum Severity: Critical
Affected Products: Java Runtime
• Description:
Impact:
Fixes x vulnerabilities:
Restart Required: Restart Required
21. MS16-044: Security Update for Windows OLE (3146706)
Maximum Severity: Important
Affected Products: Microsoft Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.
Impact: Remote Code Execution
Fixes 1 vulnerability:
CVE-2016-0153
Restart Required: Requires Restart
22. MS16-045: Security Update for Windows Hyper-V (3143118)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.
Impact: Remote Code Execution
Fixes 3 vulnerabilities:
CVE-2016-0088, CVE-2016-0089, CVE-2016-0090
Restart Required: Requires Restart
23. MS16-048: Security Update for CSRSS (3148528)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker logs on to a target system and runs a specially crafted application.
Impact: Security Feature Bypass
Fixes 1 vulnerability:
CVE-2016-0151
Restart Required: Requires Restart
24. MS16-049: Security Update for HTTP.sys (3148795)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to a target system.
Impact: Denial of Service
Fixes 1 vulnerability:
CVE-2016-0150
Restart Required: Requires Restart
26. Why should you attend?
• Great Value:
  • Two days of hands-on and deep-dive product sessions for less than one day of consulting services
  • Interaction with Shavlik Product Managers and Systems Engineers
  • Earlybird rate of $795
• And, of course, because it's Vegas, baby!
• For details see: http://www.shavlik.com/tech-summit/
27. Resources and Webinars
Get Shavlik Content Updates
Get Social with Shavlik
Sign up for next month's Patch Tuesday Webinar
Watch previous webinars and download presentations.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
Ensure that your Internet Explorer version is the latest available for the OS it is installed on. Since January 2016, Microsoft only updates the latest IE version for each supported OS. For details please see: https://support.microsoft.com/en-us/lifecycle#gp/Microsoft-Internet-Explorer
User targeted vulnerabilities – Least Privilege Mitigates Impact (4 of 6)
Multiple Internet Explorer Memory Corruption Vulnerabilities
Multiple remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
An attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-generated content or advertisements, by adding specially crafted content that could exploit the vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by an enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email.
An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerabilities by modifying how Internet Explorer handles objects in memory.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
User targeted vulnerabilities – Least Privilege Mitigates Impact (5 of 6)
Multiple Microsoft Edge Memory Corruption Vulnerabilities
Multiple remote code execution vulnerabilities exist when Microsoft Edge improperly accesses objects in memory. The vulnerabilities could corrupt memory that enables an attacker to execute arbitrary code in the context of the current user.
An attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email.
An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerabilities by modifying how Microsoft Edge handles objects in memory.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
User targeted vulnerabilities
Multiple Win32k Elevation of Privilege Vulnerabilities
Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerabilities, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerabilities and take control of an affected system. The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.
Graphics Memory Corruption Vulnerability – CVE-2016-0145
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.
There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded fonts. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
User targeted vulnerabilities
MSXML 3.0 Remote Code Execution Vulnerability - CVE-2016-0147
A remote code execution vulnerability exists when the Microsoft XML Core Services (MSXML) parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user’s system.
To exploit the vulnerability, an attacker could host a specially-crafted website that is designed to invoke MSXML through Internet Explorer. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or a link in an Instant Messenger request that would then take the user to the website. When Internet Explorer parses the XML content, an attacker could run malicious code remotely to take control of the user’s system. The update addresses the vulnerability by correcting how the MSXML parser processes user input.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
Least Privilege Mitigates Impact
.NET Framework Remote Code Execution Vulnerability - CVE-2016-0148
A remote code execution vulnerability exists when Microsoft .NET Framework fails to properly validate input before loading libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerability, an attacker would first need to access the local system with the ability to execute a malicious application. The security update addresses the vulnerability by correcting how .NET validates input on library load.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
Least Privilege Mitigates Impact (4 of 4)
Multiple Microsoft Office Memory Corruption Vulnerabilities
Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Exploitation of the vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. Note that where the severity is indicated as Critical in the Affected Software and Vulnerability Severity Ratings table, the Preview Pane is an attack vector for CVE-2016-0127. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file. The security update addresses the vulnerabilities by correcting how Office handles objects in memory.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
Secondary Logon Elevation of Privilege Vulnerability - CVE-2016-0135
An elevation of privilege vulnerability exists in Microsoft Windows when the Windows Secondary Logon Service fails to properly manage requests in memory. An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker must first log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how the Windows Secondary Logon Service handles requests in memory.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
https://isc.sans.edu/diary/BadLock+Vulnerability+%28CVE-2016-2118%29/20933
What to tell your Boss/Spouse/Parent
Due to the hype associated with this vulnerability, you will likely get a lot of questions about it. Overall, nothing fundamentally changed:
• Patch as you get to it, but no reason to rush this one
• Do not use SMB over networks you don't trust
• Firewall SMB inbound and outbound
• If you need to connect to remote file shares, do so over a VPN.
Windows SAM and LSAD Downgrade Vulnerability - CVE-2016-0128
An elevation of privilege vulnerability exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols when they accept authentication levels that do not protect them adequately. The vulnerability is caused by the way the SAM and LSAD remote protocols establish the Remote Procedure Call (RPC) channel. An attacker who successfully exploited this vulnerability could gain access to the SAM database.
To exploit the vulnerability, an attacker could launch a man-in-the-middle (MiTM) attack, force a downgrade of the authentication level of the SAM and LSAD channels, and then impersonate an authenticated user. The security update addresses the vulnerability by modifying how the SAM and LSAD remote protocols handle authentication levels.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
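The ISC advice quoted above and the MS16-047 notes reduce to two checks on a Windows host: is the patch installed, and if not, is SMB firewalled in both directions. The PowerShell below is an added example, not code from the Shavlik deck or the SANS diary: it tests for KB3148527 (the MS16-047 package number given in the bulletin above) and, while the patch is missing, creates the inbound and outbound SMB block rules the diary recommends. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (NetSecurity module) on a down-level OS; on Windows 10 the fix ships in the cumulative update (CSWU-023), so the KB check does not apply there. Function and rule names are this example's own.

```powershell
# Added example, not from the Shavlik deck: verify MS16-047 and, while it is
# missing, firewall SMB inbound and outbound as the ISC diary advises.
# Assumes an elevated PowerShell session with the NetSecurity module
# (Windows 8.1 / Server 2012 R2 and later). Rule and function names are
# this example's own choice.

$Kb         = 'KB3148527'            # MS16-047 package number, from the bulletin
$SmbPorts   = @(445, 139)            # SMB direct-host and NetBIOS session ports
$RulePrefix = 'Badlock-Mitigation'   # hypothetical naming for the temporary rules

function Test-MS16047Installed {
    # Get-HotFix reads Win32_QuickFixEngineering, which lists updates installed
    # through Windows Update or WUSA. Not meaningful on Windows 10, where the
    # fix arrives inside the cumulative update (CSWU-023) rather than this KB.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Add-SmbBlockRules {
    # Inbound SMB arrives on the local ports; outbound SMB leaves from an
    # ephemeral port towards remote 445/139, so the port filter differs.
    $specs = @(
        @{ Direction = 'Inbound';  Ports = @{ LocalPort  = $SmbPorts } },
        @{ Direction = 'Outbound'; Ports = @{ RemotePort = $SmbPorts } }
    )
    foreach ($s in $specs) {
        $name = "$RulePrefix-SMB-$($s.Direction)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$name' already exists, skipping"
            continue
        }
        # Scoped to the Public and Private profiles so a domain-joined machine on
        # the corporate network (Domain profile) keeps SYSVOL and file-share
        # access; use -Profile Any on hosts that never need SMB at all.
        $ports = $s.Ports
        New-NetFirewallRule -DisplayName $name -Direction $s.Direction `
            -Protocol TCP -Action Block -Profile @('Public', 'Private') @ports | Out-Null
    }
}

function Remove-SmbBlockRules {
    # Clean-up once the patch is confirmed installed.
    Get-NetFirewallRule -DisplayName "$RulePrefix-SMB-*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Invoke-BadlockCheck {
    [CmdletBinding()]
    param([switch]$ApplyFirewallRules)

    if (Test-MS16047Installed) {
        Write-Output "$Kb present: MS16-047 is installed; temporary SMB rules can be removed."
        return $true
    }
    Write-Warning "$Kb not found. Patch as you get to it; until then restrict SMB."
    if ($ApplyFirewallRules) { Add-SmbBlockRules }
    return $false
}

# Usage: report only, or apply the temporary rules while the patch is pending.
Invoke-BadlockCheck
# Invoke-BadlockCheck -ApplyFirewallRules
```

Run `Remove-SmbBlockRules` after the patch is confirmed, since the outbound rule also stops this host from reaching any file share on the selected profiles.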
To fully patch Flash Player you need to update the Player and plug-ins in all browsers. This could mean four updates: Flash, Flash for IE, Flash for Firefox, and Chrome.
https://helpx.adobe.com/security/products/flash-player/apsb16-10.html
https://helpx.adobe.com/security/products/flash-player/apsa16-01.html
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
To fully patch Flash Player you need to update the Player and plug-ins in all browsers. This could mean four updates: Flash, Flash for IE, Flash for Firefox, and Chrome.
https://helpx.adobe.com/security/products/flash-player/apsb16-10.html
https://helpx.adobe.com/security/products/flash-player/apsa16-01.html
Added AIR on April 12: http://blogs.adobe.com/psirt/?p=1334
Shavlik Priority:
Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
User targeted vulnerabilities
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing.
User Targeted Vulnerability
Windows OLE Remote Code Execution Vulnerability - CVE-2016-0153
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input. An attacker could exploit the vulnerability to execute malicious code.
To exploit the vulnerability, an attacker would have to convince a user to open either a specially crafted file or a program from either a webpage or an email message. The update addresses the vulnerability by correcting how Windows OLE validates user input.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing.
Hyper-V Remote Code Execution Vulnerability – CVE-2016-0088
A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.
An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system. The security update addresses the vulnerability by correcting how Hyper-V validates guest operating system user input.
Multiple Hyper-V Information Disclosure Vulnerabilities
Information disclosure vulnerabilities exist when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerabilities, an attacker on a guest operating system could run a specially crafted application that could cause the Hyper-V host operating system to disclose memory information. Customers who have not enabled the Hyper-V role are not affected.
An attacker who successfully exploited the vulnerabilities could gain access to information on the Hyper-V host operating system. The security update addresses the vulnerabilities by correcting how Hyper-V validates guest operating system user input.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing.
Windows CSRSS Security Feature Bypass Vulnerability - CVE-2016-0151
A security feature bypass vulnerability exists in Microsoft Windows when the Client-Server Run-time Subsystem (CSRSS) fails to properly manage process tokens in memory.
An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows manages process tokens in memory.
Shavlik Priority:
Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing.
HTTP.sys Denial of Service Vulnerability - CVE-2016-0150
A denial of service vulnerability exists in the HTTP 2.0 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP 2.0 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive.
To exploit this vulnerability, an attacker could send a specially crafted HTTP packet to a target system, causing the affected system to become nonresponsive. The update addresses the vulnerability by modifying how the Windows HTTP protocol stack handles HTTP 2.0 requests. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate user rights.
Use registration code “Int2016Shavlik”
Sign up for Content Announcements:
Email http://www.shavlik.com/support/xmlsubscribe/
RSS http://protect7.shavlik.com/feed/
Twitter @ShavlikXML
Follow us on:
Shavlik on LinkedIn
Twitter @ShavlikProtect
Shavlik blog -> www.shavlik.com/blog
Chris Goettl on LinkedIn
Twitter @ChrisGoettl
Sign up for webinars or download presentations and watch playbacks:
http://www.shavlik.com/webinars/