
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-04-12



Microsoft Patch Tuesday Summary for April 2016

Published: 2016-04-12
Last Updated: 2016-04-13 01:27:54 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

Among today's patches, here is my personal "patch ranking", in order of urgency:

  1. MS16-050: This is essentially Friday's out-of-band Adobe Flash patch. Adobe stated that the vulnerability is already being used to spread ransomware, so don't wait on this one.
  2. MS16-039: Exploits are available for two of the vulnerabilities, and they allow arbitrary code execution without user interaction. This is the second one you should patch fast.
  3. MS16-037/38: This time the Internet Explorer patch (MS16-038 is the matching Edge bulletin) only fixes six vulnerabilities. Still, due to the large attack surface, browser vulnerabilities always need to be taken seriously.
  4. MS16-042: Code execution without user interaction in Microsoft Office will always find someone to write an exploit.
  5. MS16-040: Another large-attack-surface (XML Core Services) vulnerability. Exploitability is only rated as "2", however.
  6. MS16-041: This one is a bit tricky to pin down, but I rate it right after XML Core Services due to the large attack surface, and a bit lower because it requires user interaction.
  7. MS16-044: I wasn't sure whether to rate this above MS16-041. In the end I rated it lower because it, too, requires user interaction.
  8. MS16-045: Only affects Hyper-V, and the attacker needs to already have some access to the system.

No strong preferences on the rest. Did anybody else notice that MS16-043 is missing?

Full patch summary: https://isc.sans.edu/mspatchdays.html?viewday=2016-04-12

If you don't like the layout, here is the API to build your own: https://isc.sans.edu/api/getmspatchday/2016-04-12

(or, if you prefer JSON, https://isc.sans.edu/api/getmspatchday/2016-04-12?json )
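The ranking above is really a scoring rule applied by hand: known exploitation first, then public exploits, then code execution that needs no user interaction, then attack surface, with user interaction and "attacker already has access" pushing a bulletin down. The following is an added example (not ISC code and not the ISC API's output format) that encodes that rule so it can be run over a bulletin list such as the one the API returns. The records are constructed from the facts stated in the diary; the attack-surface sizes, the weights and the field names are this example's own assumptions, so map the real API fields onto them before feeding it live data.

```python
"""Rank Patch Tuesday bulletins by urgency, the way the diary does by hand.

Added example; not ISC code. Records are constructed from the diary's
statements (what is exploited, what needs user interaction, ...); the
attack-surface sizes, weights and field names are this example's assumptions,
not the ISC getmspatchday API's schema.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Bulletin:
    id: str
    component: str
    exploited_in_wild: bool = False       # attacks already observed
    public_exploit: bool = False          # exploit code is circulating
    code_execution: bool = True           # RCE/EoP rather than DoS or info leak
    user_interaction: bool = False        # victim must open or click something
    prior_access: bool = False            # attacker must already be on the box
    attack_surface: int = 1               # assumed scale: 1 narrow .. 3 browser-sized
    exploitability: Optional[int] = None  # Microsoft Exploitability Index, if known


# Weights are assumptions chosen to reproduce the diary's ordering.
W_EXPLOITED = 100
W_PUBLIC_EXPLOIT = 50
W_RCE_NO_INTERACTION = 20
W_PER_SURFACE_POINT = 10
W_USER_INTERACTION = -5
W_PRIOR_ACCESS = -25
EXPLOITABILITY_ADJ = {1: 15, 2: -15, 3: -30}  # index 1 = "exploitation more likely"


def urgency(b: Bulletin) -> int:
    """Higher score = patch sooner."""
    score = 0
    if b.exploited_in_wild:
        score += W_EXPLOITED
    if b.public_exploit:
        score += W_PUBLIC_EXPLOIT
    if b.code_execution and not b.user_interaction:
        score += W_RCE_NO_INTERACTION
    score += W_PER_SURFACE_POINT * b.attack_surface
    if b.user_interaction:
        score += W_USER_INTERACTION
    if b.prior_access:
        score += W_PRIOR_ACCESS
    if b.exploitability is not None:
        score += EXPLOITABILITY_ADJ.get(b.exploitability, 0)
    return score


def rank(bulletins: List[Bulletin]) -> List[Tuple[str, int]]:
    """Most urgent first; ties broken by bulletin id so the output is stable."""
    scored = [(b.id, urgency(b)) for b in bulletins]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Constructed from the diary's statements; attack_surface values are assumptions.
APRIL_2016 = [
    Bulletin("MS16-050", "Adobe Flash (IE/Edge)", exploited_in_wild=True,
             public_exploit=True, attack_surface=3),
    Bulletin("MS16-039", "Graphics component", public_exploit=True, attack_surface=2),
    Bulletin("MS16-037", "Internet Explorer", attack_surface=3),
    Bulletin("MS16-038", "Edge", attack_surface=3),
    Bulletin("MS16-042", "Office", attack_surface=2),
    Bulletin("MS16-040", "XML Core Services", attack_surface=3, exploitability=2),
    Bulletin("MS16-041", ".NET Framework", user_interaction=True, attack_surface=3),
    Bulletin("MS16-044", "Windows OLE", user_interaction=True, attack_surface=2),
    Bulletin("MS16-045", "Hyper-V", prior_access=True, attack_surface=1),
]

if __name__ == "__main__":
    for bulletin_id, score in rank(APRIL_2016):
        print(f"{bulletin_id}  {score:4d}")
```

The point of writing the rule down is not the particular weights, which you should tune to your own environment, but that the same rule is applied to every bulletin every month, so a change in ranking reflects a change in the bulletins rather than in who did the triage that day.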

---
Johannes B. Ullrich, Ph.D.


BadLock Vulnerability (CVE-2016-2118)

Published: 2016-04-12
Last Updated: 2016-04-12 17:20:11 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Today, Microsoft and the Samba team jointly released a fix for CVE-2016-2118, a vulnerability also known as "BadLock" (on the Windows side the corresponding bulletin is MS16-047). While a man-in-the-middle and DoS vulnerability may not be quite the type of vulnerability everybody was waiting for, it should still be taken seriously and patched.

You are of course most at risk if you allow SMB traffic over untrusted networks, which has always been a bad idea. Exploiting a man-in-the-middle vulnerability requires that the attacker is able to intercept the traffic; carrying the SMB session inside a VPN takes that ability away from an attacker on the untrusted network (it does not help against an attacker who is already inside the network the VPN terminates in).

What to tell your Boss/Spouse/Parent

Due to the hype associated with this vulnerability, you will likely get a lot of questions about it. Overall, nothing fundamentally changed:

  • Patch as you get to it, but there is no reason to rush this one.
  • Do not use SMB over networks you don't trust.
  • Firewall SMB inbound and outbound (TCP 445 and 139; UDP 137 and 138 for NetBIOS).
  • If you need to connect to remote file shares, do so over a VPN.
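The second and third points are easy to state and easy to verify: any SMB session with an endpoint outside your trusted address space is exactly the traffic a man-in-the-middle bug like this one needs. As an added example (not part of the diary), here is a check that reads connection records and flags SMB or NetBIOS traffic crossing the trusted boundary, inbound or outbound. The log lines are constructed for this example; their columns follow the order of a Zeek conn.log (ts, originator host/port, responder host/port, proto), but a real conn.log has a header block and more columns, so adapt parse_conn_log() to your source. The trusted prefixes are an assumption; replace them with your own address plan.

```python
"""Flag SMB/NetBIOS sessions that cross into or out of the trusted network.

Added example, not part of the diary. Implements the advice "do not use SMB
over networks you don't trust; firewall SMB inbound and outbound" as a check
over connection records. SAMPLE_CONN_LOG is constructed; TRUSTED_NETS is an
assumed address plan.
"""
import ipaddress
from typing import Dict, List

SMB_TCP_PORTS = {445, 139}      # direct-hosted SMB and NetBIOS session service
NETBIOS_UDP_PORTS = {137, 138}  # NetBIOS name and datagram services

# Assumed trusted address space (RFC 1918); replace with your own prefixes.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, tab-separated: ts, orig_h, orig_p, resp_h, resp_p, proto
SAMPLE_CONN_LOG = """\
1460462401.000\t10.0.0.5\t49200\t10.0.0.20\t445\ttcp
1460462402.000\t10.0.0.7\t49201\t203.0.113.10\t445\ttcp
1460462403.000\t198.51.100.4\t51000\t10.0.0.20\t445\ttcp
1460462404.000\t10.0.0.7\t53211\t10.0.0.1\t53\tudp
1460462405.000\t10.0.0.9\t49202\t192.0.2.8\t139\ttcp
1460462406.000\t10.0.0.9\t137\t192.0.2.8\t137\tudp
"""


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def parse_conn_log(text: str) -> List[Dict]:
    """Parse the minimal six-column record used here; skip comments and blanks."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, oh, op, rh, rp, proto = line.split("\t")[:6]
        rows.append({"ts": ts, "orig_h": oh, "orig_p": int(op),
                     "resp_h": rh, "resp_p": int(rp), "proto": proto})
    return rows


def is_smb(row: Dict) -> bool:
    """SMB is identified by the responder (server) port, per transport."""
    if row["proto"] == "tcp":
        return row["resp_p"] in SMB_TCP_PORTS
    if row["proto"] == "udp":
        return row["resp_p"] in NETBIOS_UDP_PORTS
    return False


def find_smb_crossings(text: str) -> List[Dict]:
    """Return every SMB/NetBIOS record with at least one untrusted endpoint."""
    findings = []
    for row in parse_conn_log(text):
        if not is_smb(row):
            continue
        src_trusted = is_trusted(row["orig_h"])
        dst_trusted = is_trusted(row["resp_h"])
        if src_trusted and dst_trusted:
            continue  # stays inside the trusted network: allowed
        if src_trusted:
            direction = "outbound"   # internal client reaching an external share
        elif dst_trusted:
            direction = "inbound"    # external host reaching an internal server
        else:
            direction = "external"   # neither side is ours; still SMB in the clear
        findings.append({"ts": row["ts"], "direction": direction,
                         "src": row["orig_h"], "dst": row["resp_h"],
                         "port": row["resp_p"], "proto": row["proto"]})
    return findings


if __name__ == "__main__":
    for f in find_smb_crossings(SAMPLE_CONN_LOG):
        print(f"{f['direction']:8s} {f['src']} -> {f['dst']}:{f['port']}/{f['proto']}")
```

Outbound hits deserve as much attention as inbound ones: a workstation that initiates SMB to an internet host is the classic way credentials end up in an attacker's hands, and it is exactly the session an on-path attacker would tamper with. If a VPN is in use, the records for tunneled sessions should show only trusted endpoints, so the check also confirms that the VPN advice is being followed.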

---
Johannes B. Ullrich, Ph.D.

ISC Stormcast For Tuesday, April 12th 2016 http://isc.sans.edu/podcastdetail.html?id=4949