Microsoft Patch Tuesday Summary for April 2016

Published: 2016-04-12
Last Updated: 2016-04-13 01:27:54 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

Among today's Patches, here is my personal "patch ranking" by order of urgency:

  1. MS16-050: This is essentially Friday's out of band Adobe Flash patch. Adobe stated that it is already used to spread ransom ware. So don't wait on this one.
  2. MS16-039: Exploits are available for two of the vulnerabilities, and it is "no user interaction arbitrary code execution". This is the second one you should patch fast.
  3. MS16-037/38: This time, the Internet Explorer patch only fixes 6 vulnerabilities. But still, due to the large attack surface, browser vulnerabilities always need to be taken seriously.
  4. MS16-042: Code execution without user interaction in MSFT office will always find someone to write an exploit.
  5. MS16-040:  Another large attack surface (XML Core Services) vulnerability. Exploitability is only rated as "2" however.
  6. MS16-041: This one is a bit tricky to pin down, but I rate it right after the XML Core Services due to the large attack surface (and a bit lower as it requires user interaction)
  7. MS16-044: Wasn't sure if I should rate this above '41' or not. I rated it lower in the end as it does require user interaction.
  8. MS16-045: Only affects HyperV and the attacker needs to already have some access

No strong preferences on the rest. Did anybody else notice that MS14-043 is missing? 

Full patch summary:

If you don't like the layout, here is the API to make your own:

(or if you prefer json )

Johannes B. Ullrich, Ph.D.

5 comment(s)


PLEASE go back to the old version of the patch Tuesday report. That was very much easier to read, and incorporate into my own reports. And why change the 'Replaces MS99-001' field with the KB number? If you want to show this, why not add it rather than replace?
MS16-047 patches Badlock, so I'd bump that to #2 or 3 on the significance list.

'The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "Windows SAM and LSAD Downgrade Vulnerability" or "BADLOCK."'
[quote]Did anybody else notice that MS14-043 is missing?[/quote]
Really? MS14-043 was published two years ago.-P

Did anybody notice that MS16-045 was originally scheduled for the March 2016 patchday but didn't make it then?

Why is M16-049 rated as N/A on client side and Important on Server, if the only affected OS is Windows 10?

Shouldn't it be the opposite? Important on client and N/A on Server?
KB3148812 update, a non-security update released last week, cause problems:

"Until further notice, if you have not already installed this update, do not install KB3148812"

Diary Archives