Microsoft Patch Tuesday Summary for April 2016

Published: 2016-04-12
Last Updated: 2016-04-13 01:27:54 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

Among today's Patches, here is my personal "patch ranking" by order of urgency:

  1. MS16-050: This is essentially Friday's out of band Adobe Flash patch. Adobe stated that it is already used to spread ransom ware. So don't wait on this one.
  2. MS16-039: Exploits are available for two of the vulnerabilities, and it is "no user interaction arbitrary code execution". This is the second one you should patch fast.
  3. MS16-037/38: This time, the Internet Explorer patch only fixes 6 vulnerabilities. But still, due to the large attack surface, browser vulnerabilities always need to be taken seriously.
  4. MS16-042: Code execution without user interaction in MSFT office will always find someone to write an exploit.
  5. MS16-040:  Another large attack surface (XML Core Services) vulnerability. Exploitability is only rated as "2" however.
  6. MS16-041: This one is a bit tricky to pin down, but I rate it right after the XML Core Services due to the large attack surface (and a bit lower as it requires user interaction)
  7. MS16-044: Wasn't sure if I should rate this above '41' or not. I rated it lower in the end as it does require user interaction.
  8. MS16-045: Only affects HyperV and the attacker needs to already have some access

No strong preferences on the rest. Did anybody else notice that MS14-043 is missing? 

Full patch summary: https://isc.sans.edu/mspatchdays.html?viewday=2016-04-12

If you don't like the layout, here is the API to make your own: https://isc.sans.edu/api/getmspatchday/2016-04-12

(or if you prefer json https://isc.sans.edu/api/getmspatchday/2016-04-12?json )

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
5 comment(s)
Diary Archives