My next class:

Microsoft February 2016 Patch Tuesday

Published: 2016-02-09. Last Updated: 2016-02-09 18:17:13 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

Overview of the February 2016 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*)
clients servers
MS16-009 Cumulative Security Update for Internet Explorer (Replaces MS16-001 )

Internet Explorer
CVE-2016-0041CVE-2016-0059CVE-2016-0060
CVE-2016-0061CVE-2016-0062CVE-2016-0063
CVE-2016-0064CVE-2016-0067CVE-2016-0068
CVE-2016-0069CVE-2016-0071CVE-2016-0072
CVE-2016-0077

KB 3134220 no. Severity:Critical
Exploitability: 1,2,1,1,1,1,1,1,1,3,4,1,3
Critical Critical
MS16-010 MS16-010 was published as part of the January update. (Security Update in Microsoft Exchange Server to Address Spoofing (3124557))
MS16-011 Cumulative Security Update for Microsoft Edge (Replaces KB3124266 )
Microsoft Edge
CVE-2016-0060CVE-2016-0061CVE-2016-0062
CVE-2016-0077CVE-2016-0080CVE-2016-0084
KB 3134225 no. Severity:Critical
Exploitability: 1,1,1,3,1,1
Critical Critical
MS16-012 Remote Code Execution in PDF Library
Microsoft Windows PDF Library
CVE-2016-0058
CVE-2016-0046
KB 3138938 no. Severity:Critical
Exploitability: 2,1
Critical Critical
MS16-013 Remote Code Execution in Windows Journal (Replaces MS15-114 )
Windows Journal
CVE-2016-0038
KB 3134811 no. Severity:Critical
Exploitability: 2
Critical Critical
MS16-014 Remote Code Execution in Microsoft Windows (Replaces MS16-007 )
DLL Loading / Kerberos
CVE-2016-0040
CVE-2016-0041
CVE-2016-0042
CVE-2016-0044
CVE-2016-0049
KB 3134228 no. Severity:Important
Exploitability: 2,2,1,3,2
Critical Important
MS16-015 Remote Code Execution in Microsoft Office (Replaces MS16-004 )
Microsoft Office
CVE-2016-0022
CVE-2016-0052
CVE-2016-0053
CVE-2016-0054
CVE-2016-0055
CVE-2016-0056
KB 3134226 no. Severity:Critical
Exploitability: 1,3,1,1,1,1,1
Critical Important
MS16-016 Elevation of Privilege Vulnerability in WebDAV (Replaces MS16-004 )
WebDAV
CVE-2016-0051
KB 3136041 no. Severity:Important
Exploitability: 2
Important Important
MS16-017 Elevation of Privilege in Remote Desktop Display Driver (Replaces MS15-067 MS15-030 )
Remote Desktop
CVE-2016-0036
KB 3134700 no. Severity:Important
Exploitability: 2
Important Important
MS16-018 Elevation of Privilege Vulnerability in Kernel Mode Drivers (Replaces MS16-005 )
Kernel Mode Drivers
CVE-2016-0048
KB 3136082 no. Severity:Important
Exploitability: 1
Important Important
MS16-019 Denial of Service in .Net Framework (Replaces MS12-025 )
.Net Framework
CVE-2016-0033
CVE-2016-0047
KB 3137893 no. Severity:Important
Exploitability: 3,2
Important Important
MS16-020 Denial of Service Vulnerability in Active Directory Federation Service (Replaces MS12-040 )
Active Directory Federation Serivce
CVE-2016-0037
KB 3134222 no. Severity:Important
Exploitability: 3
Important Important
MS16-021 Denial of Service Vulnerability in NPS RADIUS Server (Replaces MS15-007 )
Network Policy Server
CVE-2016-0050
KB 3133043 no. Severity:Important
Exploitability: 3
Important Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

       

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

7 comment(s)
My next class:

Comments

PoC for the MS16-016 (CVE-2016-0051) https://github.com/koczkatamas/CVE-2016-0051
Quick note: MS has decided to list out the Adobe Flash updates as a separate security release.

Instead of being buried under KB2755801 then getting another KB from there, it's now listed as part of patch Tuesday, this month: MS16-022
You seem to have missed MS16-022
http://technet.microsoft.com/library/security/ms16-022
(about Adobe Flash)
MS16-014 supersedes both MS16-007 and MS16-008
I have a question: if someone has a 2008 R2 server that still has IE8 and IE8 is *not* being used for browsing the Internet, is it still critical for security reasons to get that system to IE11? Is it still vulnerable? Any references would be welcome.
[quote=comment#36359]I have a question: if someone has a 2008 R2 server that still has IE8 and IE8 is *not* being used for browsing the Internet, is it still critical for security reasons to get that system to IE11? Is it still vulnerable? Any references would be welcome.[/quote]

MSHTML.DLL (and other parts of IE) are used by quite some Windows components (and 3rd party applications too): the most prominent example is Windows HTML help.
All these components and 3rd party applications can be (ab)used to exploit the unfixed vulnerabilities in MSHTML.DLL and the other parts of IE<11.
So: YES, it's critical!
MS16-016 does not replace MS16-004, must be a copy-paste error from the previous row (MS16-015).

My MS16-016 is a built-in Windows kernel driver while MS16-004 is an Office vulnerability.

Diary Archives