
SANS ISC: March 2016 Microsoft Patch Tuesday - SANS Internet Storm Center SANS ISC InfoSec Forums


March 2016 Microsoft Patch Tuesday

https://isc.sans.edu/mspatchdays.html?viewday=2016-03-08

-- 
Alex Stanford - GIAC GWEB & GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford

Alex Stanford

136 Posts
Typo in the summary table? MS16-029 summary lists CVE-2016-0021 three times, with two different severities.
Jaybone

27 Posts
Quoting Jaybone: Typo in the summary table? MS16-029 summary lists CVE-2016-0021 three times, with two different severities.

Thank you for pointing that out. We'll have it corrected shortly.
Alex Stanford

136 Posts
Hi Alex,
I had always used the previous format which Dr. J did, where everything was listed in one table rather than 26 different table blocks. That makes it quite difficult to copy it into Excel and then put comments against each one of them. Could we get it into the previous format?
Thanks
Jo
joberoi

2 Posts
Does MS16-033 (CVE-2016-0133) require logon rights AND physical access to the USB port, or just physical access? Going from "elevation of privilege", I assume the former?
akl168

1 Posts
I like the new layout.
MD

11 Posts
I have a question regarding the MS16-024 update for Microsoft Edge: what's the reason for the rating for servers being high? Is there any possibility that Edge may also affect servers? Because as far as I know, Edge doesn't exist on servers yet. Thanks
MD
2 Posts
Hi - I agree with Jo that the old format table was much better - just a couple of pages full. Easier to read and take in.
Another item is the 'Replaces' field. Before, it showed the MS bulletin number, e.g. "Cumulative Security Update for Internet Explorer (Replaces MS16-001)". Now it only shows the KB number. Again, the older format was better. If you want to show the KB number, then why not add this rather than replace the MS bulletin?
Anonymous
Same here unfortunately, good thing I didn't get to invest time writing a parser for the previous format after all. Could we get an idea of how long this one is staying for?
Needless to say that if there was a choice, I would definitely go for the previous one.
Aris

1 Posts
I appreciate the work to try new ways of presenting the information - in this case, I have to say I miss the old layout - it just seemed easier to view and quickly assess all the pertinent information.
izgoi

2 Posts
I also like the new format. I find it easier to read. Wish you would add whether it applies to servers or clients, like you used to do.
PW

63 Posts
I agree. The old format was much better. Please consider going back to it.
LeadSlinger

1 Posts
Quoting joberoi: Hi Alex,
I had always used the previous format which Dr. J did, where everything was listed in one table rather than 26 different table blocks. That makes it quite difficult to copy it into Excel and then put comments against each one of them. Could we get it into the previous format?
Thanks
Jo
Quoting Aris: Same here unfortunately, good thing I didn't get to invest time writing a parser for the previous format after all. Could we get an idea of how long this one is staying for?
Needless to say that if there was a choice, I would definitely go for the previous one.

This new system makes it possible to build solutions which would likely help your cases, such as an API call which is more easily parseable, multiple formats, an index of past patch Tuesdays, or even historical data. Thank you both very much for supporting the SANS Internet Storm Center!
Alex Stanford

136 Posts
Quoting Anonymous: Hi - I agree with Jo that the old format table was much better - just a couple of pages full. Easier to read and take in.
Another item is the 'Replaces' field. Before, it showed the MS bulletin number, e.g. "Cumulative Security Update for Internet Explorer (Replaces MS16-001)". Now it only shows the KB number. Again, the older format was better. If you want to show the KB number, then why not add this rather than replace the MS bulletin?

In fact, this new system supports either a KB or MS # in the Replaces column and we simply populate it with what we get from Microsoft, which seems to change randomly. Lately they have been providing KB #s. Thank you for supporting the SANS Internet Storm Center!
Alex Stanford

136 Posts
Quoting PW: I also like the new format. I find it easier to read. Wish you would add whether it applies to servers or clients, like you used to do.

The client and server ratings should still be there. Thank you so much for supporting the SANS Internet Storm Center!
Alex Stanford

136 Posts
Quoting Anonymous: I have a question regarding the MS16-024 update for Microsoft Edge: what's the reason for the rating for servers being high? Is there any possibility that Edge may also affect servers? Because as far as I know, Edge doesn't exist on servers yet. Thanks

This is just an oversight on my part. N/A assignments for server or client ratings will return on the next patch Tuesday if we don't update this one. Thank you for pointing that out and for supporting the SANS Internet Storm Center!
Alex Stanford

136 Posts
Quoting akl168: Does MS16-033 (CVE-2016-0133) require logon rights AND physical access to the USB port, or just physical access? Going from "elevation of privilege", I assume the former?


Sorry that I can't answer your question, but I would like to tag onto the subject: is it possible this patch had a negative effect on some systems? Last night after my system did its reboot, assuming all the security updates were applied, my USB ports will only work during system POST startup; once the OS (Win7-Pro) starts to load, the USB ports are disabled.

No luck using the wireless or wired USB devices (keyboard/mouse/UPS interface connection, etc.)

Luck would have it that I've thrown away all my ancient PS2 cabled input devices; my trips to Staples & Best Buy find only newfangled USB devices, no ancient technology available at retail!! Did run into another retail customer having similar issues as of last night's patch release; Staples associate was happy to sell her another wireless keyboard/mouse kit, which is useless if her problem is similar to mine.

I'm posting this via my WIN10 laptop which is working fine.

The WIN7 is up and idling, hopefully MS will recognize this issue soon and push a fix to those affected.

Any reports from the field of others affected by shut down USB ports upon Windows 7 boot up?

Noel
Taxmanhog

6 Posts
Hello Alex,

May I know how I can see the colorful display of all new patches which were released in the month of March 2016?

I like the format which was used in the month of Feb on this site. I am not able to find a similar graphical format of patches.

Here is an example.

https://isc.sans.edu/forums/diary/Microsoft+February+2016+Patch+Tuesday/20711/


I will appreciate your quick response.

Thanks,
Shevali
Taxmanhog
1 Posts
I haven't seen any USB issues here on any of the 6 PCs I have installed updates on so far... (Win7/x64)

Mice, keyboards, and smart card readers are all working.
K-Dee

63 Posts
Quoting K-Dee: I haven't seen any USB issues here on any of the 6 PCs I have installed updates on so far... (Win7/x64)

Mice, keyboards, and smart card readers are all working.


Concur.. no problems with USB (Sorry Noel)
ICI2I

63 Posts
Quoting ICI2I:
Quoting K-Dee: I haven't seen any USB issues here on any of the 6 PCs I have installed updates on so far... (Win7/x64)

Mice, keyboards, and smart card readers are all working.


Concur.. no problems with USB (Sorry Noel)


OK, folks, got to the bottom of this issue. A buddy dropped by today with an emergency care package, PS2 mouse & keyboard, which allowed me to drive the system.

I spent an hour looking at the AV logs, nothing untoward found, but the WIN process & security logs showed erratic behavior when the system was trying to do the automatic update Tuesday evening. I never had a chance that night or the following morning (Wed's) to check out what was going wrong.

While the system was on NET idling, the WU ran again and appeared to have healed its own issues and all updates were successfully applied, but somehow the BIOS settings for the USB port switches were modified, preventing functionality after POST.

After being satisfied nothing in the OS was a problem, restored the BIOS settings, fully enabled the USB ports; next reboot the USB HOST Controller needed to be re-installed/updated, then from there subsequent reboots verified that the wireless mouse and keyboard were functional, as well as the USB feed to my APC-UPS.

Now that we're back in business, I'll neatly fold the tin foil hat for another day.
Taxmanhog

6 Posts
