Microsoft’s February Patch Tuesday contains 13 bulletins, six rated critical – all of which can allow remote code execution if exploited.
None of the vulnerabilities have been spotted in the wild; however, they do impact almost all of Microsoft’s product areas, including Windows, Internet Explorer (IE), Edge and Office.
“The common thread amongst almost all the vulnerabilities is the system loading up untrusted files or content, which for certain formats seems to be a very regular issue,” Jon Rudolph, principal software engineer at Core Security, told SCMagazine.com Tuesday in an email.
The standout patch for this cycle, according to several industry insiders, is the critical-rated MS16-022 for Adobe Flash Player. It addresses 20 specific vulnerabilities on all supported versions of Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10.
“MS16-022 leads our priority list at Qualys for this month. None of the vulnerabilities described is in use in the wild, but many are rated as easily exploitable by both Microsoft and Adobe, so you should address them quickly,” Wolfgang Kandek, Qualys CTO, wrote in his blog.
Tyler Reguly, a Tripwire researcher, noted that for the first time Adobe Flash Player embedded within IE and Edge received its own, stand-alone bulletin.
“Previously, Microsoft updated the same KB on a month by month basis with no defining elements. This is a welcome change and hopefully it bodes well for other areas where Microsoft continues to do this,” Reguly told SCMagazine in a Tuesday email.
Bulletin MS16-015 was also highlighted by Kandek and other industry executives as being of particular interest. This bulletin addresses a Microsoft Office issue that could affect a user who opens a specially crafted Word file, possibly allowing the attacker to run arbitrary code.
“There is a SharePoint update included in the Office bulletin, MS16-015. This is a critical bulletin and has a publicly disclosed vulnerability, CVE-2016-0039. One of the complicating factors with SharePoint is the fact that rollback is not an easy thing if something breaks. If you have not already done so, we highly recommend virtualizing your SharePoint servers so you can take advantage of snapshot capabilities to roll back to a good state, in case something goes wrong,” said Chris Goettl, product manager with Shavlik.
The other critical patches are MS16-009, MS16-011, MS16-012 and MS16-013. The remaining seven bulletins are rated as important by Microsoft.
Lane Thames, a Tripwire researcher, said consumers and enterprise users who are still using the now-unsupported IE 7 and 8 need to upgrade their systems as soon as possible. Thames believes reverse engineers and exploit kit developers will be looking at bulletin MS16-009 to target the now-vulnerable browsers.
“Enterprise organizations who require these browsers due to legacy applications must ensure that these systems do not have access to external or untrusted websites,” Thames told SCMagazine.com Tuesday in an email correspondence.