Patch Tuesday: Microsoft addresses Badlock Bug, issues 13 bulletins

Microsoft's April Patch Tuesday update contained 13 entries, with six rated critical and the remaining seven, which include a fix for the BadLock Bug, rated important.

The bulletins, which address 31 specific vulnerabilities, all deal with problems that could result in remote code execution, elevation of privilege, denial of service or a security feature bypass if left unpatched.

The critical-rated bulletins are MS16-037, MS16-038, MS16-039, MS16-040, MS16-042 and MS16-050 with each potentially allowing remote code execution.

While the BadLock Bug grabbed many of the headlines on this Patch Tuesday, most industry insiders did not see it as Microsoft's most pressing problem.

“Although the bug on everyone's mind going into patch Tuesday has been BadLock, this should probably not be at the top of any patch priority index by a long shot. The top priority for Windows administrators should be to protect against vulnerabilities that can be exploited through web sites or documents. This means that IE/Edge, Office, and graphics components should demand top attention especially since they all address flaws rated as more likely to be exploited,” said Tripwire researcher Craig Young to SCMagazine.com in a Tuesday email.

Qualys CTO Wolfgang Kandek noted that this batch of patches fixes two zero-day threats, included in bulletin MS16-039.

“The two 0-days are contained with the Windows portion and both allow for the escalation of privilege from a normal user to administrator. In real life they will be paired with an exploit for a vulnerability that gets the attacker on the machine such as the Flash Player flaw from APSB16-10 that Microsoft addresses in MS16-050,” Kandek said to SCMagazine.com in an email.

MS16-042 also drew Kandek's attention. This bulletin addresses four issues in Office and, in addition to applying the patches, he suggested administrators ban RTF emails from Outlook.

Lane Thomas, of Tripwire's Vulnerability and Exposure Research Team, called out bulletin MS16-049, rated important, as one system administrators should closely examine.

“What makes this bulletin interesting is that it addresses a vulnerability found within the HTTP 2.0 protocol stack. HTTP 2.0 is a very new protocol and I have personally been waiting to see new vulnerabilities in its implementation,” Thomas said in an email to SCMagazine.com.

The final patch that garnered industry attention was MS16-050, which addressed vulnerabilities in Flash Player. Adobe also issued a patch.
