Microsoft's first Patch Tuesday of 2016 contains nine bulletins, six rated critical, affecting several Microsoft products, including Windows, Internet Explorer, Edge and Silverlight.
However, the big news this month is not just the Patch Tuesday updates, but that it's the first security bulletin issued since Microsoft stopped supporting older versions of Internet Explorer. The move is part of Microsoft's larger plan to remove support for older software systems, it ended support for most Windows XP systems last year, in order to boosts its products security and reliability and encourage customers to upgrade.
“This will make IE maintenance easier for Microsoft, but will create more migration work for IT managers that have to update their browser installations to the latest level. Mid-term this will create a better and more robust platform, but in the short term we are looking at some additional security exposures as legacy browsers will lose their updates,” said Qualys CTO Wolfgang Kandek in an email to SCMagazine.com Tuesday.
All of the critical updates, MS16-001 to MS16005, if exploited, could result in remote code execution by an attacker.
“We're seeing the usual collection of browser related cumulative security updates (both Explorer and Edge), as well as the regular patches to address kernel mode driver and MS Office document related security holes. Also getting attention this month is a critical update to the VBScript engine, preventing attacks from gaining control of a host by getting the scripting engine to process malicious scripts, Jon Rudolph, principal software engineer at Core Security.
Interestingly one of the less critical fixes, MS16-010, has garnered quite a bit of interest from industry watchers. This addresses vulnerabilities with Microsoft Exchange Server that could allow spoofing if Outlook Web Access fails to properly handle a web request and sanitize the user's input and email content, the security bulletin noted.
“This patch closes three vulnerabilities that could lead to significant and direct financial losses through so called business e-mail compromise (BEC). This type of attack tends to rely on the ability of an attacker to convince a victim that emails came from someone else within the firm in a position of authority. The ability to make phishing emails legitimately appear to come from an internal address is a tremendous advantage for attackers,” said Tyler Reguly, security researcher and manager of Tripwire's Vulnerability and Exposure Research Team.