Patch/Configuration Management, Vulnerability Management

Patch Tuesday: Microsoft rolls out 16 bulletins, eight rated critical

Microsoft's May Patch Tuesday rollout contains 16 bulletins covering 37 vulnerabilities. Half of the bulletins are rated critical, meaning the flaws they fix could lead to remote code execution, and the batch is slightly larger than the 13 bulletins issued in April.

The critical-rated bulletins are MS16-051, MS16-052, MS16-053, MS16-054, MS16-055, MS16-056, MS16-057 and MS16-064. Several industry watchers tagged MS16-051, for Internet Explorer, as one of the more important issues because, as Microsoft has already noted, the flaw it fixes is under attack in the wild.

“On the top of our list is the update for Internet Explorer (MS16-051) that addresses a critical RCE-type vulnerability CVE-2016-0189 that is currently under attack. The vulnerability is in the JavaScript engine and in Vista and Windows 2008 the engine is packaged separately from the browser, so if you run these variants of Windows (only 2% still run on Vista) you need to install MS16-053,” Wolfgang Kandek, Qualys CTO, told SCMagazine in an email Tuesday.

David Picotte, Rapid7's engineering manager, said in an email to SCMagazine.com that if for whatever reason administrators can't patch their systems right away, Microsoft has provided a workaround in MS16-051 that disables the VBScript.dll and JScript.dll functionality, a method Picotte described as “a crude but effective means of reducing your risk.”
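The workaround Picotte refers to blocks the browser from loading the script engine DLLs rather than patching them. The PowerShell below is an added example of that ACL-based approach, written for this page and not taken from the MS16-051 bulletin; the exact commands, the file list (vbscript.dll and jscript.dll under System32 and SysWOW64 on 64-bit Windows) and the use of icacls rather than the bulletin's own commands are assumptions, and it must be run from an elevated 64-bit PowerShell session.

```powershell
# Added example (not Microsoft's bulletin text): deny every principal read/execute
# on the script engine DLLs so Internet Explorer cannot load them, with a check
# and an undo. Assumes 64-bit Windows and an elevated 64-bit PowerShell session;
# from a 32-bit session, file-system redirection would silently remap System32.
$dlls = @('vbscript.dll', 'jscript.dll')
$dirs = @("$env:windir\System32", "$env:windir\SysWOW64")

function Get-ScriptEngineDlls {
    # Return the full paths that actually exist on this machine.
    foreach ($d in $dirs) {
        foreach ($f in $dlls) {
            $p = Join-Path $d $f
            if (Test-Path $p) { $p }
        }
    }
}

function Disable-ScriptEngines {
    # Take ownership (the files are owned by TrustedInstaller), then add a
    # Deny ACE for Everyone. Everyone includes administrators, so this also
    # breaks Windows Script Host (cscript/wscript) and anything built on it.
    foreach ($p in Get-ScriptEngineDlls) {
        takeown.exe /f $p | Out-Null
        icacls.exe $p /deny 'Everyone:(RX)' | Out-Null
        Write-Host "denied read/execute on $p"
    }
}

function Enable-ScriptEngines {
    # Remove only the Deny ACE; the remaining allow ACEs are left untouched.
    foreach ($p in Get-ScriptEngineDlls) {
        icacls.exe $p /remove:d Everyone | Out-Null
        Write-Host "restored access on $p"
    }
}

function Test-ScriptEngines {
    # Report whether the Deny ACE is present on each DLL, so the state of the
    # workaround can be verified before and after it is applied or reverted.
    foreach ($p in Get-ScriptEngineDlls) {
        $denied = (Get-Acl $p).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -match 'Everyone'
        }
        [pscustomobject]@{ Path = $p; Denied = [bool]$denied }
    }
}

# Usage: apply until the update can be installed, verify, then revert.
# Disable-ScriptEngines; Test-ScriptEngines
# Enable-ScriptEngines;  Test-ScriptEngines
```

Two caveats a practitioner should keep in mind: the Deny ACE blocks every consumer of the engines, not just Internet Explorer, so logon scripts, WMI scripts and management tooling written in VBScript or JScript stop working while it is in place; and the workaround should be reverted before the MS16-051 or MS16-053 update is installed so the installer can replace the files cleanly.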

The remaining critical bulletins cover Microsoft Edge, JScript and VBScript, Office, the Graphics Component, Windows Journal and the Windows Shell.

Bulletin MS16-064 links to Adobe's advisory APSB16-14, which covers updates to several products, including Flash Player.

Chris Goettl, a product manager with Shavlik, said, in comments emailed to SCMagazine.com, “Adobe Flash Player only released an advisory today, but it included high-level details of a vulnerability that has been detected in exploits in the wild. If information gleaned from MS16-064 is accurate, this Zero Day will be accompanied by 23 additional CVEs, with the release expected on May 12th. With this in mind, the recommendation is to roll this update out immediately.”

Although not rated critical, MS16-061 also raised some eyebrows. This Windows vulnerability could allow elevation of privilege if an unauthenticated attacker sends malformed Remote Procedure Call requests to an affected host.

“Although Microsoft rates CVE-2016-0178 as less likely to be exploited, the potential for abuse on this one is enormous," Tripwire security researcher Craig Young said in comments emailed to SCMagazine.com. "The underlying flaw affects all supported servers and desktops from Windows Vista to Windows 10 and can allow an unauthenticated attacker to gain control of unpatched systems.”
