Karlston Posted April 13, 2016

So far this month, 13 Windows security bulletins, 29 identified vulnerabilities, and Win10 takes the lion's share of patches

Patch Tuesday has arrived and we've been treated to an odd array of fixes. The SANS Internet Storm Center lists 13 security bulletins, only one of which, MS 16-039/KB 3148522, has a known exploit. In addition, we discovered the big secret behind the Badlock patch -- you may yawn now -- and found that a surprisingly large percentage of the security problems appear in Windows 10.

First, the actively exploited security hole: You probably won't believe this (at least, I didn't), but the bug is related to the way fonts are handled inside the Windows kernel ... again. We saw similar problems in Aug 2014's KB 2982791 (that patch was pulled and re-released), February 2015's KB 3013455 (that patch was pulled and re-released), and July 2015's KB 3077657 (that patch was ... you get the idea). No doubt there were other high-priority font-in-the-kernel security patches in the past few years that crashed and burned. Nudge my memory in the comments or on AskWoody.com.

The vulnerability affects all covered versions of Windows, plus .Net, Skype for Business 2016, Lync 2013, and Lync 2010. Microsoft lists 17 additional KB articles that describe the problem for each affected system. My recommendation: Wait and see if KB 3148522 fares as poorly as its predecessors. It's one more reason to avoid Skype, as if you needed another.

Big bad Sad ... er, Badlock, MS 16-047/KB 3148527 arrived with a whimper. The hype was unprecedented, including a fancy "celebrity" name and dedicated website. Many people honestly believed that the Internet would come to a screeching halt shortly after details of the bug were released. You're here now, so I guess that didn't happen. Turns out it's a man-in-the-middle attack that applies to a very narrowly defined set of criteria, where the attacker is in the middle at the right time.
Kim Zetter at Wired has details.

Here's the part that concerns me the most: Windows 10 took a belly hit. While Win7 came in for three critical patches and one important patch, and Windows 8.1 was involved in three critical and three important patches, Win10 brought home the prize with four critical and four important patches.

Microsoft has released its latest changelog for Windows 10 (yessss!), and it describes "quality improvements and security fixes. No new operating system features are being introduced in this update." The list includes many innocuous fixes, but the meat comes in the summary of KB 3147458. That summary says the cumulative update "resolves the following vulnerabilities in Windows":

3148531 MS16-037: Cumulative Security Update for Internet Explorer
3148532 MS16-038: Cumulative Security Update for Microsoft Edge: May 10, 2016
3148522 MS16-039: Security Update for Microsoft Graphics Component to Address Remote Code Execution
3148541 MS16-040: Security Update for Microsoft XML Core Service to Address Remote Code Execution
3148789 MS16-041: Security update for the .NET Framework to address remote code execution: April 12, 2016
3148538 MS16-046: Security Update for Secondary Logon to Address Elevation of Privilege
3148527 MS16-047: Security Update for Security Account Manager Remote Protocol to Address Elevation of Privilege
3148528 MS16-048: Security Update for CSRSS to Address Remote Code Execution
3148795 MS16-049: Security Update for Internet Information Services (IIS) to Address Denial of Service

After you've installed the update, Windows 10 will show it's at cumulative update 11, build 1511 OS version 10586.218. Or, as I like to call it, Windows 10.1.11.

As promised, Office only had security patches this Tuesday; the nonsecurity patches came out last Tuesday. On the official list, I count 33 security patches today, covering Office 2016, 2013, 2010, 2007, 2003, SharePoint, OneDrive, Office for Mac, and various Office servers.
Initial reports on the attempts to block the Win10 update using Microsoft tools and crowdsourced testing are positive, except for one poor soul (me) who took the final steps in the wrong order and wound up with the cumulative update installed automatically. Details tomorrow.

Source: This month's patches: Badlock, an active exploit, Windows 10 version 10586.218 (InfoWorld - Woody Leonhard)
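An added check, not part of Woody's article or of any post in this thread: a PowerShell snippet that confirms a Windows 10 version 1511 machine actually landed on OS build 10586.218 and carries the cumulative update KB 3147458 named above. The build, UBR and KB number come from the article; the registry path, the Get-HotFix cmdlet and the wusa command are standard Windows tooling. Windows 10 installs the bulletin fixes listed above (MS16-037 through MS16-049) as that one cumulative package, so Get-HotFix reports only KB3147458, not the individual 31485xx KB numbers.

```powershell
# Added example (not from the article): verify that the April 2016 cumulative
# update is installed on a Windows 10 version 1511 machine.
# Expected state per the article: OS build 10586, UBR (revision) 218.
$ExpectedBuild = 10586
$ExpectedUbr   = 218
$CumulativeKb  = 'KB3147458'   # Win10 1511 cumulative update from the article

# CurrentBuild and UBR together form the "10586.218" that winver shows;
# ReleaseId holds the version label ("1511").
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuild
$ubr   = [int]$cv.UBR

"Release {0}, OS build {1}.{2}" -f $cv.ReleaseId, $build, $ubr

if ($build -ne $ExpectedBuild) {
    Write-Warning "Not a 1511 (10586) build; this check does not apply to this machine."
} elseif ($ubr -lt $ExpectedUbr) {
    Write-Warning "Revision $ubr is below $ExpectedUbr: the April cumulative update is not installed."
} else {
    Write-Output "OS build is at or past 10586.$ExpectedUbr."
}

# Cross-check against the installed-update list. On Windows 10 the component
# fixes ship inside this single package, so only the cumulative KB appears.
$hotfix = Get-HotFix -Id $CumulativeKb -ErrorAction SilentlyContinue
if ($hotfix) {
    "{0} installed on {1}" -f $hotfix.HotFixID, $hotfix.InstalledOn
} else {
    Write-Warning "$CumulativeKb is not reported by Get-HotFix."
}

# If you share Woody's wait-and-see preference and need to back it out, the
# stock Windows Update Standalone Installer removes it by KB number (elevated):
#   wusa.exe /uninstall /kb:3147458
```

Run it from an elevated PowerShell prompt; Get-HotFix reads the same data as Control Panel's "Installed Updates", so a machine that got the package through the automatic channel (as Woody's did) will show it here even if you never clicked Install.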
DKT27 (Administrator) Posted April 13, 2016

Thread moved to Security and Privacy News.
straycat19 Posted April 13, 2016

Yep, Windows 10 The Most Secure Windows Ever, just another Microsoft lie. Microsoft's Motto: Patch, Patch the Patch, then Patch the patch that patched the patch. Best thing I ever did was turn off the damn patches.
straycat19 Posted April 16, 2016

The following comment by Honan from SANS exemplifies what many of us involved in security have been saying recently concerning the number of exploits that have been advertised and that falsely create fear, because the chance of being exploited is infinitesimal.

"The 'BadLock' flaw is a prime example of how we as an industry cry wolf over security issues. Badlock came with its own logo, its own website, and a PR campaign for a number of weeks before it was launched, leading to much speculation over its impact. In the end, it was deemed as not a major issue. This kind of behaviour reflects badly on us as an industry and makes raising awareness of more genuine issues even more difficult."

Source
Batu69 Posted April 16, 2016

Topic merged.