Windows 10 shattered Remote Desktop's security defaults – so get patching

All users of Windows, Office, and Adobe software should update ASAP

Microsoft has issued its January batch of security updates – including what will be the final round of patches for many versions of Internet Explorer.

The first Patch Tuesday monthly security release of the year includes fixes for 25 CVE-listed flaws in Windows, Internet Explorer, Edge, and Office. Among the patched bugs are remote code execution vulnerabilities, elevation of privilege holes, and a spoofing vulnerability.

Microsoft reckons no one is actively exploiting the security vulnerabilities addressed in this month's patch bundle, but it's only a matter of time before criminals reverse-engineer the updates and target them.

Here's the list of updates you should install – and watch out for sneaky downloads that enable the Windows 10 nagware:

  • MS16-007 addresses six CVE-listed bugs, including a flaw in Remote Desktop Server on Windows 10 that would allow an attacker to remotely log into password-less accounts, which would normally be blocked. By default, Windows should prevent Remote Desktop access to password-less profiles, but somewhere along the line, Windows 10 started allowing access to unprotected accounts, which would have caught some IT admins with their pants down. Now Redmond has gone back to the usual default of blocking Remote Desktop to password-less users.
  • MS16-001 is a cumulative security update for Internet Explorer, and the last update for most desktop versions of IE. Two CVE-listed flaws are addressed in the update, including one that can be exploited by a malicious webpage to execute code on a vulnerable machine.
  • MS16-002 is a cumulative update for the Edge browser in Windows 10. The update fixes a pair of security cockups in Edge that could be targeted in remote code execution attacks.
  • MS16-003 updates JScript and VBScript to protect against a remote code execution flaw that could be exploited on Windows Vista or Server 2008 installations that still run IE 7.
  • MS16-004 addresses two remote code execution vulnerabilities and a security bypass flaw in Office 2007, 2010, 2013, 2013 RT, 2016, and Office for Mac 2011 and 2016. Opening a booby-trapped document could trigger the execution of malware hidden in the file.
  • MS16-005 is a fix for two CVE-listed flaws in Windows, one of which could allow remote code execution and another which could lead to elevation of privilege. The remote code execution bug (CVE-2016-0009) is considered a higher risk for Windows Vista, Windows 7 and Windows Server 2008.
  • MS16-006 will patch one vulnerability in Silverlight allowing for remote code execution via a malicious webpage. Mac users running Silverlight are also vulnerable and should update the plugin for OS X.
  • MS16-008 is an update for two CVE-listed elevation of privilege flaws in the Windows kernel. All supported versions of Windows and Windows Server are subject to the fix.
  • MS16-010 fixes four CVE-listed spoofing bugs in Exchange Server 2013 and 2016.
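
For admins who want to see whether a host has accounts of the kind the MS16-007 item describes, here is a read-only PowerShell audit, added as an example and not taken from Microsoft's bulletin or the article. The function name is hypothetical, and it assumes Windows PowerShell 5.1 or later with the default Remote Desktop logon rights (Administrators and Remote Desktop Users); the registry values it reads are standard Windows settings that the article does not name.

```powershell
# Added example (not from the article): read-only audit, run elevated on the host.
function Test-BlankPasswordRdpExposure {
    [CmdletBinding()]
    param()

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)

    # LimitBlankPasswordUse backs the policy "Accounts: Limit local account use of
    # blank passwords to console logon only". Report the raw value; 0 = restriction off.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue
    $limit = if ($null -ne $lsa) { $lsa.LimitBlankPasswordUse } else { 'NotSet' }

    # Members of Administrators (S-1-5-32-544) and Remote Desktop Users (S-1-5-32-555),
    # the groups assumed to hold the RDP logon right. Well-known SIDs avoid localized names.
    $rdpSids = foreach ($groupSid in 'S-1-5-32-544', 'S-1-5-32-555') {
        Get-LocalGroupMember -SID $groupSid -ErrorAction SilentlyContinue |
            ForEach-Object { $_.SID.Value }
    }

    # Enabled local accounts that are allowed to have no password, or never had one set.
    # These are candidates for review: the flag does not prove the password is blank.
    Get-LocalUser |
        Where-Object { $_.Enabled -and (-not $_.PasswordRequired -or $null -eq $_.PasswordLastSet) } |
        ForEach-Object {
            [pscustomobject]@{
                Account               = $_.Name
                PasswordRequired      = $_.PasswordRequired
                PasswordLastSet       = $_.PasswordLastSet
                InRdpGroup            = $rdpSids -contains $_.SID.Value
                RdpEnabled            = $rdpEnabled
                LimitBlankPasswordUse = $limit
            }
        }
}

Test-BlankPasswordRdpExposure | Format-Table -AutoSize
```

Any row with InRdpGroup and RdpEnabled both true is an account to give a password or disable, whether or not the patch is installed.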

In addition to Microsoft's patch bundle, Adobe has issued its monthly update for flaws in its Acrobat and Reader software. A total of 17 CVE-listed security bugs are patched for both OS X and Windows.

Of the 17 bugs addressed by Adobe this month, five are use-after-free remote code execution attacks, nine allow remote code execution from memory corruption, one allows remote code execution by way of a double-free condition, one allows remote code execution through a directory search path in Adobe Download Manager, and another allows an attacker to bypass JavaScript API security restrictions.

Both Windows and OS X users and administrators should install the Adobe update. ®