2016: Bad USB sticks, evil webpages, booby-trapped font files still menace Windows PCs
So update your software – now!
Patch Tuesday Microsoft has published the March edition of its monthly security updates, addressing security flaws in Internet Explorer, Edge and Windows, while Adobe has issued updates for Digital Editions, Acrobat and Reader.
Microsoft released 13 sets of patches for you to install as soon as possible:
- MS16-023 A cumulative update for Internet Explorer 9 through to 11 addressing 13 CVE-listed vulnerabilities, including remote code execution flaws. Visiting a booby-trapped webpage using IE can trigger the execution of malicious code and malware on the system.
- MS16-024 A cumulative update for Microsoft Edge that addresses 10 CVE-listed memory corruption vulnerabilities and one information disclosure flaw.
- MS16-025 An update for a single remote code execution vulnerability in Windows. This flaw only affects Windows Vista, Server 2008 and Server Core. "A remote code execution vulnerability exists when Microsoft Windows fails to properly validate input before loading certain libraries," says Redmond. "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
- MS16-026 Two CVE-listed vulnerabilities in Windows Vista to Windows 10, one causing denial of service and another allowing remote code execution. If an attacker convinces "a user to open a specially crafted document, or to visit a webpage that contains specially crafted embedded OpenType fonts," then malicious code will execute on their system.
- MS16-027 Two CVE-listed vulnerabilities in Windows Media Parsing on Windows 7 to 10, both potentially allowing remote code execution. Visiting a webpage with a booby-trapped video embedded in it can exploit the bug to hijack the PC.
- MS16-028 Two flaws in the Windows PDF Library on Windows 8 and 10 that allow for remote code execution if you open a maliciously crafted document.
- MS16-029 An update for Office 2007 to 2016 for Mac addressing two memory corruption flaws and one security feature bypass vulnerability. Opening a document laced with bad code will trigger the bugs.
- MS16-030 An update for two remote code execution vulnerabilities in Windows OLE in Vista to Windows 10. "An attacker must convince a user to open either a specially crafted file or a program from either a webpage or an email message," noted Microsoft. After that, code execution is possible.
- MS16-031 An elevation of privilege vulnerability in Windows Vista to Server 2008 R2: applications can abuse handles in memory to gain administrator-level access.
- MS16-032 An elevation of privilege vulnerability in the Windows Secondary Logon Service: again, applications on Windows Vista to Windows 10 can abuse handles in memory to gain administrator-level access.
- MS16-033 An update to address a flaw in the Windows USB Mass Storage Class Driver that could allow attackers to gain administrator privileges with a specially crafted USB drive. This affects Windows Vista to Windows 10.
- MS16-034 A collection of four elevation of privilege flaws in the Windows Kernel-Mode Drivers: applications on Windows Vista to Windows 10 can exploit these to execute malicious code at the kernel level.
- MS16-035 A fix for one security feature bypass flaw in the .NET framework.
Adobe, meanwhile, has issued two updates for its products:
- Digital Editions for Windows, OS X, iOS and Android has been updated to patch a remote code execution vulnerability.
- Acrobat and Reader for Windows and OS X have been updated to address three CVE-listed remote code execution flaws.
- Users should also expect an update for unspecified vulnerabilities in Flash Player "in the coming days." ®