Microsoft released 13 bulletins for April Patch Tuesday today; 6 of which are rated critical. Thirty vulnerabilities have been addressed in total and the software impacted is widespread. Perhaps most importantly, there are also zero-days in the mix. To avoid compromise, IT should get these updates made quickly.
First on your list of priorities this month should be the security update for Adobe Flash. Microsoft lists the update as MS16-050 (and therefore it is counted in the total MS update count) yet it addresses fixes released Thursday by Adobe in APSB16-10. Of the 10 total CVEs in this update, CVE-2016-1019 has been under active exploit since last week.
MS16-039 is a critical fix for a graphics component within Windows. Because it contains zero-days currently targeted at 32-bit systems that could result in escalation of privilege, this one also takes top priority. It applies to all versions of Windows as well as Server 2008 to 2012.
Next on your update list should be the standard browser updates. MS16-037 is a critical, cumulative update for 6 CVEs in IE and likewise, the same number of critical vulnerabilities have been addressed for Edge in MS16-038. We are now seeing a steady cadence of Edge updates in addition to IE and this month, Edge seems harder hit in severity overall. If your users rely on either of these browsers, you should make these updates a priority.
MS16-040 is a critical update to the XML Core subsystem. In this vulnerability, the attacker could gain complete system control through a remote code execution, however user interaction is required. MS16-042 is another update you will want to pay attention to. Also rated critical, this updates patches four vulnerabilities in Office. The most severe (CVE-2016-0127) could allow a remote code execution if the user opens a malicious Office file.
Because ‘Badlock’ has been in the news, it’s interesting to note MS16-047. Microsoft rates it as important; it hasn’t proved as serious as originally thought. The Badlock exploit is covered by a number of CVEs, but primarily under CVE-2016-0128. Take note that these man-in-the-middle attacks and their respective fixes are getting more attention these days, in this case Badlock even has a nice logo to remember it by. If the bad guys are paying attention, you should too.
Finally, Microsoft executed on a change to their update cycle last week. Starting this month, the software maker will roll out non-security updates via Windows Update or WSUS on the first Tuesday of each month while the security updates will remain the second Tuesday of each month, or Patch Tuesday, as normal. Whether this is good news for you and your team or not depends on your patching cycle but the overall intent was to make things a bit easier. Let us know if you like the pattern change!