Virtual Administrator’s April 2016 Patch Recommendations

13 Security Bulletins were released – 6 Critical, 7 Important, and 0 Moderate

This Month In Brief

We have not uncovered any widespread problems with any of these patches and are releasing all of them.

The top priority this month is MS16-039 for Microsoft Graphics Component and MS16-050 for Flash. MS16-039 is actively being exploited and unfortunately has a known issue (see below). Next in line would be MS16-042 addressing four flaws in Microsoft Office. After your next patch cycle completes you should follow up and make sure all of these are installed.

No out-of-band security updates were released during the last month.

Windows 10 cumulative updates are KB3147458 and KB3147461
Cumulative Update for Windows 10
https://support.microsoft.com/en-us/kb/3147461
Cumulative Update for Windows 10 Version 1511
https://support.microsoft.com/en-us/kb/3147458

Heads Up! MS16-039 “The Windows installer service could not be accessed.”
KB3114566 the patch specific to Office 2010

After you install this security update, you may receive an error message that resembles the following when you try to start an Office application:

“The Windows installer service could not be accessed.”

To resolve this problem, do one of the following:
-Option 1 On systems that have update 3139923 installed, make sure that update 3072630 is also installed.
-Option 2 Uninstall update 3139923.

This is identical to an issue reported with non-security update KB3114996
3114996 – Fixes race condition with Exchange Server
April 5, 2016, update for Outlook 2010 (KB3114996)
https://support.microsoft.com/en-us/kb/3114996

Notable news: Upcoming change to the release schedule for non-security updates

https://blogs.technet.microsoft.com/office_sustained_engineering/2016/03/28/upcoming-change-to-the-release-schedule-for-non-security-updates/

“Starting in April, the non-security updates will be released in Microsoft Update and the Windows Server Update Service (WSUS) on the first Tuesday of the month, which is April 5 in this case. This will include all updates that have the Critical or Definition classification. Updates with the Security classification will continue to release on second Tuesday as usual.

This change applies only to the MSI version of Office. Office Click-To-Run (C2R) will release on second Tuesday.”

Virtual Administrator’s policy is to release all patches on the first Friday following Patch Tuesday.

Exploitability

Requires Restart

  • Servers:True
  • Workstations:True

New Security Bulletins

(MS#/Affected Software/Type)

CRITICAL

MS16-037 Cumulative Security Update for Internet Explorer (3148531) (Internet Explorer) The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Details
Affected Software: Internet Explorer 9-11
Known Issues per MS:
MS16-038 Cumulative Security Update for Microsoft Edge (3148532) (Microsoft Edge) The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.
Details
Affected Software: Edge
Known Issues per MS:
MS16-039 Security Update for Microsoft Graphics Component (3148522) (Microsoft .NET Framework, Office, Skype, Lync) The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts.
Details
Affected Software: Vista, Windows 7/8.1/10, Server 2008/2008R2/2012/2012R2, Windows RT 8.1
Known Issues per MS: https://support.microsoft.com/en-us/kb/3148522
MS16-040 Security Update for Microsoft XML Core Services (3148541) (Microsoft Windows) The vulnerability could allow remote code execution if a user clicks a specially crafted link that could allow an attacker to run malicious code remotely to take control of the user’s system.
Details
Affected Software: Vista, Windows 7/8.1/10, Server 2008/2008R2/2012/2012R2, Windows RT 8.1
Known Issues per MS:
MS16-042 Security Update for Microsoft Office (3148775) (Microsoft Office) The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.
Details
Affected Software: Office 2007/2010/2013/2016, Office 2011/2016 for MAC, SharePoint Server 2007/2010/2013, Office Web Apps 2010/2013
Known Issues per MS: https://support.microsoft.com/en-us/kb/3148775
MS16-050 Security Update for Adobe Flash Player (3154132) (Adobe Flash Player) This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
Details
Affected Software: Windows 7/8.1/10, Server 2012/2012R2, Windows RT
Known Issues per MS:

IMPORTANT

MS16-041 Security Update for .NET Framework (3148789) (.NET Framework) The vulnerability could allow remote code execution if an attacker with access to the local system executes a malicious application.
Details
Affected Software: Vista, Windows 7, Server 2008/2008R2
Known Issues per MS:
MS16-044 Security Update for Windows OLE (3146706) (Microsoft Windows) The vulnerability could allow remote code execution if Windows OLE fails to properly validate user input.
Details
Affected Software: Vista, Windows 7/8.1, Server 2008/2008R2/2012/2012R2, Windows RT 8.1
Known Issues per MS:
MS16-045 Security Update for Windows Hyper-V (3143118) (Microsoft Windows) The most severe of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code.
Details
Affected Software: Windows 7/8.1/10, Server 2012/2012R2
Known Issues per MS:
MS16-046 Security Update for Secondary Logon (3148538) (Microsoft Windows) An attacker who successfully exploited this vulnerability could run arbitrary code as an administrator.
Details
Affected Software: Windows 10
Known Issues per MS:
MS16-047 Security Update for SAM and LSAD Remote Protocols (3148527) (Microsoft Windows) The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack.
Details
Affected Software: Vista, Windows 7/8.1/10, Server 2008/2008R2/2012/2012R2, Windows RT 8.1
Known Issues per MS:
MS16-048 Security Update for CSRSS (3148528) (Microsoft Windows) The vulnerability could allow security feature bypass if an attacker logs on to a target system and runs a specially crafted application.
Details
Affected Software: Windows 7/8.1/10, Server 2012/2012R2, Windows RT
Known Issues per MS:
MS16-049 Security Update for HTTP.sys (3148795) (Microsoft Windows) The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to a target system.
Details
Affected Software: Windows 10
Known Issues per MS:

MODERATE