January Patch Tuesday: Support Ends for Windows 8, Limited for Older IE Versions; 17 Adobe Flaws Resolved

The life cycle of Windows 8, the first operating system Microsoft intended for both desktop and mobile use, has ended. After this January 2016 Patch Tuesday release, users who have not yet updated/upgraded to Windows 8.1 (which was made available in late 2013) or Windows 10 will stop receiving updates. Updating to Windows 8.1 or 10 is currently free for Windows 8 users. This particular end of support should not be a surprise: once a service pack (in this case, Windows 8.1) is released, users have approximately 24 months to upgrade before support ends.

Older versions of Internet Explorer will also receive limited support from Microsoft. From now on, only the “most current version” of IE for a particular version of Windows will receive updates. For most end users, this means Internet Explorer 11. (The specifics of which version is supported for each Windows version are posted as part of Microsoft’s Support Lifecycle page.)

Internet Explorer and Windows were listed among the affected software patched in the latest Microsoft release. Out of the nine patches, six were tagged as critical while the rest were tagged as important. One of them, MS16-001, addresses a critical flaw in Internet Explorer which attackers can use to install programs, edit data, or create new accounts with full user rights. MS16-002 also resolves a browser vulnerability, this time in Microsoft Edge, which can allow attackers to gain the same user rights as the current user.

The other vulnerabilities affect Windows (MS16-003, MS16-005, MS16-007, MS16-008), Visual Basic (MS16-004), Silverlight (MS16-006), and Exchange Server (MS16-010).

Adobe also resolved 17 flaws for Adobe Acrobat and Reader in a separate bulletin. All of these updates address critical vulnerabilities, which, if left unpatched, can allow attackers to take control of affected systems.

Updating software and systems with the latest patches from Adobe and Microsoft is strongly advised.

Trend Micro Solutions

Trend Micro Deep Security and Vulnerability Protection defend user systems from threats that may leverage these vulnerabilities with the following DPI rules:

  • 1007362 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2016-0002)
  • 1007363 – Microsoft Internet Explorer Same Origin Policy Bypass Vulnerability (CVE-2016-0005)
  • 1007364 – Microsoft Windows ASLR Bypass Vulnerability (CVE-2016-0008)
  • 1007366 – Microsoft Silverlight Runtime Remote Code Execution Vulnerability (CVE-2016-0034)
  • 1007368 – Microsoft DirectShow Heap Corruption Vulnerability (CVE-2016-0015)
  • 1007369 – Microsoft Windows DLL Loading Vulnerabilities Over Network Share (MS16-007)
  • 1007370 – Microsoft Windows DLL Loading Vulnerabilities Over WebDAV (MS16-007)
  • 1007372 – Microsoft Edge Memory Corruption Vulnerability (CVE-2016-0003)
  • 1007373 – Microsoft Office Memory Corruption Vulnerability (CVE-2016-0010)
  • 1007374 – Microsoft Office ASLR Bypass Vulnerability (CVE-2016-0012)
  • 1007375 – Microsoft Office Memory Corruption Vulnerability (CVE-2016-0035)
  • 1007378 – Microsoft Edge Memory Corruption Vulnerability (CVE-2016-0024)

Update as of January 12, 2016, 3:30 P.M. PST

We have updated this entry to add information on the applicable Trend Micro solutions.

Story added January 12, 2016.