May 2016 Patch Tuesday Fixes Browser and Scripting Engine Flaws

The second Tuesday of the month has arrived which means the arrival of regularly scheduled patches from Microsoft and other vendors. This month’s release includes sixteen bulletins from Microsoft, as well as an update from Adobe for their PDF-related application. A separate update for Flash Player will arrive later this week.

Of the sixteen Microsoft bulletins, eight are rated Critical. There is one bulletin each for Internet Explorer and Edge; these fix several issues in these browsers that could lead to remote code execution. The remaining six Critical bulletins cover a variety of Windows components as well as Microsoft Office.

The most critical vulnerability fixed is CVE-2016-0189, which is actually covered in two separate bulletins: MS16-051 (the cumulative Internet Explorer bulletin) and MS16-053 (covering both JScript and VBScript scripting engines). This particular flaw is a memory corruption vulnerability that could allow for remote code execution. Exploits have already been found in the wild; it is covered twice because in certain Windows versions the vulnerable scripting engine is also packaged separately from the browser.

The remaining eight bulletins are rated as Important and also cover a range of Microsoft products, from Windows IIS (the web server) to Windows Media Center.

As for Adobe, APSB16-14 contains fixes for their current PDF-related products – both the newest version (Acrobat DC/Acrobat Reader DC) and the previous version, (Acrobat/Reader). A total of 97 separate vulnerabilities were fixed.

More worryingly, they also released APSA16-02, which notified users that a vulnerability (CVE-2016-4117) is present in current versions of Flash Player and is being exploited in the wild. A fix is expected by May 12.

Users are highly recommended to apply all these patches as soon as possible.

Trend Micro solutions

Trend Micro Deep Security and Vulnerability Protection protect user systems from any threats that may leverage these Microsoft vulnerabilities via the following DPI rules:

1007537-Microsoft Windows OpenType Font Parsing Vulnerability (CVE-2016-0120)
1007612-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2016-0187)
1007613-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2016-0189)
1007614-Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2016-0192)
1007615-Microsoft Edge Memory Corruption Vulnerability (CVE-2016-0191)
1007616-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2016-0193)
1007617-Microsoft Office Memory Corruption Vulnerability (CVE-2016-0126)
1007618-Microsoft Office Memory Corruption Vulnerability (CVE-2016-0140)
1007619-Microsoft Office Graphics RCE Vulnerability (CVE-2016-0183)
1007620-Microsoft Windows Graphics Component Information Disclosure Vulnerability (CVE-2016-0168)
1007621-Microsoft Windows Graphics Component Information Disclosure Vulnerability (CVE-2016-0169)
1007622-Microsoft Windows Graphics Component RCE Vulnerability (CVE-2016-0170)
1007623-Microsoft Windows Direct3D Use After Free Vulnerability (CVE-2016-0184)
1007624-Microsoft Windows Media Center Remote Code Execution Vulnerability (CVE-2016-0185)

The following rules cover the vulnerabilities in Adobe products:

1007629-Adobe Acrobat And Reader Integer Overflow Vulnerability (CVE-2016-1043)
1007630-Adobe Acrobat And Reader Memory Corruption Vulnerability (CVE-2016-1063)
1007631-Adobe Acrobat And Reader Use After Free Vulnerability (CVE-2016-1065)
1007632-Adobe Acrobat And Reader Use After Free Vulnerability (CVE-2016-1070)
1007633-Adobe Acrobat And Reader Memory Corruption Vulnerability (CVE-2016-1073)

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

May 2016 Patch Tuesday Fixes Browser and Scripting Engine Flaws