This month’s Patch Tuesday brings 13 bulletins for 29 unique CVEs, including fixes for the Badlock bug and three flaws currently being exploited in the wild.
Although eight CVEs are associated with Badlock, experts have largely concluded it is not as bad as expected – in fact, the bulletin assigned to it (MS16-047) is only rated “important” by Microsoft.
The main CVE associated with it – CVE-2016-0128 – is a man in the middle attack on specific RPC traffic, which should be patched “as soon as possible,” according to Trustwave threat intelligence manager, Karl Sigler.
“However, I can't say that this vulnerability rises to any level that deserves the focus that a dedicated website and three weeks of build-up have given Badlock,” he added.
“Researchers need to step back and look at their findings as sysadmins might, as an attacker might, because these celebrity vulnerabilities have become shiny objects drawing attention and resources away from more serious threats.”
Of the critical bulletins, two deserve special attention as they address zero day threats.
MS16-050 takes care of 10 bugs in Flash including the botched zero day CVE-2016-1019.
Meanwhile, MS16-039 is a critical update for Microsoft Graphics Component resolving four flaws.
“The two zero days are CVE-2016-0165 and CVE-2016-0167, and should be considered a high priority for you this month,” advised Shavlik product manager, Chris Goettl.
“Three of the vulnerabilities require an attacker to first log on to the system, but if exploited, give the attacker full control of the target system. The fourth is a user-targeted attack where the attacker would convince the user to visit an untrusted webpage that contains embedded fonts.”
MS16-037 is a critical bulletin resolving six Internet Explorer-related CVEs, including the publicly disclosed CVE-2016-0160.
Admins should also note that Microsoft has now changed its update cycle.
“Starting this month, the software maker will roll out non-security updates via Windows Update or WSUS on the first Tuesday of each month, while the security updates will remain the second Tuesday of each month, or Patch Tuesday, as normal,” explained Heat Software product manager, Todd Schell.
“Whether this is good news for you and your team or not depends on your patching cycle but the overall intent was to make things a bit easier."