Security Alert (A16-03-02): Multiple Vulnerabilities in Microsoft Products (March 2016)


 

Published on: 09 March 2016

  
  

Description:

Microsoft has released 13 security bulletins listed below addressing multiple vulnerabilities which affect several Microsoft products or components:

MS16-023    Cumulative Security Update for Internet Explorer
MS16-024    Cumulative Security Update for Microsoft Edge
MS16-025    Security Update for Windows Library Loading to Address Remote Code Execution
MS16-026    Security Update for Graphic Fonts to Address Remote Code Execution
MS16-027    Security Update for Windows Media to Address Remote Code Execution
MS16-028    Security Update for Microsoft Windows PDF Library to Address Remote Code Execution
MS16-029    Security Update for Microsoft Office to Address Remote Code Execution
MS16-030    Security Update for Windows OLE to Address Remote Code Execution
MS16-031    Security Update for Microsoft Windows to Address Elevation of Privilege
MS16-032    Security Update for Secondary Logon to Address Elevation of Privilege
MS16-033    Security Update for Windows USB Mass Storage Class Driver to Address Elevation of Privilege
MS16-034    Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege
MS16-035    Security Update for .NET Framework to Address Security Feature Bypass


Affected Systems:

  • Microsoft .NET Framework 2.0, 3.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1
  • Microsoft Edge
  • Microsoft Internet Explorer 9, 10, 11
  • Microsoft Office 2007, 2010, 2013, 2013 RT, 2016, Office for Mac 2011, 2016
  • Microsoft Office Compatibility Pack, Word Viewer
  • Microsoft Office Web Apps 2010, 2013
  • Microsoft SharePoint Server 2010, 2013
  • Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2
  • Microsoft Windows Vista, 7, 8.1, RT 8.1, 10

A complete list of the affected products can be found in the section "Affected Software" in the Microsoft security bulletin summary available at:

https://technet.microsoft.com/library/security/ms16-mar


Impact:

Depending on the vulnerability exploited, a successful attack could lead to security restrictions bypass, elevation of privilege, arbitrary code execution and information disclosure.


Recommendation:

Patches for affected products are available from the Microsoft Update website. Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

  • Microsoft Update
    http://update.microsoft.com/microsoftupdate

If any problem is encountered during the patch installation via automated methods, patches for various affected systems can also be downloaded individually from the "Affected and Non-Affected Software" section of the corresponding Microsoft Security Advisory and Bulletins which can be accessed from the URL(s) listed in the "More Information" section of this Security Alert.

End-of-Life Upgrade Notification for Internet Explorer

A new “End of Life” upgrade notification feature was delivered in the 12 January 2016 cumulative security update for Internet explorer (IE). This feature notifies users of IE8, IE9 and IE10 on Windows 7 SP1 and Windows Server 2008 R2 that their IE is end of life. The notification web page is displayed in an additional tab when the end of life IE is launched. This feature can be disabled by configuring a registry key. For more details, please refer to the below URL:

https://support.microsoft.com/en-us/kb/3123303

More Information:

https://technet.microsoft.com/en-us/library/security/ms16-mar
https://technet.microsoft.com/library/security/MS16-023
https://technet.microsoft.com/library/security/MS16-024
https://technet.microsoft.com/library/security/MS16-025
https://technet.microsoft.com/library/security/MS16-026
https://technet.microsoft.com/library/security/MS16-027
https://technet.microsoft.com/library/security/MS16-028
https://technet.microsoft.com/library/security/MS16-029
https://technet.microsoft.com/library/security/MS16-030
https://technet.microsoft.com/library/security/MS16-031
https://technet.microsoft.com/library/security/MS16-032
https://technet.microsoft.com/library/security/MS16-033
https://technet.microsoft.com/library/security/MS16-034
https://technet.microsoft.com/library/security/MS16-035
https://blogs.msdn.microsoft.com/ie/2014/08/07/stay-up-to-date-with-internet-explorer/
https://www.hkcert.org/my_url/en/alert/16030901 (to 16030913)
https://www.us-cert.gov/ncas/current-activity/2016/03/08/Microsoft-Releases-March-2016-Security-Bulletin
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0057
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0087
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0091 (to CVE-2016-0096)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0098 (to CVE-2016-0114)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0116 (to CVE-2016-0118)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0120
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0121
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0123 (to CVE-2016-0125)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0132 (to CVE-2016-0134)



Tag: .NET Framework , Edge , Internet Explorer , SharePoint , Windows Server , Windows , Microsoft , Microsoft Office
Tags