Microsoft has just released its security updates for May 2016. And they’re quite major! Two zero-days vulnerabilities have been disclosed, and they’re both crucial – one in Windows, and one in Adobe’s Flash Player. Security experts warn that the Windows flaw (CVE-2016-0189) is likely still being exploited, so installing the update fixing it shouldn’t be postponed for any reason.
According to Symantec, targeted attacks on South Korean websites have been carried out thanks to this vulnerability. As a total, the security bulletins are 16, 8 of which are rated “critical”. Another update concerning Flash Player will be released in a couple of days or so.
Overview of Microsoft Security Bulletin for May 2016
As already mentioned, 8 of the bulletins are critical, and the rest are important. There is an update for Internet Explorer and another one for Microsoft Edge, that patch issues associated with remote code execution. The other 6 critical patches address issues in Windows and Microsoft Office.
Here are the critical bulletins
MS16-051 Cumulative Security Update for Internet Explorer (3155533)
MS16-052 Cumulative Security Update for Microsoft Edge (3155538)
MS16-053 Cumulative Security Update for JScript and VBScript (3156764)
MS16-054 Security Update for Microsoft Office (3155544)
MS16-055 Security Update for Microsoft Graphics Component (3156754)
MS16-056 Security Update for Windows Journal (3156761)
MS16-057 Security Update for Windows Shell (3156987)
MS16-064 Security Update for Adobe Flash Player (3157993)
Considering their critical nature, it’s highly recommended Windows users install the bulletins immediately and restart their systems to apply them. Not installing them on time gives an opportunity to attackers to exploit them and perform various malicious activities on the system.
What about the bulletins rated “important”?
MS16-058 Security Update for Windows IIS (3141083)
MS16-059 Security Update for Windows Media Center (3150220)
MS16-060 Security Update for Windows Kernel (3154846)
MS16-061 Security Update for Microsoft RPC (3155520)
MS16-062 Security Update for Windows Kernel-Mode Drivers (3158222)
MS16-065 Security Update for .NET Framework (3156757)
MS16-066 Security Update for Virtual Secure Mode (3155451)
MS16-067 Security Update for Volume Manager Driver (3155784)
The important bulletins address the following issues: remote code execution, elevation of privilege, security feature bypass, and information disclosure. To learn more about the nature of the exploits in Windows, refer to the following article:
The Windows User Security Bible
More about CVE-2016-0189
This is definitely the most severe of all vulnerabilities fixed in May 2016’s security bulletin. In fact, the flaw is addressed in two bulletins: MS16-051 (3155533) and MS16-053 (3156764). Those are the fixes for Internet Explorer and the ones for Jscript and VBScript. CVE-2016-0189 still doesn’t have an official description published on MITRE’s website, and is currently “reserved”.
However, researchers at TrendMicro point out that the flaw is a memory corruption one that could allow remote code execution, as also visible by Microsoft’s descriptions. As for why it’s covered in two separate bulletins – it’s because in specified Windows versions the vulnerable scripting engine is packaged independently from the browser.