Yesterday’s Patch Tuesday release fixes critical flaws affecting every version of Windows. This month’s bumper release of security patches has one bulletin that affects every supported version of Windows.
Craig Young, security researcher at Tripwire explains that the March bulletin should generally be straightforward to patch. Additionally, I have pasted some research into enterprise patch management from Tripwire which discloses that 50% of IT professionals are struggling to keep up with client-side patches.
[su_note note_color=”#ffffcc” text_color=”#00000″]Craig Young, Cybersecurity Researcher at Tripwire :
“System administrators will be relieved that the March bulletin should be generally straightforward as it does not contain patches for any of the typically complex environments such as Exchange and Share Point. While it is still imperative that users deploy the patches as soon as possible, it is nice to see that none of the issues fixed this month were publicly disclosed or exploited ahead of the patch drop.
The most interesting patch this month would have to be MS16-033 which addresses a memory corruption bug within the Windows USB Mass Storage Class driver. What is interesting about this one is that the malicious USB device could be used to exploit even locked workstations where an attacker has temporary physical access. In contrast, the LNK vulnerability exploited by Stuxnet and patched in MS10-046 would require that a victim browse to a malicious folder to trigger code execution. Another big difference is that since MS16-033 is a driver vulnerability, it gives the attacker a direct path to code execution within the kernel as opposed to in the context of a logged-in user.
Additionally, the OpenType Font parsing vulnerabilities noted in MS16-026 provides an example of how enhanced security measures within Windows 10 are making a difference. Although all of the affected operating systems are prone to denial of service or code execution as a result of CVE-2016-0120 and CVE-2016-0121 respectively, Microsoft notes that the impact is not actually the same for Windows 10 systems compared with the older OS versions. In the case of the DoS attack, the Windows 10 architecture manages to limit the attack to a single affected application rather than the entire system. In the case of the code execution bug, an attacker might be able to take complete control over the system as opposed to under Windows 10 where code execution happens within an AppContainer sandbox process having limited privileges. This is a strong indication that Microsoft is extending its use of the usermode sandboxing technology introduced with Windows 8. AppContainer sandboxing is implemented within the kernel and can restrict access to things like local drives, registry keys, network sockets, and system calls.”[/su_note]
[su_box title=”About Tripwire” style=”noise” box_color=”#336588″]Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business-context and enable security automation through enterprise integration. Tripwire’s portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence.[/su_box]