Microsoft released a hefty load of security bulletins today, which included a patch for a JScript and VBScript scripting engine vulnerability being publicly exploited.
The flaw is addressed in its own bulletin, MS16-053, but users need to pay attention to, and apply MS16-051 as well since the attack vector is through Internet Explorer.
MS16-051 addresses the issue in IE 9, 10 and 11; MS16-053 patches the flaw in IE 7 and earlier supported versions of the browser.
The flaw, CVE-2016-0189, is one of two memory corruption vulnerabilities in the scripting engines. Both enable arbitrary code execution if a victim, via IE, lands on an attacker’s site hosting the exploit; CVE-2016-0187 is the other flaw in the scripting engines patched today. Microsoft said the flaws exist because of how JScript and VBScript handle objects in memory in IE. VBScript 5.7 is vulnerable on Windows Vista, Windows Server 2008 and the Server Core installation option, while JScript 5.8 and VBScript 5.8 are vulnerable on Windows Server 2008 R2 for x64 Systems Service Pack 1 are vulnerable on the Server Core installation only.
Microsoft said that restricting access to VBScript.dll and JScript.dll would be effective and temporary workarounds.
The IE bulletin, meanwhile, patches three other vulnerabilities, including a bypass of Device Guard. The User Mode Code Integrity component improperly validates code integrity, Microsoft said, allowing an attacker to execute unsigned code that should be blocked.
There’s also a fix for a separate memory corruption issue in the browser allowing for arbitrary code execution, and an information disclosure flaw caused by the way IE handles file access permissions. An attacker could exploit this flaw too disclose the contents of files stored on the compromised machine.
In all, Microsoft pushed out 17 bulletins today, eight of those it rated critical, including a bulletin covering vulnerabilities in Flash Player, MS16-064, patching two dozen remote code execution flaws.
Another bulletin worth watching is MS16-054, which includes patches for four remote code execution flaws in Microsoft Office. In addition to Office, Microsoft cautioned that versions of Word going back to Office 2007 are vulnerable to CVE-2016-0198, one of three memory corruption flaws addressed in this bulletin. Users would have to be enticed to open a malicious Word document to exploit this flaw, Microsoft said. The remaining vulnerability is in Office Graphics, specifically in the way the Windows font library handles specially crafted embedded fonts. An attacker could exploit this over the web, or share the file with a user via email or IM, for example.
Microsoft also patched a critical remote code execution flaw in Windows Journal in MS16-056. An attacker could craft a malicious Journal file and trick the user into opening it in Windows Journal. The flaw affects every supported version of Windows.
MS16-055, meanwhile, patches five flaws in Microsoft Graphics Component, including three remote code execution flaws in Windows Imaging Component, Direct3D and Windows GDI component. The bulletin also includes two patches for information disclosure bugs in Windows GDI.
The final critical bulletin, MS16-057, patches one remote code execution bug in Windows Shell.
The remaining bulletins were rated important by Microsoft:
- MS16-058 patches one remote code execution vulnerability in Windows IIS; the bug is rated important because an attacker would need local access to exploit the issue.
- MS16-059 patches a remote code execution flaw in Windows Media Center that could be exploited via a malicious .mcl link.
- MS16-060 patches a vulnerability in Windows kernel that could be exploited by an attacker with local access installing a crafted, malicious application.
- MS16-061 patches a elevation of privilege flaw in Windows RPC if an attacker makes a malformed RPC request to the host machine.
- MS16-062 patches multiple vulnerabilities in Windows Kernel-Mode drivers, including a privilege escalation issue for an attacker with local access.
- MS16-065 patches an information disclosure flaw in the .NET Framework. An attacker would need to inject an attack into the target secure channel and then carry out a man-in-the-middle attack, Microsoft said.
- MS16-066 patches a Windows Virtual Secure Mode bypass vulnerability.
- MS16-067 patches a Windows Volume Manager Driver information disclosure flaw that can be exploited if a USB mounted over RDP via RemoteFX is not correctly configured to the user’s session.