This month has proven to be productive for both vulnerability researchers and software companies. Microsoft released 16 bulletins, half of which are critical and the other half important. Adobe also released three bulletins for their Acrobat, Reader and ColdFusion products, as well as an advisory for Flash Player. Additionally, a particularly malicious exploit was found in ImageMagick software.
From a browser standpoint, MS16-051 and MS16-052 are critical and resolve vulnerabilities in Internet Explorer and Edge that allow remote code execution at user-level privileges. MS16-054, 055, and 056 round out the critical bulletins that address Microsoft Office, Journal and Graphics software. These also allow remote code execution through maliciously crafted documents and sites. MS16-064 is a critical bulletin for Adobe Flash Player and allows remote code execution on Windows 8.1 and 10, as well as Server 2012 and 2012 R2. All other Microsoft bulletins were rated important and affect RPC, .NET framework, Windows Kernel, and Media Center. Critical bulletins should be deployed immediately, followed quickly by the important bulletins.
Adobe’s largest bulletin, APSB16-14, addresses 82 vulnerabilities in Acrobat and Reader products, some of which allow for remote control and remote code execution, yet it is only rated priority two. APSB16-16 is a hotfix for ColdFusion input validation errors and host name verification problems. The Adobe Security Advisory for Flash Player, APSA16-02, states that Adobe will patch the vulnerability that exists in the wild (CVE-2016-4117) in its monthly security update, expected May 12.
A notable vulnerability exploited in the wild this week affects ImageMagick software. The vulnerability, named ImageTragick, allows remote code execution after a malicious MVG file is downloaded as a cleverly disguised JPG. Creative hackers were able to effectively exploit the vulnerability with a simple file, and then come back later to inject additional malware. In one instance, they were able to hide a Python program in a victim’s memory instead of on the disk to avoid detection.
If you have users who run ImageMagick, note that the manufacturer released updates to their two most recent versions (7.0.1-1 and 6.9.3-10) last week.
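A pre-processing check for the disguised-file problem described above, as an added example that is not from the original post or from the ImageMagick project. The function names, the keyword list, the JPEG-only policy and the sample bytes are assumptions constructed for illustration.

```python
import re

JPEG_SOI = b"\xff\xd8\xff"  # a JPEG stream starts with SOI followed by a marker byte
# Keywords that open text-based vector scripts such as MVG or SVG.
# Heuristic list chosen for this example (an assumption), not exhaustive.
SCRIPT_HINTS = re.compile(
    rb"^\s*(push\s+graphic-context|viewbox\s|<\?xml|<svg)", re.IGNORECASE
)

def classify_upload(filename: str, data: bytes) -> str:
    """Compare the claimed extension with the file's leading bytes.

    Returns 'ok' for a .jpg/.jpeg file that really starts like a JPEG,
    'script-disguised' when a text vector script hides behind that
    extension, and 'mismatch' for anything else.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ("jpg", "jpeg"):
        return "mismatch"  # this gate only admits JPEG uploads
    if data.startswith(JPEG_SOI):
        return "ok"
    if SCRIPT_HINTS.match(data[:256]):
        return "script-disguised"
    return "mismatch"

def triage(uploads: dict) -> dict:
    """Return {filename: verdict} for every upload that must not be processed."""
    verdicts = {name: classify_upload(name, blob) for name, blob in uploads.items()}
    return {name: v for name, v in verdicts.items() if v != "ok"}

# Constructed sample inputs: header bytes only, no real image or payload.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "avatar.jpg": b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n",
    "logo.jpeg": b"<?xml version=\"1.0\"?><svg></svg>",
    "scan.jpg": b"\x89PNG\r\n\x1a\n",
    "empty.jpg": b"",
}

if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLES).items()):
        print(f"reject {name}: {verdict}")
```

Run a check like this before a file is handed to ImageMagick; it complements installing the updated versions and does not replace them.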
Skybox Vulnerability Center has documentation of all of these bulletins, advisories and the CVEs that they resolve. To learn more about Skybox Threat Manager and Skybox Vulnerability Control and how our solutions can help you analyze and prioritize exposures and fixes, visit our website.