Patch Tuesday has arrived and we've been treated to an odd array of fixes. The SANS Internet Storm Center lists 13 security bulletins, only one of which, MS 16-039/KB 3148522, has a known exploit. In addition, we discovered the big secret behind the Badlock patch -- you may yawn now -- and found that a surprisingly large percentage of the security problems appear in Windows 10.
First, the actively exploited security hole: You probably won't believe this (at least, I didn't), but the bug is related to the way fonts are handled inside the Windows kernel ... again.
We saw similar problems in Aug 2014's KB 2982791 (that patch was pulled and re-released), February 2015's KB 3013455 (that patch was pulled and re-released), and July 2015's KB 3077657 (that patch was ... you get the idea). No doubt there were other high-priority font-in-the-kernel security patches in the past few years that crashed and burned. Nudge my memory in the comments or on AskWoody.com.
The vulnerability affects all covered versions of Windows, plus .Net, Skype for Business 2016, Lync 2013, and Lync 2010. Microsoft lists 17 additional KB articles that describe the problem for each affected system. My recommendation: Wait and see if KB 3148522 fares as poorly as its predecessors. It's one more reason to avoid Skype, as if you needed another.
Big bad Sad ... er, Badlock, MS 16-047/KB 3148527 arrived with a whimper. The hype was unprecedented, including a fancy "celebrity" name and dedicated website. Many people honestly believed that the Internet would come to a screeching halt shortly after details of the bug were released.
You're here now, so I guess that didn't happen.
Here's the part that concerns me the most: Windows 10 took a belly hit. While Win7 came in for three critical patches and one important patch, and Windows 8.1 was involved in three critical and three important patches, Win10 brought home the prize with four critical and four important patches.
Microsoft has released its latest changelog for Windows 10 (yessss!), and it describes "quality improvements and security fixes. No new operating system features are being introduced in this update." The list includes many innocuous fixes, but the meat comes in the summary of KB 3147458. That summary says the cumulative update "resolves the following vulnerabilities in Windows:
- 3148531 MS16-037: Cumulative Security Update for Internet Explorer
- 3148532 MS16-038: Cumulative Security Update for Microsoft Edge: May 10, 2016
- 3148522 MS16-039: Security Update for Microsoft Graphics Component to Address Remote Code Execution
- 3148541 MS16-040: Security Update for Microsoft XML Core Service to Address Remote Code Execution
- 3148789 MS16-041: Security update for the .NET Framework to address remote code execution: April 12, 2016
- 3148538 MS16-046: Security Update for Secondary Logon to Address Elevation of Privilege
- 3148527 MS16-047: Security Update for Security Account Manager Remote Protocol to Address Elevation of Privilege
- 3148528 MS16-048: Security Update for CSRSS to Address Remote Code Execution
- 3148795 MS16-049: Security Update for Internet Information Services (IIS) to Address Denial of Service
After you've installed the update, Windows 10 will show it's at cumulative update 11, build 1511 OS version 10586.218. Or, as I like to call it, Windows 10.1.11.
As promised, Office only had security patches this Tuesday; the nonsecurity patches came out last Tuesday. On the official list, I count 33 security patches today, covering Office 2016, 2013, 2010, 2007, 2003, SharePoint, OneDrive, Office for Mac, and various Office servers.
Initial reports on the attempts to block the Win10 update using Microsoft tools and crowdsourced testing are positive, except for one poor soul (me) who took the final steps in the wrong order and wound up with the cumulative update installed automatically. Details tomorrow.