Microsoft Patch Tuesday Tackles Tame Badlock Flaw

Much hyped “critical” Badlock flaw tamer than first thought, and only warrants “important” label

Microsoft’s Patch Tuesday security update for April has arrived and delivered the promised fix for the “critical” Badlock vulnerability.

The flaw was revealed by Samba developers late last month and it affects all Windows and Samba.

Big Bad Badlock?

Indeed, so serious was the flaw that the engineers took the unusual step of giving it its own website complete with a logo, in order to attract as much attention to the issue as possible.

Samba, in case you were wondering, is an open source implementation of the SMB/CIFS networking protocol used by Windows for providing shared access to files, printers, and serial ports and for communications between nodes on a network, and is built into many Unix and Linux systems.

Microsoft released a total of 13 bulletins for April Patch Tuesday; six of which are rated critical. In the end, Microsoft decided that the Badlock bulletin (MS16-047) was not as serious as first thought, and rated it only as “important”. It patches a Windows flaw that could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack.

microsoft-patchSystem admins would be better advised to focus on the more critical updates it seems. Wolfgang Kandek, CTO, Qualys, pointed out in a blog posting that the out-of-band Adobe patch for Flash should gain attention, but that “Badlock seems to be tamer than expected.”

Kandek pointed out that Bulletin MS16-039 contains fixes for a graphics component with Windows and applies to all version starting with Vista to Windows 10 and Server 2008 to 2102R2. It also affects older Office versions 2007 and 2010, plus .NET, Skype and Lync.

Internet Explorer has been patched (MS16-037) as the most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. The Edge browser has also had some attention (MS16-038), again to stop remote code execution.

“Microsoft Internet Explorer and Edge are patched in critical bulletins MS16-037 and MS16-038 respectively,” wrote Kandek. “Both have six vulnerabilities (this is a first that Edge has the same number as IE) and Edge actually has more serious problems than IE (also a first). None of the vulnerabilities are under attack currently.”

MS16-040 addresses a serious flaw with Microsoft XML Core Services.

“Next on our list is MS16-042, which addresses four flaws in Microsoft Office,” blogged Kandek. “Microsoft rates this bulletin as critical which is only happens when the vulnerability can be attacked directly without user interaction.” He suggest that businesses should consider banning RTF emails.

Cycle Change

There were also a number of non-critical vulnerabilities for system admins to consider this month.

Meanwhile Todd Schell, Product Manager at HEAT Software pointed out that Microsoft has finally executed on a change to its update cycle last week.

“Starting this month, the software maker will roll out non-security updates via Windows Update or WSUS on the first Tuesday of each month, while the security updates will remain the second Tuesday of each month, or Patch Tuesday, as normal,” wrote Schell.

“Whether this is good news for you and your team or not depends on your patching cycle but the overall intent was to make things a bit easier,” he added.

What do you know about privacy? Try our quiz!