Microsoft patches much-hyped Badlock bug

Microsoft's latest round of Patch Tuesday updates includes a patch for the hyped 'Badlock' vulnerability, although the information security community remains divided on how much of a threat the bug actually poses.

The  April Patch Tuesday update contained 13 entries, with six rated critical and another seven, including the BadLock bug, rated important.

The bulletins, which address 31 specific vulnerabilities, all deal with problems that could result in remote code execution, elevation of privilege, denial of service or a security feature bypass if left unpatched.

The critical-rated bulletins are MS16-037, MS16-038, MS16-039, MS16-040, MS16-042 and MS16-050 with each potentially allowing remote code execution.

While the BadLock bug grabbed many of the headlines on this Patch Tuesday, most industry insiders did not see it as Microsoft's most pressing problem.

“Although the bug on everyone's mind going into patch Tuesday has been BadLock, this should probably not be at the top of any patch priority index by a long shot.

"The top priority for Windows administrators should be to protect against vulnerabilities that can be exploited through web sites or documents. This means that IE/Edge, office, and graphics components should demand top attention especially since they all address flaws rated as more likely to be exploited," Tripwire researcher Craig Young said.

Qualys CTO Wolfgang Kandek noted that this batch of patches fixes two zero-day threats, included in bulletin MS16-039.

“The two 0-days are contained with the Windows portion and both allow for the escalation of privilege from a normal user to administrator. In real life they will be paired with an exploit for a vulnerability that gets the attacker on the machine such as the Flash Player flaw from APSB16-10 that Microsoft addresses in MS16-050,” Kandek said.

MS16-042 also drew Kandek's attention. This bulletins address four issues in Office and, in addition to applying the patches, he suggested administrators ban RTF emails from Outlook.

Lane Thomas, of Tripwire's Vulnerability and Exposure Research Team, called out bulletin MS16-049, rated important, as one system administrators should closely examine.

“What makes this bulletin interesting is that it addresses a vulnerability found within the HTTP 2.0 protocol stack. HTTP 2.0 is a very new protocol and I have personally been waiting to see new vulnerabilities in its implementation,” Thomas said.

The final patch that garnered industry attention was MS16-050 which addressed vulnerabilities in Flash Player. Adobe also issued a patch.

The makers of the open source Samba filesharing and directory server for Windows clients running on Unix and Linux have also issued a patch for Badlock.

The patch is for Samba versions 4.4.2, 4.3.8 and 4.2.11 and was created after several months of work by engineers at Microsoft and Samba, according to a statement posted on Badlock.org. 

Badlock (CVE-2016-2118) is a flaw in active directory authentication and domain security protocols. Attackers with a man-in-the-middle position on a network could exploit the vulnerability to get read and write access to the Security Account Manager (SAM) database, and discover user passwords and other sensitive information.

This article originally appeared at scmagazineus.com