Patch Tuesday: Microsoft has posted the April edition of its monthly security update, which kills a bug that allows guests to escape to hosts on Hyper-V.
A malicious app running in a virtual machine can exploit this flaw to drill down to the host server, execute code on the machine, and interfere with the system and other VMs. Which is bad.
This month's patches also splat remote code execution bugs in Office, Internet Explorer, Edge and Skype. In total, Microsoft has posted 13 bulletins addressing 40 CVE-listed security vulnerabilities.
- MS16-045 This one will be a major headache for those who run and host virtual machines on Hyper-V. A flaw in the hypervisor could allow a "guest" instance to access the host system and execute code, in addition to infecting the host system or accessing data from other hosted instances.
- MS16-037 A cumulative update for Internet Explorer that addresses six flaws, including remote code execution vulnerabilities that can be exploited by loading a malicious web page.
- MS16-038 A cumulative update for the Edge browser that, like the IE fix, patches six vulnerabilities, including remote code execution from malicious web pages.
- MS16-039 A patch to address a remote code execution flaw present in Windows, .NET Framework, Office, Skype for Business, and Microsoft Lync. According to Microsoft, the vulnerability "could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts."
- MS16-040 A single flaw in the XML Core Services component in Windows that allows an attacker to take control of a system by convincing the user to click a link "typically by way of an enticement in an email or Instant Messenger message."
- MS16-041 A remote code execution bug in the .NET Framework that allows an attacker who already has access to the local system to install and execute a malicious application.
- MS16-042 Four memory corruption vulnerabilities in Office that allow an attacker to remotely execute code by convincing the user to open a malicious Office file. One of the flaws also affects Office for Mac, meaning Apple users will need to patch their software as well.
- MS16-044 A vulnerability in Windows OLE that allows an attacker to remotely execute code by convincing the target to open "either a specially crafted file or a program from either a webpage or an email message."
- MS16-046 A flaw in the Windows Secondary Logon that allows an attacker to elevate their user privilege level to Administrator.
- MS16-047 A "man in the middle" flaw in the Windows Security Account Manager and Local Security Authority Domain components that allows an attacker with access to network traffic to downgrade security controls and then impersonate the user – aka the Badlock bug.
- MS16-048 A vulnerability in Windows CSRSS that potentially allows an attacker to bypass security credentials and gain administrator access by exploiting a flaw in the way CSRSS handles memory tokens.
- MS16-049 A denial of service vulnerability in Windows that allows an attacker to freeze a targeted machine just by sending a malicious HTTP packet.
- MS16-050 A cumulative update for Flash Player addressing a total of 10 security bugs, including remote code execution flaws.
Additionally, Microsoft has posted a security advisory for an update that closes a vulnerability allowing a USB wireless mouse to input keyboard strokes on Windows machines. ®