Microsoft Patch Tuesday Summary for May 2016

Published: 2016-05-10
Last Updated: 2016-05-10 17:21:23 UTC
by Alex Stanford (Version: 1)
5 comment(s)

https://isc.sans.edu/mspatchdays.html?viewday=2016-05-10

-- 
Alex Stanford - GIAC GWEB & GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford


Comments

Does anyone have details for the known exploits against MS16-053? The same two CVEs are listed for the cumulative IE update (MS16-051). But, the patch is rated as having no known exploits. Is there an error? (Greatly appreciate all of the help this site provides, btw.)

Hi,

on the Microsoft Security Bulletin Summary for May 2016, CVE 2016-0189 (from MS16-051) is listed with "0 - Exploitation Detected".
Maybe a typo on the ISC page?

KH

[quote=comment#37049]Does anyone have details for the known exploits against MS16-053? The same two CVEs are listed for the cumulative IE update (MS16-051). But, the patch is rated as having no known exploits. Is there an error? (Greatly appreciate all of the help this site provides, btw.)[/quote]
The exploit for MS16-053 is not publicly disclosed. The exploited CVE in MS16-053 is CVE-2016-0189. The fact that the same CVEs are seen in both MS16-051 and MS16-053 is not a typo.

[quote=comment#37055]Hi,

on the Microsoft Security Bulletin Summary for May 2016, CVE 2016-0189 (from MS16-051) is listed with "0 - Exploitation Detected".
Maybe a typo on the ISC page?

KH[/quote]

CVE-2016-0189 is a "0 - Exploitation Detected" for MS16-053, not MS16-051. A bit confusing I know, but it is not a typo.

[quote=comment#37057]

CVE-2016-0189 is a "0 - Exploitation Detected" for MS16-053, not MS16-051. A bit confusing I know, but it is not a typo.[/quote]

I guess the note of NO for exploits detected on MS16-051 is what is confusing me. Shouldn't that be YES?

Alternatively, have there only been reported exploits of the JScript and VBScript vulns on Vista/Server2008 and that's why the note for exploits on MS16-051 says No?

Isn't there something fishy with MS16-64 (Flash Player)?

Adobe released an advisory APSA16-02 https://helpx.adobe.com/security/products/flash-player/apsa16-02.html with no patch available at this time of writing (associated APSB coming up next on May 12th)

But Microsoft released updates for Flash.

April https://support.microsoft.com/en-us/kb/3154132 --> Flash 21.0.0.213
May https://support.microsoft.com/en-us/kb/3157993 --> Flash 21.0.0.241

The latter is not referenced by Adobe though http://www.adobe.com/software/flash/about/

So obviously MS updated their code prior to Adobe themselves.
