Today’s VERT Alert addresses 12 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-648 on Wednesday, December 9th.
Ease of Use (published exploits) to Risk Table
Automated Exploit: (none)
Easy: (none)
Moderate: (none)
Difficult: MS15-131 | MS15-135
Extremely Difficult: MS15-124
No Known Exploit: MS15-125 MS15-126 MS15-128 MS15-129 MS15-130 MS15-132 MS15-134 | MS15-133 | MS15-127
Exposure: Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged
MS15-124 | Cumulative Security Update for Internet Explorer | KB3116180
MS15-125 | Cumulative Security Update for Microsoft Edge | KB3116184
MS15-126 | Cumulative Security Update for JScript and VBScript to Address Remote Code Execution | KB3116178
MS15-127 | Security Update for Microsoft Windows DNS to Address Remote Code Execution | KB3100465
MS15-128 | Security Update for Microsoft Graphics Component to Address Remote Code Execution | KB3104503
MS15-129 | Security Update for Silverlight to Address Remote Code Execution | KB3106614
MS15-130 | Security Update for Microsoft Uniscribe to Address Remote Code Execution | KB3108670
MS15-131 | Security Update for Microsoft Office to Address Remote Code Execution | KB3116111
MS15-132 | Security Update for Microsoft Windows to Address Remote Code Execution | KB3116162
MS15-133 | Security Update for Windows PGM to Address Elevation of Privilege | KB3116130
MS15-134 | Security Update for Windows Media Center to Address Remote Code Execution | KB3108669
MS15-135 | Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege | KB3119075
MS15-124
This month, like almost every other, starts off with an Internet Explorer update. This is probably a great time to remind everyone that support for older versions of Internet Explorer ends on January 12, 2016. That means that this is the second-to-last time you’ll get updates if you haven’t upgraded to the latest Internet Explorer offering for your operating system. One interesting note is that you’ll see quite a bit of overlap between the CVEs in MS15-124, MS15-125, and MS15-126. Just because a CVE is fixed in multiple places doesn’t mean that any single patch will resolve the vulnerability; you need to make sure that you get the correct combination of patches for your environment. For example, if you’re a Windows 10 user and you see the phrase ‘Microsoft Browser’ instead of ‘Internet Explorer’ or ‘Microsoft Edge,’ then you have multiple affected products on your system.
MS15-125
Much of what was written for MS15-124 could be reiterated here. The most important point to note is that Edge does have its own unique vulnerabilities that should be patched.
MS15-126
JScript and VBScript have been patched frequently this year but in case you aren’t familiar with the drill just yet, keep in mind that users of Internet Explorer 7 need to install MS15-126, while users of IE 8 and later need to install MS15-124. The exception is Windows Server 2008 R2 users running Server Core; they also need to install MS15-126.
MS15-127
MS15-127 will be at the top of my patching list today. This is a true remote code execution vulnerability, one of those issues that has the possibility of being whispered in dark corners alongside the term ‘wormable’. In this case, a remote attacker could send a malicious request to a DNS server, causing code execution to occur. If you have any Microsoft DNS Servers, especially if they’re publicly available, you may want to place this vulnerability at the top of your list.
MS15-128
This is one of those bulletins where it’s almost easier to list products that aren’t included. Microsoft Windows, .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync, and Silverlight are all included in this bulletin. These bulletins are always a mess to sort out, and enterprises without centrally managed patch deployment may find themselves struggling to ensure all patches are applied properly.
MS15-129
Even though we listed Silverlight in MS15-128, it’s got its own bulletin as well, MS15-129. It’s important to note that the update is the same for MS15-128 and MS15-129, so there’s only one update to install; the bulletin is split to properly account for the various vulnerabilities patched.
MS15-130
Up next, we have a vulnerability in Microsoft Uniscribe, a set of APIs related to typography in Microsoft Windows. Since we’re dealing with a vulnerability in font parsing, there are a number of attack vectors including embedded web fonts and Microsoft Office documents.
MS15-131
It’s rare to find a month without a Microsoft Office update, so it’s only natural that we should come across MS15-131. What is interesting, given the recent trend, is that SharePoint is not among the products updated. This should come as a welcome relief to SharePoint Administrators after several SharePoint updates in recent months.
MS15-132
Here we have a number of library loading vulnerabilities that affect all versions of Windows. While Microsoft states that a successful attack will lead to complete control of an affected system, they also state that running with reduced user rights will reduce the impact, meaning that full system access is not guaranteed on systems with proper user privileges.
MS15-133
A race condition exists in the Windows Pragmatic General Multicast (PGM) protocol that could allow an attacker to escalate their privileges on a system. Most systems will not be vulnerable to this by default, as they will need MSMQ installed to introduce the vulnerability.
MS15-134
The penultimate update this month (and possibly the year) resolves a pair of vulnerabilities in Windows Media Center. This bulletin serves as a good reminder to disable any unused / unneeded protocol handlers (in this case, the mcl handler).
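Three of the bulletins above only matter where a specific component is present: the DNS Server service (MS15-127), MSMQ (MS15-133) and the mcl protocol handler (MS15-134). The following PowerShell check is an added example, not part of the original alert; the service names `DNS` and `MSMQ` and the `HKEY_CLASSES_ROOT\mcl` key are assumptions about how those components appear on a host, so verify them against your own builds.

```powershell
# Added example: per-host exposure triage for MS15-127, MS15-133 and MS15-134.
# Assumptions: the DNS Server role runs as service 'DNS', Message Queuing as
# service 'MSMQ', and the mcl handler is registered at HKEY_CLASSES_ROOT\mcl.

function Test-ServicePresent {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'not installed' }
    return "installed ($($svc.Status))"
}

function Get-UrlProtocolHandler {
    # A URL protocol handler is an HKCR subkey that carries a 'URL Protocol'
    # value; the program it launches is the default value of shell\open\command.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.GetValue('URL Protocol') } |
        ForEach-Object {
            $sub = $_.OpenSubKey('shell\open\command')
            $cmd = if ($sub) { $sub.GetValue('') } else { $null }
            [pscustomobject]@{ Scheme = $_.PSChildName; Command = $cmd }
        }
}

$handlers = @(Get-UrlProtocolHandler)
$mcl      = $handlers | Where-Object { $_.Scheme -eq 'mcl' }

$report = [ordered]@{
    'MS15-127 DNS Server service' = Test-ServicePresent -Name 'DNS'
    'MS15-133 MSMQ service'       = Test-ServicePresent -Name 'MSMQ'
    'MS15-134 mcl handler'        = if ($mcl) { "registered: $($mcl.Command)" }
                                    else      { 'not registered' }
}

# Component presence per bulletin: use it to order patching on this host.
$report.GetEnumerator() | Format-Table -Property Name, Value -AutoSize

# Full handler inventory, for reviewing which other handlers are unused.
$handlers | Sort-Object -Property Scheme | Format-Table -AutoSize
```

A component reported as present says the host is in scope for that bulletin, not that it is unpatched; patch state still has to come from your patch management tooling.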
MS15-135
The final update this month addresses several elevation of privilege vulnerabilities in the Windows Kernel-Mode Drivers. This is a staple update lately and it was a surprise to see it at the end of the bulletin list this month.
Additional Details
Adobe has released APSB15-32 to address multiple vulnerabilities in Adobe Flash Player. As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.