Today’s VERT Alert addresses 12 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-703 on Wednesday, December 14th.
Ease of Use (published exploits) to Risk Table
|
Automated Exploit
|
|||||||
|
Easy
|
|||||||
|
Moderate
|
|||||||
|
Difficult
|
|||||||
|
Extremely Difficult
|
|
|
MS16-144 MS16-145 |
|
|
|
|
|
No Known Exploit
|
MS16-152MS16-153MS16-155 |
|
MS16-146 MS16-147 MS16-148 MS16-149 MS16-154 |
|
|
MS16-150 MS16-151 |
|
|
Exposure
|
Local Availability
|
Local Access
|
Remote Availability
|
Remote Access
|
Local Privileged
|
Remote Privileged
|
| MS16-144 | Cumulative Security Update for Internet Explorer | KB3204059 |
| MS16-145 | Cumulative Security Update for Microsoft Edge | KB3204062 |
| MS16-146 | Security Update for Microsoft Graphics Component | KB3204066 |
| MS16-147 | Security Update for Microsoft Uniscribe | KB3204063 |
| MS16-148 | Security Update for Microsoft Office | KB3204068 |
| MS16-149 | Security Update for Microsoft Windows | KB3205655 |
| MS16-150 | Security Update for Secure Kernel Mode | KB3205642 |
| MS16-151 | Security Update for Windows Kernel-Mode Drivers | KB3205651 |
| MS16-152 | Security Update for Windows Kernel | KB3199709 |
| MS16-153 | Security Update for Common Log File System Driver | KB3207328 |
| MS16-154 | Security Update for Adobe Flash Player | KB3209498 |
| MS16-155 | Security Update for .NET Framework | KB3205640 |
MS16-144
The final Patch Tuesday of 2016 starts with the ever-present Internet Explorer update. There are two interesting notes regarding today’s update. The first is that we have more than one patch. This is very rare for the IE updates and only evident due to the lack of servicing model changes on Windows Vista / Server 2008. The second update is for the Microsoft Windows Hyperlink Object Library. Secondly, CVE-2016-7281, which has been publicly disclosed, is fixed in this update. It resolves a Same Origin Bypass that exists when scripts are executed inside Web Workers, background JavaScript scripts.
- CVE-2016-7282 was publicly disclosed.
- CVE-2016-7281 was publicly disclosed.
- CVE-2016-7202 was publicly disclosed.
MS16-145
The companion to MS16-144 is MS16-145, the monthly Microsoft Edge update. As is always the case, there are multiple overlapping CVEs between MS16-144 and MS16-145, which you can easily identify by looking for the phrase ‘Microsoft Browser’ rather than product-specific naming.
- CVE-2016-7206 was publicly disclosed.
- CVE-2016-7282 was publicly disclosed.
- CVE-2016-7281 was publicly disclosed.
MS16-146
Up next, we have two code execution vulnerabilities in the Windows Graphic component and an information disclosure in GDI. In addition to the vulnerability fixes, this update provides defense-in-depth changes that are not fully documented in the bulletin.
MS16-147
The fourth bulletin this month resolves a single vulnerability in Microsoft Uniscribe. Uniscribe is a set of APIs for the implementation of fine typography and complex script operations like bidirectional text rendering and contextual character shaping.
MS16-148
The monthly Microsoft office update contains the usual mix of desktop Office products and Office Web Apps. Keep in mind that Word Viewer is included in this update, a product that is commonly overlooked in the update process. Note that the GDI ASLR bypass (CVE-2016-7257) from MS16-146 is also patched in MS16-148.
MS16-149
Next on the list, we have a pair of vulnerabilities in Windows itself – an information disclosure vulnerability in the Crypto Driver and an elevation of privilege in the Windows Installer.
MS16-150
MS16-150 resolves a vulnerability that affects only Windows 10 and Server 2016 in Windows Secure Kernel Mode. Given the limited set of operating systems in this bulletin, the Microsoft note regarding Server 2016 becomes more evident – Microsoft notes that while updates are also available for Server 2016 Technical Preview 5, users should upgrade to the Server 2016 release version.
MS16-151
We’ve come to expect that an update for Windows Kernel-Mode Drivers is the standard on Patch Tuesday, It’s interesting though that this bulletin contains so few vulnerabilities compared to past bulletins. The past few bulletins for KMD have resolved more than 5 vulnerabilities apiece while this one contains only two fixes.
MS16-152
MS16-152 is a single kernel memory information disclosure vulnerability that occurs when the Windows kernel fails to properly handle some page fault system calls.
MS16-153
A single vulnerability in the Windows Common Log File System Driver has been reported and fixed with MS16-153. This is the second time we’ve seen the CLFS driver in a bulletin recently, with credit for this month’s vulnerability going to the same individual responsible for November’s bundle of CLFS driver vulnerabilities.
MS16-154
The penultimate this month (and maybe for the year) is the December Adobe Flash Player update, APSB16-39. This update resolves 17 vulnerabilities.
MS16-155
The final update of the month (and, perhaps, the year) is an information disclosure vulnerability in the .NET Framework, specifically in the Data Provider for SQL Server, which could allow access data protected by Always Encrypted technology. Always Encrypted is client-side technology that ensures data is never revealed to the SQL Server.
- CVE-2016-7270 was publicly disclosed.
Additional Details
As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
