Today’s VERT Alert addresses 12 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-643 on Wednesday, November 11th.

Ease of Use (published exploits) to Risk Table

| Ease of Use | Bulletins |
|---|---|
| Automated Exploit | |
| Easy | |
| Moderate | |
| Difficult | MS15-121 |
| Extremely Difficult | MS15-120 |
| No Known Exploit | MS15-112, MS15-113, MS15-114, MS15-115, MS15-116, MS15-118, MS15-122, MS15-123; MS15-117, MS15-119 |

Exposure (table columns): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

| Bulletin | Vulnerability | CVE |
|---|---|---|
| MS15-112 | Multiple Internet Explorer Memory Corruption Vulnerabilities | MULTIPLE |
| | Scripting Engine Memory Corruption Vulnerability | CVE-2015-6089 |
| | Internet Explorer Information Disclosure Vulnerability | CVE-2015-6086 |
| | Microsoft Browser ASLR Bypass | CVE-2015-6088 |
| MS15-113 | Multiple Microsoft Edge Memory Corruption Vulnerabilities | MULTIPLE |
| | Microsoft Browser ASLR Bypass | CVE-2015-6088 |
| MS15-114 | Windows Journal Heap Overflow Vulnerability | CVE-2015-6097 |
| MS15-115 | Multiple Windows Kernel Memory Elevation of Privilege Vulnerabilities | MULTIPLE |
| | Multiple Windows Kernel Memory Information Disclosure Vulnerabilities | MULTIPLE |
| | Multiple Windows Graphics Memory Remote Code Execution Vulnerabilities | MULTIPLE |
| | Windows Kernel Security Feature Bypass Vulnerability | CVE-2015-6113 |
| MS15-116 | Multiple Microsoft Office Memory Corruption Vulnerabilities | MULTIPLE |
| | Microsoft Office Elevation of Privilege Vulnerability | CVE-2015-2503 |
| | Microsoft Outlook for Mac Spoofing Vulnerability | CVE-2015-6123 |
| MS15-117 | Windows NDIS Elevation of Privilege Vulnerability | CVE-2015-6098 |
| MS15-118 | .NET Information Disclosure Vulnerability | CVE-2015-6096 |
| | .NET Elevation of Privilege Vulnerability | CVE-2015-6099 |
| | .NET ASLR Bypass | CVE-2015-6115 |
| MS15-119 | Winsock Elevation of Privilege Vulnerability | CVE-2015-2478 |
| MS15-120 | Windows IPSec Denial of Service Vulnerability | CVE-2015-6111 |
| MS15-121 | Schannel TLS Triple Handshake Vulnerability | CVE-2015-6112 |
| MS15-122 | Windows Kerberos Security Feature Bypass | CVE-2015-6095 |
| MS15-123 | Server Input Validation Information Disclosure Vulnerability | CVE-2015-6061 |

MS15-112
Like almost every month, this month starts off with an Internet Explorer patch. One interesting detail in the naming this month is the distinction between vulnerabilities labeled ‘Internet Explorer Memory Corruption Vulnerability’ and those labeled ‘Microsoft Browser Memory Corruption Vulnerability’. This small distinction is an easy way to tell if a vulnerability applies just to IE (MS15-112) or also to Edge (MS15-113).
MS15-113
The Edge update this month is relatively small, containing just 4 CVEs, all of which are also included in MS15-112 and distinguished by the use of ‘Microsoft Browser’ in the name to show that both browsers are affected.
MS15-114
Once again, a vulnerability in Windows Journal is patched and once again we issue the same reminder. If you aren’t a regular user of Windows Journal, apply the Microsoft mitigations, which include removing the .jnt file association, uninstalling Journal, or denying access to the executable. Given the frequency of Journal updates recently, this small amount of effort could greatly improve your security hygiene.
MS15-115
Windows Kernel issues are as common as IE updates at this point and the Adobe Type Manager Library is, once again, one of the culprits. Along with the browser updates, this should be at the top of your list.
MS15-116
Up next, we have the Office bulletin. Office, however, is not the most interesting aspect of this bulletin. This bulletin also includes updates to Skype for Business and Lync. These same platforms are also addressed in MS15-123. Note that where the product versions overlap, so do the updates; in those situations the duplicated update does not need to be installed twice.
MS15-117
An elevation of privilege in NDIS is next on the list. This is the first time in quite a while that we’ve seen a vulnerability affecting NDIS, which may mean that it’s been overlooked and that researchers may look for other issues in the Network Driver Interface Specification in the near future.
MS15-118
MS15-118 resolves three vulnerabilities in .NET, including a cross-site scripting vulnerability in ASP.NET and an ASLR bypass in the .NET Framework. The final vulnerability is a local file include vulnerability in the document type definition when parsing XML files.
MS15-119
Yet another privilege escalation vulnerability is resolved by MS15-119. This one affects Winsock.
MS15-120
Up next, we have a publicly disclosed IPSec Denial of Service vulnerability. A flaw in the service’s handling of encryption negotiation allows an attacker with valid credentials to connect to the listening service and render the server unresponsive.
MS15-121
Another publicly disclosed vulnerability is resolved by MS15-121. This one affects Schannel and other TLS implementations. The fix involves the implementation of RFC 7627. To find out additional details, please read this blog post on The State of Security.
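The RFC 7627 change referenced above, as an added example (not code from VERT, Microsoft or Schannel): it derives the TLS 1.2 master secret the legacy way and the extended way, and shows that only the extended form changes when the handshake transcript changes. The premaster secret, randoms and transcript bytes are constructed stand-ins, not real TLS encodings, and SHA-256 is assumed as the PRF hash.

```python
import hashlib
import hmac
from typing import NamedTuple


class Session(NamedTuple):
    pms: bytes            # premaster secret
    client_random: bytes
    server_random: bytes
    transcript: bytes     # handshake messages, ClientHello..ClientKeyExchange


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_hash expansion (RFC 5246, section 5) using HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()        # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def legacy_master_secret(s: Session) -> bytes:
    """Pre-RFC 7627: depends only on the premaster secret and both randoms."""
    seed = b"master secret" + s.client_random + s.server_random
    return p_sha256(s.pms, seed, 48)


def extended_master_secret(s: Session) -> bytes:
    """RFC 7627: seed is session_hash, a hash over the handshake messages."""
    session_hash = hashlib.sha256(s.transcript).digest()
    return p_sha256(s.pms, b"extended master secret" + session_hash, 48)


def compare_sessions():
    """Constructed sessions: same secret and randoms, different certificates."""
    pms = bytes(range(48))                        # constructed value
    c_rand, s_rand = b"\x11" * 32, b"\x22" * 32   # constructed values
    a = Session(pms, c_rand, s_rand, c_rand + s_rand + b"cert-of-server-A")
    b = Session(pms, c_rand, s_rand, c_rand + s_rand + b"cert-of-server-B")
    legacy_equal = legacy_master_secret(a) == legacy_master_secret(b)
    extended_equal = extended_master_secret(a) == extended_master_secret(b)
    return legacy_equal, extended_equal


if __name__ == "__main__":
    legacy_equal, extended_equal = compare_sessions()
    print("legacy master secrets match:  ", legacy_equal)
    print("extended master secrets match:", extended_equal)
```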
MS15-122
The penultimate update this month addresses a shortcoming in Kerberos. This flaw, a fault in the way the software checks a password change, could allow a user to bypass authentication and decrypt BitLocker protected drives.
MS15-123
The final bulletin this month resolves a vulnerability in Lync and Skype for Business. This is the update that shares packages with a portion of MS15-116. The attack is essentially a cross-site scripting attack within the messaging platform, allowing an attacker to browse to webpages, open conversations, and more.
Additional Details
Adobe has released APSB15-28 to address multiple vulnerabilities in Adobe Flash Player. As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.