Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-698 on Wednesday, November 9th.
Ease of Use (published exploits) to Risk Table

| Ease of Use / Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |
|---|---|---|---|---|---|---|
| Automated Exploit | | | | | MS16-132, MS16-135 | |
| Easy | | | | | | |
| Moderate | | | | | | |
| Difficult | | | | | | |
| Extremely Difficult | | MS16-129, MS16-142 | | | | |
| No Known Exploit | | MS16-131, MS16-133, MS16-138, MS16-140, MS16-141 | | | MS16-130, MS16-134, MS16-136, MS16-137, MS16-139 | |
| Bulletin | Title | KB |
|---|---|---|
| MS16-129 | Cumulative Security Update for Microsoft Edge | KB3199057 |
| MS16-130 | Security Update for Microsoft Windows | KB3199172 |
| MS16-131 | Security Update for Microsoft Video Control | KB3199151 |
| MS16-132 | Security Update for Microsoft Graphics Component | KB3199120 |
| MS16-133 | Security Update for Microsoft Office | KB3199168 |
| MS16-134 | Security Update for Common Log File System Driver | KB3193706 |
| MS16-135 | Security Update for Windows Kernel-Mode Drivers | KB3199135 |
| MS16-136 | Security Update for SQL Server | KB3199641 |
| MS16-137 | Security Update for Windows Authentication Methods | KB3199173 |
| MS16-138 | Security Update for Microsoft Virtual Hard Disk Driver | KB3199647 |
| MS16-139 | Security Update for Windows Kernel | KB3185879 |
| MS16-140 | Security Update for Boot Manager | KB3193479 |
| MS16-141 | Security Update for Adobe Flash Player | KB3202790 |
| MS16-142 | Cumulative Security Update for Internet Explorer | KB3198467 |
MS16-129
Unlike every other month, this month’s bulletin list starts with the cumulative update for Microsoft Edge. The traditional first bulletin, Internet Explorer, comes last this month, possibly due to the Flash out-of-band release in late October causing a shift in bulletin IDs. This bulletin contains a number of CVEs shared with Internet Explorer’s MS16-142, a number of scripting engine updates, and a pair of Edge-only vulnerabilities, one of which is related to the parsing of HTTP responses. CVE-2016-7199 and CVE-2016-7209 were publicly disclosed.
MS16-130
The second bulletin this month fixes three unrelated vulnerabilities in Microsoft Windows. This includes a potential drive-by attack vector in image parsing and a pair of privilege escalation vulnerabilities in the Windows Input Method Editor and Task Scheduler. The Task Scheduler change requires that hardened UNC paths be used for scheduled tasks, which means that existing scheduled tasks should be reviewed after applying the patch for any potential errors.
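A review script for the MS16-130 Task Scheduler note, added here as an example and not part of the VERT alert: it lists scheduled task actions that reference UNC paths alongside the Hardened UNC Paths policy entries currently configured, so each task's share can be checked against the policy before and after the patch. It assumes Windows 8/Server 2012 or later, where the ScheduledTasks cmdlets are available.

```powershell
# Added example (not from the VERT alert). Requires the ScheduledTasks module
# (Windows 8 / Server 2012 and later); run from an elevated prompt to see all tasks.
function Get-UncScheduledTaskActions {
    [CmdletBinding()]
    param()

    # Matches \\server\share at any position in a path or argument string
    $uncPattern = '\\\\[^\\\s"'']+\\[^\\\s"'']+'

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only "Exec" actions carry Execute/Arguments/WorkingDirectory
            if (-not ($action.PSObject.Properties.Name -contains 'Execute')) { continue }
            $fields = @($action.Execute, $action.Arguments, $action.WorkingDirectory) |
                Where-Object { $_ }
            foreach ($field in $fields) {
                foreach ($m in [regex]::Matches($field, $uncPattern)) {
                    [pscustomobject]@{
                        TaskPath = $task.TaskPath
                        TaskName = $task.TaskName
                        State    = $task.State
                        UncPath  = $m.Value
                        Source   = $field
                    }
                }
            }
        }
    }
}

function Get-HardenedUncPathPolicy {
    # Registry location written by the "Hardened UNC Paths" Group Policy setting;
    # each value name is a UNC pattern and its data lists the requirements.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -like '\\*' } |
        ForEach-Object { [pscustomobject]@{ Path = $_.Name; Requirements = $_.Value } }
}

Get-UncScheduledTaskActions | Format-Table TaskPath, TaskName, State, UncPath -AutoSize
Get-HardenedUncPathPolicy | Format-Table -AutoSize
```

Any task whose UncPath has no matching policy entry is a candidate for the post-patch errors the bulletin describes and should be tested after applying the update.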
MS16-131
Up next, we have a single vulnerability in the Microsoft Video Control, which could allow code execution via a malicious file. One of the more important notes here is that the Outlook Preview Pane is also affected, increasing the risk for this vulnerability.
MS16-132
MS16-132 contains fixes for four vulnerabilities affecting Microsoft Graphics Components. In addition to information disclosure and code execution in the context of the user, this bulletin resolves two vulnerabilities that could lead to full control of the affected system. CVE-2016-7256 has been exploited.
MS16-133
This month’s Office bulletin resolves vulnerabilities affecting Microsoft Word, Excel, and PowerPoint, as well as vulnerabilities in Excel and Word services on SharePoint and Office Web Apps Server. The bulk of the vulnerabilities here lead to code execution in the context of the current user; however, there are also information disclosure and denial of service vulnerabilities in the list.
MS16-134
With MS16-134, we have a number of privilege escalation vulnerabilities affecting the Windows Common Log File System (CLFS) drivers. CLFS provides user-mode logging services via the Windows SDK and kernel-mode logging services via a driver; these vulnerabilities affect the kernel-mode logging services, meaning successful exploitation could allow attackers to run code in a higher context.
MS16-135
The Windows Kernel-Mode Drivers update has been a frequently seen bulletin for the past few years and we see it again this month, with five vulnerabilities resolved: two information disclosure issues and three privilege escalations. According to Microsoft, CVE-2016-7255, which was exploited in the wild, was mitigated for users running the Windows 10 Anniversary Update. CVE-2016-7255 has been publicly disclosed and exploited.
MS16-136
One of the more complex releases this month is the SQL Server update. The bulletin contains a table directing you to the correct update based on your running SQL Server version. Ensure that you double-check that you have the correct update, as there are four updates that apply to SQL Server 2012, four for SQL Server 2014, and two for SQL Server 2016. These vulnerabilities impact the SQL Server database engine, MDS API, SQL Analysis Services, and the SQL Server agent. This bulletin also represents the first time we’ve seen a bulletin numbered 136 and solidifies 2016 as the year with the most published Microsoft Security Bulletins.
MS16-137
Up next, we have the Windows Authentication Methods bulletin, which resolves vulnerabilities in the Windows NTLM password change cache, LSASS, and Windows Virtual Secure Mode. Interestingly, the Windows 10 update only applies to the original release version of Windows 10 and not the 1511 or 1607 updates.
MS16-138
Multiple Windows Virtual Hard Disk Driver vulnerabilities are resolved by MS16-138, which could allow an attacker to manipulate files that they should not be able to access.
MS16-139
MS16-139 resolves a single Windows Kernel vulnerability that affects Windows Vista, 7, Server 2008, and Server 2008 R2.
MS16-140
This is one of the more interesting bulletins this month, with a firmware update to protect against a Windows Secure Boot bypass. It is interesting to note that this vulnerability is resolved by revoking boot policies in the firmware, but those policies may vary depending on the platform. There are two levels of protection, ‘baseline’ and ‘enhanced’. Systems that only obtain baseline protection should consult their OEM to see if additional firmware updates are available.
MS16-141
The penultimate update this month is the Adobe Flash update. While normally the last update, the shift of IE to the last bulletin has moved this one to second last. This bulletin addresses the vulnerabilities resolved by APSB16-37.
MS16-142
The final bulletin this month resolves a number of Internet Explorer vulnerabilities including many of the same CVEs we saw referenced in our first bulletin, MS16-129. In addition to those fixes, a fix for the XSS Filter regular expression handler has been included.
Additional Details
As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.