Skip to content ↓ | Skip to navigation ↓

Today’s VERT Alert addresses 12 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-703 on Wednesday, December 14th.

Ease of Use (published exploits) to Risk Table

Automated Exploit
Easy
Moderate
Difficult
Extremely Difficult
 
 
MS16-144
MS16-145
 
 
 
No Known Exploit
MS16-152
MS16-153
MS16-155 
 
MS16-146
MS16-147
MS16-148
MS16-149
MS16-154
 
 
MS16-150
MS16-151
Exposure
Local
Availability
Local
Access
Remote
Availability
Remote
Access
Local
Privileged
Remote
Privileged

 

MS16-144 Cumulative Security Update for Internet Explorer KB3204059
MS16-145 Cumulative Security Update for Microsoft Edge KB3204062
MS16-146 Security Update for Microsoft Graphics Component KB3204066
MS16-147 Security Update for Microsoft Uniscribe KB3204063
MS16-148 Security Update for Microsoft Office KB3204068
MS16-149 Security Update for Microsoft Windows KB3205655
MS16-150 Security Update for Secure Kernel Mode KB3205642
MS16-151 Security Update for Windows Kernel-Mode Drivers KB3205651
MS16-152 Security Update for Windows Kernel KB3199709
MS16-153 Security Update for Common Log File System Driver KB3207328
MS16-154 Security Update for Adobe Flash Player KB3209498
MS16-155 Security Update for .NET Framework KB3205640

 

MS16-144

The final Patch Tuesday of 2016 starts with the ever-present Internet Explorer update. There are two interesting notes regarding today’s update. The first is that we have more than one patch. This is very rare for the IE updates and only evident due to the lack of servicing model changes on Windows Vista / Server 2008. The second update is for the Microsoft Windows Hyperlink Object Library. Secondly, CVE-2016-7281, which has been publicly disclosed, is fixed in this update. It resolves a Same Origin Bypass that exists when scripts are executed inside Web Workers, background JavaScript scripts.

  • CVE-2016-7282 was publicly disclosed.
  • CVE-2016-7281 was publicly disclosed.
  • CVE-2016-7202 was publicly disclosed.

MS16-145

The companion to MS16-144 is MS16-145, the monthly Microsoft Edge update. As is always the case, there are multiple overlapping CVEs between MS16-144 and MS16-145, which you can easily identify by looking for the phrase ‘Microsoft Browser’ rather than product-specific naming.

  • CVE-2016-7206 was publicly disclosed.
  • CVE-2016-7282 was publicly disclosed.
  • CVE-2016-7281 was publicly disclosed.

MS16-146

Up next, we have two code execution vulnerabilities in the Windows Graphic component and an information disclosure in GDI. In addition to the vulnerability fixes, this update provides defense-in-depth changes that are not fully documented in the bulletin.

MS16-147

The fourth bulletin this month resolves a single vulnerability in Microsoft Uniscribe. Uniscribe is a set of APIs for the implementation of fine typography and complex script operations like bidirectional text rendering and contextual character shaping.

MS16-148

The monthly Microsoft office update contains the usual mix of desktop Office products and Office Web Apps. Keep in mind that Word Viewer is included in this update, a product that is commonly overlooked in the update process. Note that the GDI ASLR bypass (CVE-2016-7257) from MS16-146 is also patched in MS16-148.

MS16-149

Next on the list, we have a pair of vulnerabilities in Windows itself – an information disclosure vulnerability in the Crypto Driver and an elevation of privilege in the Windows Installer.

MS16-150

MS16-150 resolves a vulnerability that affects only Windows 10 and Server 2016 in Windows Secure Kernel Mode. Given the limited set of operating systems in this bulletin, the Microsoft note regarding Server 2016 becomes more evident – Microsoft notes that while updates are also available for Server 2016 Technical Preview 5, users should upgrade to the Server 2016 release version.

MS16-151

We’ve come to expect that an update for Windows Kernel-Mode Drivers is the standard on Patch Tuesday, It’s interesting though that this bulletin contains so few vulnerabilities compared to past bulletins. The past few bulletins for KMD have resolved more than 5 vulnerabilities apiece while this one contains only two fixes.

MS16-152

MS16-152 is a single kernel memory information disclosure vulnerability that occurs when the Windows kernel fails to properly handle some page fault system calls.

MS16-153

A single vulnerability in the Windows Common Log File System Driver has been reported and fixed with MS16-153. This is the second time we’ve seen the CLFS driver in a bulletin recently, with credit for this month’s vulnerability going to the same individual responsible for November’s bundle of CLFS driver vulnerabilities.

MS16-154

The penultimate this month (and maybe for the year) is the December Adobe Flash Player update, APSB16-39. This update resolves 17 vulnerabilities.

MS16-155

The final update of the month (and, perhaps, the year) is an information disclosure vulnerability in the .NET Framework, specifically in the Data Provider for SQL Server, which could allow access data protected by Always Encrypted technology. Always Encrypted is client-side technology that ensures data is never revealed to the SQL Server.

  • CVE-2016-7270 was publicly disclosed.

Additional Details

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

10 Ways Tripwire Outperforms Other Cybersecurity Solutions
<!-- -->