Skip to content ↓ | Skip to navigation ↓

Today’s VERT Alert addresses 12 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-648 on Wednesday, December 9th.

Ease of Use (published exploits) to Risk Table

Automated Exploit
Easy
Moderate
Difficult
MS15-131 MS15-135
Extremely Difficult
MS15-124
No Known Exploit
MS15-125
MS15-126

MS15-128
MS15-129
MS15-130
MS15-132
MS15-134
MS15-133 MS15-127
Exposure
Local
Availability
Local
Access
Remote
Availability
Remote
Access
Local
Privileged
Remote
Privileged

 

MS15-124

Cumulative Security Update for Internet Explorer KB3116180

MS15-125

Cumulative Security Update for Microsoft Edge KB3116184

MS15-126

Cumulative Security Update for JScript and VBScript to Address Remote Code Execution KB3116178

MS15-127

Security Update for Microsoft Windows DNS to Address Remote Code Execution KB3100465

MS15-128

Security Update for Microsoft Graphics Component to Address Remote Code Execution KB3104503

MS15-129

Security Update for Silverlight to Address Remote Code Execution KB3106614

MS15-130

Security Update for Microsoft Uniscribe to Address Remote Code Execution KB3108670

MS15-131

Security Update for Microsoft Office to Address Remote Code Execution KB3116111

MS15-132

Security Update for Microsoft Windows to Address Remote Code Execution KB3116162

MS15-133

Security Update for Windows PGM to Address Elevation of Privilege KB3116130

MS15-134

Security Update for Windows Media Center to Address Remote Code Execution KB3108669

MS15-135

Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege KB3119075

MS15-124

This month, like almost every other, starts off with an Internet Explorer update. The is probably a great time to remind everyone that support for older versions of Internet Explorer ends on January 12, 2016. That means that this is the second last time you’ll get updates if you’re not upgraded to the latest Internet Explorer offering for your operating system.

One interesting note is that you’ll see quite a bit of overlap between the CVEs in MS15-124, MS15-125, and MS15-126, just because a CVE is fixed in multiple places doesn’t mean that any single patch will resolve the vulnerability. You need to make sure that you get the correct combination of patches for your environment. For example, if you’re a Windows 10 user and you see the phrase ‘Microsoft Browser’ instead of ‘Internet Explorer’ or ‘Microsoft Edge,’ then you have multiple affected products on your system.

MS15-125

Much of what was written for MS15-124 could be reiterated here. The most important point to note is that Edge does have it’s own unique vulnerabilities that should be patched.

MS15-126

JScript and VBScript have been patched frequently this year but in case you aren’t familiar with the drill just yet, keep in mind that users of Internet Explorer 7 need to install MS15-126, while users of IE 8 and later need to install MS15-124. The exception is Windows Server 2008 R2 users running Server Core; they also need to install MS15-126.

MS15-127

MS15-127 will be at the top of my patching list today. This is a true remote code execution vulnerability, one of those issues that has the possibility of being whispered in dark corners alongside the term ‘wormable’. In this case, a remote attacker could send a malicious request to a DNS server causing code execution to occur. If you have any Microsoft DNS Servers, especially if they’re publicly available, this vulnerability may want to be placed at the top of your list.

MS15-128

This is one of those bulletins where it’s almost easier to list products that aren’t included. Microsoft Windows, .Net Framework, Microsoft Office, Skype for Business, Microsoft Lync, and Silverlight are all included in this bulletin. These bulletins are always a mess to sort out and enterprises without centrally managed patch deployment may find themselves struggling to ensure all patches are applied properly.

MS15-129

Even though we listed Silverlight in MS15-128, it’s got it’s own bulletin as well, MS15-129. It’s important to note that the update is the same for MS15-128 and MS15-129, so there’s only one update to install; the bulletin is split to properly account for the various vulnerabilities patched.

MS15-130

Up next, we have a vulnerability in Microsoft Uniscribe, a set of APIs related to typography in Microsoft Windows. Since we’re dealing with a vulnerability in font parsing, there are a number of attack vectors including embedded web fonts and Microsoft Office documents.

MS15-131

It’s rare to find a month without a Microsoft Office update, so it’s only natural that we should come across MS15-131. What is interesting, given the recent trend, is that SharePoint is not among the products updated. This should come as a welcome relief to SharePoint Administrators after several SharePoint updates in recent months.

MS15-132

Here we have a number of library loading vulnerabilities that affect all versions of Windows. While Microsoft states that a successful attack will lead to complete control of an affected system, they also state that running with reduced user rights will reduce the impact, meaning that fully system access is not guaranteed under systems with proper user privileges.

MS15-133

A race condition exists in the Windows Pragmatic General Multicast (PGM) protocol that could allow an attacker to escalate their privileges on a system. Most systems will not be vulnerable to this by default, as they will need MSMQ installed to introduce the vulnerability.

MS15-134

The penultimate update this month (and possibly the year) resolves a pair of vulnerabilities in Windows Media Center. This bulletin serves as a good reminder to disable any unused / unneeded protocol handlers (in this case, the mcl handler).

MS15-135

The final update this month addresses several elevation of privilege vulnerabilities in the Windows Kernel-Mode Drivers. This is a staple update lately and it was a surprise to see it at the end of the bulletin list this month.

Additional Details

Adobe has released APSB15-32 to address multiple vulnerabilities in Adobe Flash Player.

 

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Hacking Point of Sale
  • Nat

    My computer was set up with automatic Windows updates. When this KB3106614 (MS15-129) updated 2 nights ago, it erased everything from my computer! Everything! It was the most horrible feeling. I was able to do a system restore, but now I don’t want to accept any Windows updates.