Today’s VERT Alert addresses 12 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-703 on Wednesday, December 14th.

Ease of Use (published exploits) to Risk Table

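| | Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Automated Exploit | | | | | | | |
| Easy | | | | | | | |
| Moderate | | | | | | | |
| Difficult | | | | | | | |
| Extremely Difficult | | | MS16-144, MS16-145 | | | | |
| No Known Exploit | MS16-152, MS16-153, MS16-155 | | MS16-146, MS16-147, MS16-148, MS16-149, MS16-154 | | | MS16-150, MS16-151 | |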

| Bulletin | Description | KB |
| --- | --- | --- |
| MS16-144 | Cumulative Security Update for Internet Explorer | KB3204059 |
| MS16-145 | Cumulative Security Update for Microsoft Edge | KB3204062 |
| MS16-146 | Security Update for Microsoft Graphics Component | KB3204066 |
| MS16-147 | Security Update for Microsoft Uniscribe | KB3204063 |
| MS16-148 | Security Update for Microsoft Office | KB3204068 |
| MS16-149 | Security Update for Microsoft Windows | KB3205655 |
| MS16-150 | Security Update for Secure Kernel Mode | KB3205642 |
| MS16-151 | Security Update for Windows Kernel-Mode Drivers | KB3205651 |
| MS16-152 | Security Update for Windows Kernel | KB3199709 |
| MS16-153 | Security Update for Common Log File System Driver | KB3207328 |
| MS16-154 | Security Update for Adobe Flash Player | KB3209498 |
| MS16-155 | Security Update for .NET Framework | KB3205640 |

MS16-144

The final Patch Tuesday of 2016 starts with the ever-present Internet Explorer update. There are two interesting notes regarding today’s update. First, we have more than one patch. This is very rare for the IE updates and only evident due to the lack of servicing model changes on Windows Vista / Server 2008. The second patch is for the Microsoft Windows Hyperlink Object Library. Second, CVE-2016-7281, which has been publicly disclosed, is fixed in this update. It resolves a Same Origin Bypass that exists when scripts are executed inside Web Workers (background JavaScript scripts).

  • CVE-2016-7282 was publicly disclosed.
  • CVE-2016-7281 was publicly disclosed.
  • CVE-2016-7202 was publicly disclosed.

MS16-145

The companion to MS16-144 is MS16-145, the monthly Microsoft Edge update. As is always the case, there are multiple overlapping CVEs between MS16-144 and MS16-145, which you can easily identify by looking for the phrase ‘Microsoft Browser’ rather than product-specific naming.

  • CVE-2016-7206 was publicly disclosed.
  • CVE-2016-7282 was publicly disclosed.
  • CVE-2016-7281 was publicly disclosed.

MS16-146

Up next, we have two code execution vulnerabilities in the Windows Graphics component and an information disclosure in GDI. In addition to the vulnerability fixes, this update provides defense-in-depth changes that are not fully documented in the bulletin.

MS16-147

The fourth bulletin this month resolves a single vulnerability in Microsoft Uniscribe. Uniscribe is a set of APIs for the implementation of fine typography and complex script operations like bidirectional text rendering and contextual character shaping.

MS16-148

The monthly Microsoft Office update contains the usual mix of desktop Office products and Office Web Apps. Keep in mind that Word Viewer is included in this update, a product that is commonly overlooked in the update process. Note that the GDI ASLR bypass (CVE-2016-7257) from MS16-146 is also patched in MS16-148.

MS16-149

Next on the list, we have a pair of vulnerabilities in Windows itself – an information disclosure vulnerability in the Crypto Driver and an elevation of privilege in the Windows Installer.

MS16-150

MS16-150 resolves a vulnerability that affects only Windows 10 and Server 2016 in Windows Secure Kernel Mode. Given the limited set of operating systems in this bulletin, the Microsoft note regarding Server 2016 becomes more evident – Microsoft notes that while updates are also available for Server 2016 Technical Preview 5, users should upgrade to the Server 2016 release version.

MS16-151

We’ve come to expect an update for Windows Kernel-Mode Drivers as standard on Patch Tuesday. It’s interesting, though, that this bulletin contains so few vulnerabilities compared to past bulletins. The past few bulletins for KMD have resolved more than 5 vulnerabilities apiece, while this one contains only two fixes.

MS16-152

MS16-152 is a single kernel memory information disclosure vulnerability that occurs when the Windows kernel fails to properly handle some page fault system calls.

MS16-153

A single vulnerability in the Windows Common Log File System Driver has been reported and fixed with MS16-153. This is the second time we’ve seen the CLFS driver in a bulletin recently, with credit for this month’s vulnerability going to the same individual responsible for November’s bundle of CLFS driver vulnerabilities.

MS16-154

The penultimate bulletin this month (and maybe for the year) is the December Adobe Flash Player update, APSB16-39. This update resolves 17 vulnerabilities.

MS16-155

The final update of the month (and, perhaps, the year) is an information disclosure vulnerability in the .NET Framework, specifically in the Data Provider for SQL Server, which could allow access to data protected by Always Encrypted technology. Always Encrypted is a client-side technology that ensures data is never revealed to the SQL Server.

  • CVE-2017-7270 was publicly disclosed.

Additional Details

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.