Authored by Debra Littlejohn Shinder
Along with 14 patches, Microsoft introduced a new Security Update Guide web site, as the new location for information on security vulnerabilities.
This month's Patch Tuesday was also election day in the U.S. and I imagine for once, IT pros are actually happy to see a big load of security updates released – it's something to take our mind off the culmination of this contentious campaign season.
Along with the fourteen patches released today, the Microsoft Security Response Center (MSRC) team published a blog post that introduces the new Security Update Guide web site, which the company sees as the "new single destination for security vulnerability information."
It's in preview now, and the Microsoft Security Bulletin site is still operational, so if you're one of many who don't like change, you can still access the information in the traditional way – at least for a few months. After January 2017, the information about the security fixes will no longer be published to the Bulletins site; you'll have to transition to the Update Guide.
The good news is that the new portal does give you far more flexibility. You can filter by release date, KB number, CVE identifier, or product. This is great for those who don't want to waste time scrolling through information about software and services that they don't have deployed or don't use.
This month's updates include six that are rated critical and eight classified as important. There are updates for both Microsoft web browsers, Adobe Flash, and various components of Windows, as well as one for SQL Server and one for Microsoft Office.
Let's take a look at each of these updates in a little more detail.
Critical
MS16-129 (KB 3199057) This is the usual cumulative update for the Edge browser and applies to Edge on all iterations of Windows 10. It is rated critical for all.
The update addresses seventeen vulnerabilities, including multiple memory corruption issues, information disclosure, and a spoofing vulnerability. Twelve of these could be exploited to accomplish remote code execution.
The update fixes the problems by changing how Microsoft browsers handles objects in memory, changing how the XSS filter in Microsoft browsers handle RegEx, modifying how the Chakra JavaScript scripting engine handles objects in memory, and correcting how the Microsoft Edge parses HTTP responses.
MS16-130 (KB 3199172) This is an update for all currently supported versions of the Windows client and server operating systems, including the server core installation. It is rated critical for all.
This update addresses three vulnerabilities: two elevation of privilege issues and one remote code execution vulnerability. The update fixes the problems by correcting how the Windows Input Method Editor (IME) loads DLLs and requiring hardened UNC paths be used in scheduled tasks.
MS16-131 (KB 3199151) This is an update for the Microsoft Video Control component in Windows Vista, 7, 8.1, RT 8.1 and 10. It is rated critical for all. It also affects Windows Server 2016 Preview 5.
The update addresses a single vulnerability based on the way the Video Control component handles objects in memory, which can be exploited to accomplish remote code execution. The update fixes the problems by correcting how Microsoft Video Control handles objects in memory.
MS16-132 (KB 3199120) This is an update for the Graphic component in all currently supported versions of Windows client and server operating systems, including the server core installation. It is rated critical for all.
The update addresses four vulnerabilities: an open type font information disclosure issue (for which a workaround is provided in the security bulletin), two memory corruption vulnerabilities – one in Windows Animation Manager and one in Media Foundation – and an open type font remote code execution vulnerability, which also has a workaround. You can find instructions for the workarounds at https://technet.microsoft.com/en-us/library/security/ms16-132.aspx
The update fixes the problems by correcting how the ATMFD component, the Windows Animation Manager, and the Windows Media Foundation handle objects in memory.
MS16-141 (KB3202790) This is an update for Adobe Flash Player running on Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016. It does not include the server core installation, which doesn't have a web browser installed by default. It is rated critical for all affected systems.
The update addresses nine vulnerabilities in the Flash Player software, which include type confusion vulnerabilities and use-after-free vulnerabilities, both of which can be exploited to accomplish code execution. The update fixes the problems by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.
MS16-142 (KB3198467) This is the usual cumulative update for the Internet Explorer web browser. It is rated Critical for IE 9 and IE 11 on affected Windows clients, and rated Moderate for IE 9, IE 10 and IE 11 on affected Windows server operating systems.
The update addresses seven vulnerabilities, which include four memory corruption issues and three information disclosure vulnerabilities. The most severe of these could be exploited to accomplish remote code execution. The update fixes the problems by correcting how Internet Explorer modifies objects in memory and the way it uses the XSS filter to handle RegEx.
Important
MS16-133 (KB 3199168) This is an update for Microsoft Office that applies to Office 2007, 2010, 2013, 2013 RT, and 2016, as well as Office for Mac 2011 and 2016, the Office Compatibility Pack, and the Excel and PowerPoint Viewers. Also affected are Excel Services and Word Automation Services on SharePoint 2010, Word Automation Services on SharePoint 2013, and Office Web Apps 2010 and 2013. It is rated important for all.
The update addresses twelve vulnerabilities, ten of which are memory corruption issues. The other two are information disclosure and denial of service vulnerabilities. The update fixes the problems by correcting how Microsoft Office initializes variables and how affected versions of Office and Office components handle objects in memory.
MS16-134 (KB3193706) This is an update for the Common Log File System Driver in all currently supported releases of Windows client and server operating system, including the Server Core installation. It is rated important for all.
This update addresses ten vulnerabilities, all of which are elevation of privilege issues. The update fixes the problem by correcting how CLFS handles objects in memory.
MS16-135 (KB3199135) This is an update for the Windows Kernel-mode Drivers in all currently supported releases of Windows client and server operating system, including the Server Core installation. It is rated important for all.
This update addresses five vulnerabilities, which includes two information disclosure issues and three elevation of privilege vulnerabilities. The update fixes the problem by correcting how the Windows kernel-mode driver handles objects in memory.
MS16-136 (KB3199641) This is an update for all currently supported editions of Microsoft SQL Server 2012, 2014 and 2016. It is rated important for all.
The update addresses six vulnerabilities, which includes three SQL RDBMS Engine Elevation of Privilege vulnerabilities, one MDS API XSS vulnerability, and one SQL Analysis Services information disclosure vulnerability, along with one SQL Server agent elevation of privilege vulnerability. The most severe of these vulnerabilities could allow an attacker could to gain elevated privileges that could be used to view, change, or delete data; or create new accounts. The update fixes these most severe vulnerabilities by correcting how SQL Server handles pointer casting.
MS16-137 (KB3199173) This is an update for Windows Authentication Methods in all currently supported releases of Windows client and server operating system, including the server core installation. It is rated important for all.
The update addresses three vulnerabilities, which include a Virtual Secure Mode Information Disclosure vulnerability, a Local Security Authority Subsystem Service Denial of Service vulnerability and a Windows NTLM Elevation of Privilege vulnerability.
The update fixes the problems by updating Windows NTLM to harden the password change cache, changing the way that LSASS handles specially crafted requests and correcting how Windows Virtual Secure Mode handles objects in memory.
MS16-138 (KB3199647) This is an update for the Microsoft Virtual Hard Disk Driver in Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016, including the server core installation. It is rated important for all.
The update addresses four vulnerabilities, all of which are elevation of privilege issues that an attacker could exploit to manipulate files in locations not intended to be available to the user. The update fixes the problem by correcting how the kernel API restricts access to these files.
MS16-139 (KB3199720) This is an update for the Windows kernel in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, including the server core installation. It is rated important for all.
The update addresses a single vulnerability in the way the kernel API enforces permissions, which an attacker could exploit to gain access to information that is not intended for the user, but the attacker would have to be able to locally authenticate. The update fixes the problem by helping to ensure the kernel API correctly enforces access controls.
MS16-140 (KB3193479) This is an update for the Boot Manager in Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016, including the server core installation. It is rated important for all.
The update addresses a single vulnerability when Windows Secure Boot improperly loads a boot policy that is affected by the vulnerability. An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device. The update fixes the problem by revoking affected boot policies in the firmware.
You can find the full summary of all these updates, with links to each security bulletin, at https://technet.microsoft.com/en-us/library/security/ms16-nov.aspx
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
