Authored by Debra Littlejohn Shinder
Don't let the holiday season fool you – patching is a never-ending story, and Microsoft prepared 12 patches for us this Tuesday.
It's a time of year when many office workers slack off a bit at their jobs, while other, seasonal occupations ramp on. In the IT world, it's pretty much business as usual. Neither the hackers and attackers nor the security researchers and software vendors take the holidays off, so it's important to stay vigilant and keep our systems updated, even if we'd prefer to be out singing carols or fighting the crowds who annually play the shopping madness game.
As usual, Microsoft has an early gift for us. Whether deliberately or coincidentally, we can sing it to the tune of The Twelve Days of Patches (that is, if we want to install just one per day). This dozen of updates includes the usual suspects: cumulative updates for the IE and Edge web browsers and the obligatory Adobe Flash update, along with an update for Office, with the rest applicable to various versions of the Windows operating system. Six of them are rated critical and the rest important.
Let's take a look at each of these updates in a little more detail, and you can find the full summary with links to each individual security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-dec
Critical
MS16-144 (KB 3204059) This is the usual cumulative update for the Internet Explorer web browser. It applies to IE 9, IE 10 and IE 11 on supported Windows clients and server operating systems. It is rated critical on Windows clients and moderate for Windows servers.
The update addresses eight vulnerabilities that include multiple memory corruption issues in the browser and in the scripting engine, a security feature bypass, and multiple information disclosure vulnerabilities. The most severe of these can be exploited to accomplish remote code execution. There are no identified workarounds or mitigations.
The update fixes the problems by correcting the way IE and the scripting engines handle objects in memory, as well as correcting the way the browser checks the same origin policy for scripts running inside Web Workers.
MS16-145 (KB 3204062) This is the usual cumulative update for the Edge browser and applies to Edge on all iterations of Windows 10, and it is rated critical for all.
The update addresses eleven vulnerabilities, including multiple memory corruption issues in the browser and in the scripting engines, information disclosure, and a security bypass vulnerability. The most severe of these can be exploited to accomplish remote code execution. There are no identified workarounds or mitigations.
The update fixes the problems by changing how the Microsoft browser and scripting engines handle objects in memory, as well as correcting the way the browser checks the same origin policy for scripts running inside Web Workers.
MS16-146 (KB 3204066) This is an update for the Microsoft Graphics component in Windows. It affects Windows Vista, 7, 8.1, 8.1 RT, and 10 as well as Windows Server 2008, 2008 R2, 2012, 2012 R2 and 2016, including the server core installations. It is rated critical for all.
The update addresses three vulnerabilities. One is a Windows GDI information disclosure issue and two are remote code execution (RCE) vulnerabilities that are due to memory handling issues. There are no identified workarounds or mitigations. The updates fix the problems by changing the way the Windows GDI component handles objects in memory.
MS16-147 (KB 3204063) This is an update for Microsoft Uniscribe, which is a component in Windows that is a set of APIs used for rendering Unicode encoded text with a high degree of typographical control. It applies to Windows Vista, 7, 8.1, 8.1 RT, and 10 as well as Windows Server 2008, 2008 R2, 2012, 2012 R2 and 2016, including the server core installations. It is rated critical for all.
The update addresses a single vulnerability that exists due to memory handling issues. It could be exploited to accomplish remote code execution, either via a web-based attack or a file-sharing scenario. There are no identified workarounds or mitigations. The update fixes the problem by changing the way Windows Uniscribe handles objects in memory.
MS16-148 (KB 3204068) This is an update for Microsoft Office. It affects Office 2007, 2010, 2013, 2013 RT, 2016, the Office Compatibility Pack SP 3 and the Word and Excel Viewers. It also affects Office for Mac 2011 and 2016 and the Auto Updater for Mac. SharePoint 2007 and 2010 are also impacted, along with Office Web Apps 2010. The update is rated critical for some versions/software and important or moderate for others.
The update addresses sixteen separate vulnerabilities, which include multiple memory corruption issues, an OLE side loading vulnerability, security bypasses, multiple information disclosure issues, and a Microsoft AutoUpdate (MAU) elevation of privilege vulnerability. There are no identified workarounds or mitigations.
The update fixes the problems by changing how Microsoft Office initializes variables, how Microsoft Office validates input, how Microsoft Office rechecks registry values, the way Microsoft Office parses file formats, the means by which affected versions of Office and Office components handle objects in memory, and the way Microsoft Office for Mac Autoupdate Validates Packages.
MS16-152 (KB 3209498) This is an update for Adobe Flash Player on Windows 8.1, RT 8.1, Windows 10, Server 2012, 2012 R2 and 2016. It is rated critical for all. It does not apply to server core installations, which do not run a web browser.
The update addresses seventeen vulnerabilities in the Flash Player application. These include use-after-free, buffer overflow, security bypass and memory corruption vulnerabilities. More information is available on Adobe's web site at https://helpx.adobe.com/security/products/flash-player/apsb16-39.html . There are identified workarounds for some of these vulnerabilities, the instructions for which you can find in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-154.aspx . The update addresses the problems by updating the Flash libraries in IE 10, IE 11 and Edge.
Important
MS16-149 (KB 3205655) This is an update for Windows that affects Vista, Windows 7, 8.1, and 10 as well as Windows Server 2008, 2008 R2, 2012, 2012 R2 and 2016, including the server core installations. It does not affect Windows RT, but is rated important for all listed above.
The update addresses a pair of vulnerabilities. One is an information disclosure issue related to improper handling of objects in memory by the Crypto Driver running in kernel mode. The other is an elevation of privilege issue caused by Windows Installer's failure to properly sanitize input. There are no identified workarounds or mitigations.
The update fixes the problems by correcting how a Windows crypto driver handle objects in memory, and also correcting the input sanitization error to preclude unintended elevation.
MS16-150 (KB 3205642) This is an update for the Secure Kernel Mode in Windows that affects only Windows 10 and Server 2016, including the server core installation. It is rated important for both.
The update addresses a single vulnerability that occurs when the Secure Kernel Mode fails to properly handle objects in memory. Exploitation could result in violation of virtual trust levels. There are no identified workarounds or mitigations. The update fixes the problem by correcting how Windows Secure Kernel Mode handles objects in memory to properly enforce VLTs.
MS16-151 (KB 3205651) This is an update for the Windows kernel-mode drivers in Windows Vista, 7, 8.1, 8.1 RT, and 10 as well as Windows Server 2008, 2008 R2, 2012, 2012 R2 and 2016, including the server core installation. It is rated important for all.
The update addresses two Win32k elevation of privilege vulnerabilities, one in the Windows Graphics component and both related to improper handling of objects in memory. There are no identified workarounds or mitigations. The update fixes the problem by correcting how the Windows kernel-mode driver handles objects in memory.
MS16-152 (KB 3199709) This is an update for the Windows kernel that affects only Windows 10 and Server 2016, including the server core installation. It is rated important for both.
The update addresses a single information disclosure vulnerability related to the Windows kernel's failure to properly handle certain page fault system calls. An attacker would have to log on locally or persuade a locally authenticated user to execute an application in order to exploit this vulnerability. There are no identified workarounds or mitigations. The update fixes the problem by correcting how the Windows kernel handles objects in memory.
MS16-153 (KB 3207328) This is an update for the Common Log File System Driver in Windows. It affects Windows Vista, 7, 8.1, 8.1 RT, and 10 as well as Windows Server 2008, 2008 R2, 2012, 2012 R2 and 2016, including the server core installation. It is rated important for all.
The update addresses a single information disclosure vulnerability in the CLFS driver that is related to improper handling of objects in memory. An attacker could exploit the vulnerability to bypass security. There are no identified workarounds or mitigations. The update fixes the problem by correcting the way the Windows CLFS driver handles objects in memory.
MS16-155 (KB 3205640) This is an update for the Microsoft .NET Framework. It applies to version 4.6.2 running on Windows 7, 8.1, 8.1 RT and 10, along with Server 2008 R2, 2012, and 2012 R2, including server core installations. It is rated important for all.
The update addresses a single vulnerability in the .NET Framework's Data Provider for SQL Server, which could be exploited to give an attacker access to information that's supposed to be protected by the Always Encrypted feature. There is a workaround, the instructions for which can be found in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms16-006.aspx . The update fixes the problem by correcting how Microsoft Silverlight validates decoder results.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
