Dec. 2016 Patch Tuesday: Microsoft releases 12 security bulletins, 6 rated critical

Congrats for making it through another year of patching Windows! There are 12 this month, 6 rated critical and some which had been publicly disclosed.

For the last Patch Tuesday of 2016, Microsoft issued 12 security bulletins, half of which are rated critical due to remote code execution vulnerabilities. Get ready for restarts. Please do not delay deploying patches since three do address vulnerabilities which had been publicly disclosed.

Rated critical

MS16-144 pertains to patching a plethora of bugs in Internet Explorer: two scripting engine memory corruption vulnerabilities, two memory corruption vulnerabilities, a security feature bypass bug, and two information disclosure flaws and one Windows hyperlink object library information disclosure vulnerability.

Three of the flaws have been publicly disclosed: CVE-2016-7282 – a Microsoft browser information disclosure vulnerability, CVE-2016-7281 – the Microsoft browser security feature bypass bug – and CVE-2016-7202 – a scripting engine memory corruption vulnerability, have been publicly disclosed. Microsoft said they are not being exploited.

MS16-145 is the cumulative fix for the Edge browser; it resolves five scripting engine memory corruption bugs, two memory corruption flaws, three information disclosure vulnerabilities and a security feature bypass. Like the IE patch, three of the Edge vulnerabilities have been publicly disclosed but Microsoft said they are not being exploited.

MS16-146 is the monthly security patch for Microsoft graphics components, specifically aimed at addressing two RCE holes in Windows graphics components as well as a Windows GDI information disclosure flaw.

MS16-147 is something we don’t typically see every month; it is a fix for a remote code execution flaw in Microsoft Uniscribe since it mishandles objects in memory.

MS16-148 is the monthly patch for a boatload of flaws in Microsoft Office, some of which could result in RCE. Those 16 vulnerabilities include four memory corruption vulnerabilities, an Office OLE DLL side-loading flaw, three security feature bypass bugs, one GDI information disclosure issue, six Microsoft Office information disclosure holes, and an elevation of privilege vulnerability in Microsoft AutoUpdate (MAU). None of which had been publicly disclosed.

MS16-154 is for Adobe Flash. That breakdown includes seven use-after-free flaws that could lead to RCE, four buffer overflow bugs, five memory corruption vulnerabilities that could result in RCE and one security bypass flaw.

Rated important

MS16-149 resolves two holes in Windows, specifically a Windows crypto information disclosure flaw and a Windows installer elevation of privilege vulnerability.

MS16-150 addresses an elevation of privilege bug in Windows secure kernel mode due to mishandling objects in memory.

MS16-151 is to fix for two elevation of privilege vulnerabilities in Windows kernel mode drivers. One of the Win32k EoP flaws is due to Windows kernel mode driver failing to properly handle objects in memory; the other is due to Windows graphics component mangling objects in memory.

MS16-152 is a security update for Windows kernel as it improperly handles page fault system calls and could lead to information disclosure.

MS16-153 resolves an information disclosure bug in Windows by updating the common log file system driver.

MS16-155 is the fix for .NET framework; Microsoft noted that the information disclosure vulnerability has been publicly disclosed but is not being exploited.

MS16-143 was missing in action, considering the patches for November ended with MS16-142 and December began with MS16-144

Congratulations! You made it through another year of faithfully applying security updates to Windows. For the last time in 2016, I wish you happy patching!

Copyright © 2016 IDG Communications, Inc.

What is security's role in digital transformation?