Nov 2016 Patch Tuesday: Microsoft released 14 security updates, 6 rated critical

In addition to releasing 14 security updates on Election Day Patch Tuesday, six of which are rated critical, the Microsoft Security Response Center responded to requests for better access to security update information; Microsoft’s solution was to release a preview of its new Security Update Guide, “a single destination for security vulnerability information.”

MSRC added, “Instead of publishing bulletins to describe related vulnerabilities, the new portal lets our customers view and search security vulnerability information in a single online database.”

After accepting the terms of service, you can sort, filter out products and “drill down” into “more detailed security update information.”

Without further ado, let’s jump into the nitty-gritty.

Rated critical

MS16-129 is the cumulative patch for Microsoft’s Edge browser. It closes 17 holes, including remote code execution flaws via four browser memory corruption vulnerabilities and eight scripting engine memory corruption bugs. The patch also fixes four information disclosure flaws and one spoofing vulnerability.

Both the Microsoft browser information disclosure bug and the Microsoft Edge spoofing bug have been publicly disclosed, although Microsoft said the flaws have not been exploited.

MS16-130 is the fix for a remote code execution vulnerability in Windows, as well as two elevation of privilege flaws—one in Task Scheduler and the other in Windows Input Method Editor (IME).

MS16-131 patches an RCE vulnerability in Microsoft Video Control, as it fails to properly handle objects in memory.

MS16-132 closes holes in Microsoft Graphics Component that could lead to RCE. Microsoft noted that the vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. There are memory corruption flaws that could lead to RCE in Windows Animation Manager and Windows Media Foundation. Another RCE vulnerability is in Open Type Font, but this is being exploited even though Microsoft said it wasn’t publicly disclosed.

Additionally, Microsoft said an information disclosure flaw exists when the Adobe Type Manager Font Driver (ATMFD) “improperly discloses the contents of its memory.”

MS16-133 is to patch numerous holes in Office, including 10 memory corruption bugs that could lead to RCE, a denial-of-service flaw and an information disclosure vulnerability.

MS16-142 is the cumulative update for IE. It resolves four browser memory corruption flaws that could allow RCE and three information disclosure bugs—one of which was publicly disclosed but marked as not being exploited.

MS16-141 fixes a plethora of RCE holes in Adobe Flash.

Rated important

Although only rated important by Microsoft, MS16-135 patches the zero-day that Google disclosed on Oct. 31; it is being actively exploited and should be a top priority.

Regarding the Win32k EoP vulnerability CVE-2016-7255, Microsoft said it “implemented new exploit mitigations in the Windows 10 Anniversary Update version of the win32k kernel component. These Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit.”

MS16-135 also addresses other issues in Windows kernel-mode drivers. In total, there are three Win32k flaws that could allow elevation of privilege and two information disclosure flaws—one in Win32k and another in Microsoft browser.

MS16-134 fixes 10 Windows Common Log File System flaws that could allow elevation of privilege. Microsoft noted the CLFS driver improperly handles objects in memory; a local attack scenario included an attacker exploiting the vulnerabilities “to take complete control over the affected system.”

MS16-136 addresses 10 holes in Microsoft SQL Server. When listing out specifics, Microsoft mentioned three SQL RDBMS Engine EoP holes. The fix corrects how SQL Server handles pointer casting. There is an XSS EoP vulnerability in SQL Server MDS, one SQL Server Agent EoP bug and an information disclosure vulnerability in Microsoft SQL Analysis Services.

MS16-137 is a security update for Windows Authentication Methods, specifically to fix a Windows NTLM EoP Vulnerability, a Virtual Secure Mode information disclosure flaw and a Local Security Authority Subsystem Service denial-of-service hole.

MS16-138 resolves vulnerabilities in Microsoft Virtual Hard Drive by correcting four VHD Driver EoP flaws that could allow an attacker to access and manipulate files.

MS16-139 fixes a Windows kernel EoP vulnerability. “The security update addresses the vulnerability by helping to ensure that the Windows Kernel API properly enforces permissions.”

MS16-140 fixes a security feature bypass flaw that could be exploited “if a physically-present attacker installs an affected boot policy.”

Happy patching!