
Microsoft has rolled out its last Patch Tuesday of 2016. As usual, the special day brought with it updates for numerous Microsoft services. However, while Patch Tuesday introduces bug fixes and general changes, there are other reasons for the day. Namely, Microsoft uses the event to issue security fixes.

This month the company has detailed the specific fixes it has brought to its services. Out of the 11 security bulletins, six of them were critical issues, Microsoft says.

Microsoft services affected by these flaws include Windows, Internet Explorer, Edge, Office, and the .NET Framework.

Below is a list of the fixed issues:

  • MS16-144 addresses a series of vulnerabilities, deemed Critical by the company’s severity rating system, that could compromise Internet Explorer and the system it’s installed on. By exploiting the security flaws present before this patch, an attacker could get full control over an affected system. The attacker would need to chain exploits together by tricking a user into viewing a malicious website, elevating his privileges on the target machine and then taking full control.
  • MS16-145 relates to an issue in Microsoft Edge, also deemed to be Critical. By viewing a malicious website, a user’s machine could be hacked and the attacker might gain the same user rights as the victim. Users operating with fewer rights would be less impacted than those operating as administrators.
  • MS16-146 is the third bulletin for this month dealing with a Critical issue that could allow for remote code execution. This relates to the Microsoft Graphics Component, which has received numerous security patches over the past few months. If an attacker tricks the user into opening a malicious website or document, he could get the same level of control over the machine as the user.
  • MS16-147 has to do with Microsoft Uniscribe, a set of APIs that allow control of fine typography and processing of complex scripts. This issue is also deemed to be Critical, as an attacker could gain the same privileges as the current user if the victim opens a malicious website or document.
  • MS16-148 is the final Critical patch to come out of Microsoft for this season. It has to do with Microsoft Office, Office Services and Office Web Apps. An attacker could end up running code remotely, with the same degree of freedom as the current user if the victim opens a malicious Microsoft Office file.
  • MS16-149 deals with an escalation of privileges issue in Microsoft Windows, and is deemed to be an Important patch. An attacker could gain administrative privileges over a system if he ran a specially created application. However, the attacker would need to be local and already be authenticated on the system.
  • MS16-150 and MS16-151 have to do with Windows Kernel Mode and Kernel-Mode Drivers. An attacker could gain administrative privileges over a system if he’s able to locally run a specially crafted script.
  • MS16-152 and MS16-153 fix issues where Windows could end up leaking information in some scenarios. The first bulletin addresses a flaw with the way the Windows Kernel handles objects in memory, while the second one has to do with the Common Log File System Driver (CLFS). In this latter scenario an attacker could trick Windows into disclosing information by running a specially crafted application locally.
  • MS16-155 may be the last security update to come out of Redmond for 2016 and it addresses security flaws in the .NET Framework. Deemed to be an Important issue, this flaw allowed an attacker to access information defended by the “Always Encrypted” features in some versions of .NET 4.6.2.
  • Finally, MS16-154 is the last security update on our list and it’s deemed to be a Critical one as some of these flaws are already being exploited in the wild. However, this patch isn’t from Microsoft, but rather from Adobe, and it fixes a number of issues found in Flash Player.

Patch Tuesday

December’s Patch Tuesday rolled out yesterday with firmware updates for most versions of Windows 10. The update for Windows 10 Mobile and PCs running the Anniversary Update is build 14393.576. However, the patch focused on Windows 10 PC builds and was dedicated to fixing the following issues:

  • Improved reliability of Security Support Provider Interface.
  • Addressed a service crash in CDPSVC that in some situations could lead to the machine not being able to acquire an IP address.
  • Fixed issue where a Catalog-signed module installation does not work on Nano Server.
  • Addressed issue where devices left with Hello on for an excessive amount of time would not go into power savings mode.
  • Addressed issue where gl_pointSize does not work properly when used with the drawElements method in Internet Explorer 11.
  • Fixed issue where Azure Active Directory-joined machines after upgrading to Windows 10 Version 1607 cannot sync with Exchange.
  • Addressed additional issues with app compatibility, updated time zone information, Internet Explorer.
  • Security updates to Microsoft Edge, Internet Explorer, Microsoft Uniscribe, Common Log File System Driver.