Hello everyone,

 

This is Greg Blaum with the Microsoft Patch Tuesday newsletter for November 2015.

 

Welcome to the November Patch Tuesday update. This month Microsoft released a total of twelve (12) new security bulletins. For this month, four (4) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other eight (8) are rated Important.

 

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

 

This month’s patches include the following:

 

| Bulletin Number | KB Number | Title | Bulletin Rating | Vulnerability Impact | McAfee Labs Security Advisory Number | Intel Security Coverage |
|---|---|---|---|---|---|---|
| MS15-112 | 3104517 | Cumulative Security Update for Internet Explorer | Critical | Remote Code Execution | MTIS15-173 | Covered Products: Vulnerability Mgr (Nov 10), BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-113 | 3104519 | Cumulative Security Update for Microsoft Edge | Critical | Remote Code Execution | MTIS15-174 | Covered Products: Vulnerability Mgr (Nov 10), BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-114 | 3100213 | Security Update for Windows Journal to Address Remote Code Execution | Critical | Remote Code Execution | MTIS15-174 | Covered Products: Vulnerability Mgr (Nov 10), BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-115 | 3105864 | Security Update for Microsoft Windows to Address Remote Code Execution | Critical | Remote Code Execution | MTIS15-174 | Covered Products: Vulnerability Mgr (Nov 10), Host IPS, NSP. Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-116 | 3104540 | Security Update for Microsoft Office to Address Remote Code Execution | Important | Remote Code Execution | MTIS15-174 | Covered Products: Vulnerability Mgr (Nov 10), BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-117 | 3101722 | Security Update for NDIS to Address Elevation of Privilege | Important | Elevation of Privilege | MTIS15-174 | Covered Products: Vulnerability Mgr (Nov 10), Host IPS, NSP. Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-118 | 3104507 | Security Update for .NET Framework to Address Elevation of Privilege | Important | Elevation of Privilege | MTIS15-174 | Covered Products: Vulnerability Mgr (Nov 10), NSP. Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-119 | 3104521 | Security Update for Winsock to Address Elevation of Privilege | Important | Elevation of Privilege | MTIS15-174 | Covered Products: Vulnerability Mgr (Nov 10), NSP. Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-120 | 3102939 | Security Update for IPSec to Address Denial of Service | Important | Denial of Service | MTIS15-174 | Covered Products: Vulnerability Mgr (Nov 10). Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-121 | 3081320 | Security Update for Schannel to Address Spoofing | Important | Spoofing | MTIS15-174 | Covered Products: Vulnerability Mgr (Nov 10). Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-122 | 3105256 | Security Update for Kerberos to Address Security Feature Bypass | Important | Security Feature Bypass | MTIS15-175 | Covered Products: Vulnerability Mgr (Nov 10). Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-123 | 3105872 | Security Update for Skype for Business and Microsoft Lync to Address Information Disclosure | Important | Information Disclosure | MTIS15-175 | Covered Products: Vulnerability Mgr (Nov 10). Under Analysis: Firewall Enterprise, Web Gateway, DAT |

 

Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS15-112 (CVE-2015-2427, 6064, 6065, 6066, 6068 to 6082, and 6084 to 6089)

Here is the standard cumulative Internet Explorer Security Update. This update addresses 25 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities affect Internet Explorer 7 through Internet Explorer 11 on all currently supported versions of Windows. Because so many versions of Internet Explorer have these vulnerabilities, this affects a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:

 

  • Twenty-three (23) of these vulnerabilities are Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
  • One (1) of these vulnerabilities is an Information Disclosure vulnerability. If exploited, an attacker could potentially read data that was not intended to be disclosed.
  • One (1) of these vulnerabilities is a Security Feature Bypass vulnerability. It bypasses the Address Space Layout Randomization (ASLR) feature in the Microsoft Browser.
  • As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.

   

MS15-113 (CVE-2015-6064, 6073, 6078, & 6088)

This cumulative security update affects only the Microsoft Edge browser on Windows 10. Three (3) of these vulnerabilities are Remote Code Execution vulnerabilities and the other one (1) is a Security Feature Bypass Vulnerability.

 

MS15-114 (CVE-2015-6097)

This security update resolves a single Remote Code Execution vulnerability in Windows Journal. It only occurs if a user is convinced to open a specially crafted Journal file. This vulnerability came through coordinated vulnerability disclosure.

 

MS15-115 (CVE-2015-6100 to 6104, 6109, & 6113)

This bulletin addresses a potpourri of different vulnerabilities in the Windows Kernel. Here we see Memory Elevation of Privilege vulnerabilities, Information Disclosure vulnerabilities, Remote Code Execution vulnerabilities, and a Security Feature Bypass vulnerability. It is for all currently supported versions of the desktop and server flavors of Windows.

 

MS15-116 (CVE-2015-2503, 6038, 6091 to 6094, 6123, 6038, 6093, & 6094)

Here we have multiple vulnerabilities in Microsoft Office, including five (5) Memory Corruption vulnerabilities, an Elevation of Privilege vulnerability, and a Spoofing vulnerability on the Mac version. Versions covered include: 2007, 2010, 2013, 2016, 2013 RT, Mac 2011, Mac 2016, Excel & Word viewers, Office Web Apps 2010 and 2013, Lync 2013, Skype for Business 2016, as well as SharePoint Server 2007, 2010, and 2013.

 

MS15-117 (CVE-2015-6098)

This bulletin addresses a single Elevation of Privilege vulnerability in Microsoft Windows NDIS. It could allow elevation of privilege if an attacker is able to log on to the system and run a specially crafted application. This update resolves the issue by addressing how NDIS validates buffer length.

 

MS15-118 (CVE-2015-6096, 6099, & 6115)

This security update addresses an Information Disclosure vulnerability, an Elevation of Privilege vulnerability, and a Security Feature Bypass vulnerability in multiple versions of the .NET Framework. Since it is possible to have multiple versions of the .NET Framework installed on any given system, users may be required to install multiple software update packages, but they all address the three (3) vulnerabilities in this bulletin.

 

MS15-119 (CVE-2015-2478)

Similarly to MS15-117, this addresses an Elevation of Privilege vulnerability in Winsock. Like that vulnerability, it could allow elevation of privilege if an attacker is able to log on to the system and run a specially crafted application. This one is addressed by preventing Winsock from accessing invalid memory addresses.

 

MS15-120 (CVE-2015-6111)

It seems like this is the month for vulnerabilities in the networking components, because here’s one in IPSec that resolves a Denial of Service vulnerability. Each one of these network component updates addresses a single vulnerability.

 

MS15-121 (CVE-2015-6112)

This bulletin addresses a Spoofing vulnerability in the Schannel component. In order to be exploited, an attacker needs to perform a man-in-the-middle (MiTM) attack between a client and a legitimate server. It is present in all supported releases of Windows, with the exception of Windows 10. So that’s good news for adopters of Windows 10.

 

MS15-122 (CVE-2015-6095)

Here we have a Security Feature Bypass vulnerability in Kerberos. While this one is only marked as Important, I’d advise patching it quickly because an attacker could bypass Kerberos and decrypt drives that are protected by BitLocker. However, this can only be accomplished if the affected system has BitLocker enabled without a PIN or USB key, it is domain-joined, or if the attacker has full physical access to the target computer.

 

MS15-123 (CVE-2015-6061)

Finally, this bulletin covers an Information Disclosure vulnerability in Skype for Business 2016, Lync 2013, Lync 2010, and the Lync Room system. It overlaps somewhat with MS15-116 because of shared components in the affected software.

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

 

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:

 

You can also review the Microsoft Summary for November 2015 at the Microsoft site.

 

This month will be my last Patch Tuesday newsletter. I’m handing this over to another engineer that will be taking it over starting in December. I’d like to thank everyone for reading the Patch Tuesday newsletter, and for all the great suggestions!

 

Stay safe!

-Greg