Hello everyone,

 

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for December 2015.

 

Welcome to the December Patch Tuesday update. This month Microsoft released a total of twelve (12) new security bulletins. Eight (8) of these are rated Critical, which Microsoft defines as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other four (4) are rated Important.

 

Clarification of the Intel Security Coverage column in the table below

 

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

 

This month’s patches include the following:

 

| Bulletin Number | KB Number | Title | Bulletin Rating | Vulnerability Impact | McAfee Labs Security Advisory Number | Intel Security Coverage |
|---|---|---|---|---|---|---|
| MS15-124 | 3116180 | Cumulative Security Update for Internet Explorer | Critical | Remote Code Execution | MTIS15-182, MTIS15-183 | Covered Products: Vulnerability Mgr, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-125 | 3116184 | Cumulative Security Update for Microsoft Edge | Critical | Remote Code Execution | MTIS15-183 | Covered Products: Vulnerability Mgr, BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-126 | 3116178 | Cumulative Security Update for JScript and VBScript | Critical | Remote Code Execution | MTIS15-183 | Covered Products: Vulnerability Mgr (Nov 10), BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-127 | 3100465 | Security Update for Microsoft Windows DNS | Critical | Remote Code Execution | MTIS15-183 | Covered Products: Vulnerability Mgr, Host IPS, Application Control. Under Analysis: Firewall Enterprise |
| MS15-128 | 3104503 | Security Update for Microsoft Graphics Component | Critical | Remote Code Execution | MTIS15-184 | Covered Products: Vulnerability Mgr, BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise |
| MS15-129 | 3106614 | Security Update for Silverlight | Critical | Remote Code Execution | MTIS15-184 | Covered Products: Vulnerability Mgr, BOP, Host IPS, Application Control. Under Analysis: Firewall Enterprise |
| MS15-130 | 3108670 | Security Update for Microsoft Uniscribe | Critical | Remote Code Execution | MTIS15-184 | Covered Products: Vulnerability Mgr, NSP, Host IPS, Application Control. Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-131 | 3116111 | Security Update for Microsoft Office | Critical | Remote Code Execution | MTIS15-184 | Covered Products: Vulnerability Mgr, NSP, BOP, Host IPS, Application Control. Under Analysis: Firewall Enterprise, Web Gateway, DAT |
| MS15-132 | 3116162 | Security Update for Microsoft Windows | Important | Remote Code Execution | MTIS15-184 | Covered Products: Vulnerability Mgr, NSP. Under Analysis: Firewall Enterprise |
| MS15-133 | 3116130 | Security Update for Windows PGM | Important | Elevation of Privileges | MTIS15-184 | Covered Products: Vulnerability Mgr, Host IPS, NSP. Under Analysis: Firewall Enterprise |
| MS15-134 | 3108669 | Security Update for Windows Media Center | Important | Remote Code Execution | MTIS15-184 | Covered Products: Vulnerability Mgr. Under Analysis: Firewall Enterprise |
| MS15-135 | 3119075 | Security Update for Windows Kernel-Mode Drivers | Important | Elevation of Privileges | MTIS15-184 | Covered Products: Vulnerability Mgr, Host IPS, NSP. Under Analysis: Firewall Enterprise |

 

Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS15-124 (CVE-2015-6083, 6134 to 6159, and 6161 to 6164)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

 

This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers. For more information, see the Affected Software section. 

 

    • Twenty-three (23) of these vulnerabilities are Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
    • Three (3) of these vulnerabilities are XSS Security Bypass vulnerabilities. These may allow the attacker to steal cookie-based authentication credentials and other sensitive data that may aid in further attacks.
    • One (1) of these vulnerabilities is a Security Feature Bypass vulnerability. It bypasses the Address Space Layout Randomization (ASLR) feature in the Microsoft Browser.
    • As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.

 

MS15-125 (CVE-2015-6139, 6140, 6142, 6148, 6151, 6153-6155, 6158, 6159, 6161, 6168, 6169, 6170, 6176)

This cumulative security update affects only the Microsoft Edge browser on Windows 10. Ten (10) of these vulnerabilities are Remote Code Execution vulnerabilities and the others are a Security Feature Bypass Vulnerability, Content information Disclosure, and Privilege Escalation.

 

MS15-126 (CVE-2015-6135-6137)
This security update resolves two (2) Remote Code Execution vulnerabilities in the JScript and VBScript engines and one (1) Information Disclosure vulnerability. This bulletin represents a memory usage fix for vbscript.dll.

 

MS15-127 (CVE-2015-6125) 

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server.
The security update addresses the vulnerability by modifying how DNS servers parse requests.
 

 

MS15-128 (CVE-2015-6106, 6107, 6108)

This security update resolves vulnerabilities in Microsoft Windows, the .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync, and Silverlight. These vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts.

 

MS15-129 (CVE-2015-6114, 6165, 6166)

These three (3) updates resolve vulnerabilities in MS Silverlight. To exploit the vulnerability, an attacker could host a website that contains a specially crafted Silverlight application and then convince a user to visit a compromised website. The attacker could also take advantage of websites that contain specially crafted content that accept or host user-provided content or advertisements.

 

MS15-130 (CVE-2015-6130)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains specially crafted fonts.

 

MS15-131 (CVE-2015-6040, 6118, 6122, 6124 (Exploited), 6172, 6177)

Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited these vulnerabilities could run arbitrary code in the context of the current user. Exploitation could occur via an email attachment or malicious URL link, by convincing the user to either open the attachment or click the link.

 

MS15-132 (CVE-2015-6128, 6129, 6132, 6133) 

Multiple remote code execution vulnerabilities exist when Windows improperly validates input before loading libraries. An attacker who successfully exploited the vulnerabilities could take complete control of an affected system. To exploit the vulnerabilities, an attacker would need access to the local system and the ability to execute a specially crafted application on the system. The security update addresses the vulnerabilities by correcting how Windows validates input before loading libraries.

 

MS15-133 (CVE-2015-6126) 

An elevation of privilege vulnerability exists in the Windows Pragmatic General Multicast (PGM) protocol that is caused when an attacker-induced race condition results in references to memory contents that have already been freed. Microsoft Message Queuing (MSMQ) must be installed and PGM specifically enabled for a system to be vulnerable. MSMQ is not present in default configurations and if it is installed the PGM protocol is available but disabled by default. 

 

MS15-134 (CVE-2015-6127, 6131) 

A vulnerability exists in Windows Media Center that could allow information disclosure if Windows Media Center improperly handles a specially crafted Media Center link (.mcl) file that references malicious code.  

    • An attack through Internet Explorer or Microsoft Edge requires the user to accept a security warning.
    • If the attacker's executable file is on the localhost or in the same LAN, it will open without a warning. However, if the share is outside of the local network, a security warning dialog box will appear.
    • For an attack to succeed, the user must first open Media Center and set it up.

 

MS15-135 (CVE-2015-6171, 6173, 6174, 6175 (Exploited))

Finally, multiple elevation of privilege vulnerabilities exist due to the way the Windows kernel handles objects in memory. An attacker who successfully exploited the vulnerabilities could run arbitrary code in kernel mode.

 

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities: 

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site. 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:

 

You can also review the Microsoft Summary for December 2015 at the Microsoft site.

 

 

Safe Computing!

Thank you, 

Kelly Housman