Hello Everyone,

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for November 8, 2016.


Do you still have legacy unsupported systems in your environment? Click here to learn how to leverage McAfee solutions to help secure those systems.

 

Welcome to the November Patch Tuesday update. This was a busier month: Microsoft released a total of fourteen (14) new security bulletins, including one for Adobe Flash Player. Six (6) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining eight (8) are rated Important.

 

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

 

  This month’s patches include the following. Each entry reads Bulletin Number | KB Number | Title | Bulletin Rating (highest), followed by the Vulnerability Impact, the McAfee Labs Security Advisory Number, and the Intel Security Coverage (Covered Products / Under Analysis):

MS16-142 | KB3198467 | Cumulative Security Update for Internet Explorer | Critical
  Impact: Memory Corruption; Information Disclosure; Remote Code Execution
  Advisory: MTIS16-062
  Covered Products: BOP, HIPS, NSP, Vulnerability Manager
  Under Analysis: DAT, Web Gateway, Firewall Enterprise

MS16-129 | KB3199057 | Cumulative Security Update for Microsoft Edge | Critical
  Impact: Memory Corruption; Information Disclosure; Spoofing; Elevation of Privilege; Remote Code Execution
  Advisory: MTIS16-059
  Covered Products: NSP, Application Control, Vulnerability Manager
  Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-130 | KB3199172 | Security Update for Microsoft Windows | Critical
  Impact: Remote Code Execution; Elevation of Privilege
  Advisory: MTIS16-059
  Covered Products: NSP, BOP, HIPS, Application Control, Vulnerability Manager
  Under Analysis: Web Gateway, DAT, Firewall Enterprise

MS16-131 | KB3199151 | Security Update for Microsoft Video Control | Critical
  Impact: Remote Code Execution
  Advisory: MTIS16-059
  Covered Products: Host IPS, Application Control, BOP, Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-132 | KB3199120 | Security Update for Microsoft Graphics Component | Critical
  Impact: Memory Corruption; Information Disclosure
  Advisory: MTIS16-059
  Covered Products: NSP, Application Control, Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-133 | KB3199168 | Security Update for Microsoft Office | Important
  Impact: Memory Corruption; Information Disclosure; Denial of Service
  Advisory: MTIS16-060
  Covered Products: Host IPS, Application Control, BOP, NSP, Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-134 | KB3193706 | Security Update for Common Log File System Driver | Important
  Impact: Elevation of Privilege
  Advisory: MTIS16-060
  Covered Products: Vulnerability Manager, Host IPS, NSP
  Under Analysis: Firewall Enterprise

MS16-135 | KB3199135 | Security Update for Kernel-Mode Drivers | Important
  Impact: Elevation of Privilege; Information Disclosure
  Advisory: MTIS16-061
  Covered Products: Host IPS, NSP, Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-136 | KB3199641 | Security Update for SQL Server | Important
  Impact: Elevation of Privilege; MDS API XSS; Information Disclosure; RDBMS Engine EoP
  Advisory: MTIS16-061
  Covered Products: NSP, Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-137 | KB3199173 | Security Update for Windows Authentication Methods | Important
  Impact: Elevation of Privilege; Information Disclosure; Denial of Service
  Advisory: MTIS16-061
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise, Database Activity Monitoring, Vulnerability Manager for Databases

MS16-138 | KB3199647 | Security Update for Microsoft Virtual Hard Drive | Important
  Impact: Elevation of Privilege
  Advisory: MTIS16-061
  Covered Products: Vulnerability Manager, NSP
  Under Analysis: Firewall Enterprise

MS16-139 | KB3199720 | Security Update for Windows Kernel | Important
  Impact: Elevation of Privilege
  Advisory: MTIS16-061
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-140 | KB3193479 | Security Update for Boot Manager | Important
  Impact: Security Feature Bypass
  Advisory: MTIS16-061
  Covered Products: Vulnerability Manager
  Under Analysis: Firewall Enterprise

MS16-141 | KB3202790 | Security Update for Adobe Flash Player | Critical
  Impact: N/A
  Advisory: N/A
  Covered Products: Not Tested
  Under Analysis: Not Tested


Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS16-142 (CVE-2016-7196, 7198, 7195, 7199, 7227, 7239, and 7241)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9) and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

The update addresses the vulnerabilities by correcting how Internet Explorer:

  • modifies objects in memory
  • uses the XSS filter to handle RegEx

MS16-129 (CVE-2016-7195, 7196, 7198, 7199, 7200, 7201, 7202, 7203, 7204, 7208, 7209, 7227, 7239, 7240, 7241, 7242, and 7243)

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10 and Windows Server 2016. For more information, see the Affected Software section.

The update addresses the vulnerabilities by:

  • modifying how Microsoft browsers handle objects in memory
  • changing how the XSS filter in Microsoft browsers handles RegEx
  • modifying how the Chakra JavaScript scripting engine handles objects in memory
  • correcting how Microsoft Edge parses HTTP responses


MS16-130 (CVE-2016-7212, 7221, and 7222)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a locally authenticated attacker runs a specially crafted application.

This security update is rated Critical for all supported releases of Microsoft Windows.

The security update addresses the vulnerabilities by:

  • Correcting how the Windows Input Method Editor (IME) loads DLLs.
  • Requiring hardened UNC paths be used in scheduled tasks.
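The second fix in MS16-130 makes Task Scheduler insist on hardened UNC paths. The script below is an added example, not part of the newsletter or of any McAfee tool: it lists every scheduled task action that executes from, or passes arguments containing, a \\host\share path, and reports whether that path is covered by an entry in the UNC Hardening policy (the HardenedPaths registry key, which is where the "Hardened UNC Paths" Group Policy setting is stored). Treating an entry as hardened only when it sets both RequireMutualAuthentication=1 and RequireIntegrity=1 is this script's own audit criterion, not a description of how Task Scheduler evaluates the policy. It is read-only and should be run from an elevated PowerShell session.

```powershell
# Added example (not from the newsletter): find scheduled tasks that run from a
# UNC path and check each path against the UNC Hardening policy. Read-only.

$hardenedKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
# Regex for \\host\share anywhere in a string; arguments can embed a UNC path.
$uncRegex = '\\\\[^\\\s"]+\\[^\\\s"]+'

function Get-HardenedPathPolicy {
    # Value names are the paths (e.g. \\*\SYSVOL); value data is a string such as
    # "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=0".
    $policy = @{}
    if (Test-Path $hardenedKey) {
        foreach ($p in (Get-ItemProperty -Path $hardenedKey).PSObject.Properties) {
            if ($p.Name.StartsWith('\\')) { $policy[$p.Name] = [string]$p.Value }
        }
    }
    return $policy
}

function Test-HardenedUnc([string]$Path, [hashtable]$Policy) {
    # A policy entry like \\*\SYSVOL covers \\dc1\SYSVOL\scripts\x.cmd: -like
    # understands the wildcard and treats backslashes literally. Our audit
    # criterion (an assumption of this script): both mutual auth and integrity.
    foreach ($pattern in $Policy.Keys) {
        if ($Path -like "$pattern*" -and
            $Policy[$pattern] -match 'RequireMutualAuthentication=1' -and
            $Policy[$pattern] -match 'RequireIntegrity=1') {
            return $true
        }
    }
    return $false
}

function Get-UncScheduledTasks {
    $policy = Get-HardenedPathPolicy
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments/WorkingDirectory; the
            # fields are $null for COM-handler actions and are skipped below.
            $fields = @($action.Execute, $action.Arguments, $action.WorkingDirectory)
            $unc = foreach ($f in $fields) {
                if ($f) { [regex]::Matches($f, $uncRegex) | ForEach-Object { $_.Value } }
            }
            foreach ($u in ($unc | Sort-Object -Unique)) {
                [pscustomobject]@{
                    Task     = $task.TaskPath + $task.TaskName
                    RunAs    = $task.Principal.UserId
                    UncPath  = $u
                    Hardened = Test-HardenedUnc -Path $u -Policy $policy
                }
            }
        }
    }
}

$rows = @(Get-UncScheduledTasks)
if ($rows.Count -eq 0) {
    'No scheduled task references a UNC path.'
} else {
    # Unhardened paths sort first; a task running as SYSTEM from one of them is
    # the case to fix before (or alongside) deploying the update.
    $rows | Sort-Object Hardened, Task | Format-Table -AutoSize
}
```

Rows with Hardened = False are tasks whose network source would be accepted without mutual authentication or SMB signing under the policy as written; after MS16-130 those tasks may stop running until a matching HardenedPaths entry is added, so this list doubles as a pre-deployment compatibility check.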

MS16-131 (CVE-2016-7248)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution when Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.

The update addresses the vulnerability by correcting how Microsoft Video Control handles objects in memory.

 

MS16-132 (CVE-2016-7205, 7210, 7217, and 7256)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution when the Windows Animation Manager improperly handles objects in memory, if a user visits a malicious webpage. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. This security update is rated Critical for all supported releases of Microsoft Windows.

The security update addresses the vulnerabilities by correcting how the ATMFD component, the Windows Animation Manager, and the Windows Media Foundation handle objects in memory.

 

MS16-133 (CVE-2016-7213, 7228 through 7236, 7244, and 7245)

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how:

  • Microsoft Office initializes variables.
  • Affected versions of Office and Office components handle objects in memory.

 

MS16-134 (CVE-2016-0026, 3332, 3333, 3334, 3335, 3338, 3340, 3342, 3343, and 7184)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit these vulnerabilities by running a specially crafted application to take complete control of the affected system. An attacker who successfully exploited these vulnerabilities could run processes in an elevated context.

The update addresses the vulnerabilities by correcting how CLFS handles objects in memory.

MS16-135 (CVE-2016-7214, 7215, 7218, 7246, and 7255)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that exploits the vulnerabilities to take control of the affected system.

The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.

 

MS16-136 (CVE-2016-7249, 7250, 7251, 7252, 7253, and 7254)

This security update resolves vulnerabilities in Microsoft SQL Server. The most severe of these could allow an attacker to gain elevated privileges that could be used to view, change, or delete data, or to create new accounts. The security update addresses these most severe vulnerabilities by correcting how SQL Server handles pointer casting.

This security update is rated Important for supported editions of Microsoft SQL Server 2012 Service Packs 2 and 3, Microsoft SQL Server 2014 Service Packs 1 and 2, and Microsoft SQL Server 2016. 

 

MS16-137 (CVE-2016-7220, 7237, and 7238)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege. To exploit this vulnerability, the attacker would first need to authenticate to the target, domain-joined system using valid user credentials. An attacker who successfully exploited this vulnerability could elevate their permissions from an unprivileged user account to administrator. The attacker could then install programs; view, change, or delete data; or create new accounts. The attacker could subsequently attempt to elevate by locally executing a specially crafted application designed to manipulate NTLM password change requests.

The security update addresses the vulnerabilities by:

  • Updating Windows NTLM to harden the password change cache.
  • Changing the way that LSASS handles specially crafted requests.
  • Correcting how Windows Virtual Secure Mode handles objects in memory.

 

MS16-138 (CVE-2016-7223 through 7226)

This security update resolves vulnerabilities in Microsoft Windows. The Windows VHDMP kernel driver improperly handles user access to certain files. An attacker could manipulate files in locations not intended to be available to the user by exploiting this vulnerability.

The security update addresses the vulnerabilities by correcting how the kernel API restricts access to these files.

MS16-139 (CVE-2016-7216)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a locally authenticated attacker runs a specially crafted application; by this method an attacker can gain access to information not intended to be available to the user.

The security update addresses the vulnerability by helping to ensure the kernel API correctly enforces access controls applied to this information.

MS16-140 (CVE-2016-7247)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if a physically-present attacker installs an affected boot policy.

The security update addresses the vulnerability by revoking affected boot policies in the firmware.

MS16-141 (APSB16-37)

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.
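With the bulletins covered, the practical question is which of them a given host still lacks. The script below is an added example, not part of the newsletter or of any McAfee product: it reports a host's status against this month's bulletins. The KB numbers are the bulletin-level numbers from the table above (KB3199151 for MS16-131 and KB3199168 for MS16-133). The first step reads the local installed-updates list; the second asks the Windows Update agent, through its COM API, which of these bulletins it still offers, and assumes the host can reach Windows Update or a WSUS server. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the newsletter): report a host's status against the
# November 2016 bulletins. Bulletin-to-KB mapping is from the table above.

$bulletins = [ordered]@{
    'MS16-129' = 'KB3199057'; 'MS16-130' = 'KB3199172'; 'MS16-131' = 'KB3199151'
    'MS16-132' = 'KB3199120'; 'MS16-133' = 'KB3199168'; 'MS16-134' = 'KB3193706'
    'MS16-135' = 'KB3199135'; 'MS16-136' = 'KB3199641'; 'MS16-137' = 'KB3199173'
    'MS16-138' = 'KB3199647'; 'MS16-139' = 'KB3199720'; 'MS16-140' = 'KB3193479'
    'MS16-141' = 'KB3202790'; 'MS16-142' = 'KB3198467'
}

function Get-PatchTuesdayStatus {
    # Step 1: the local installed-updates list (Win32_QuickFixEngineering).
    # Two caveats before trusting an absence here:
    #  - Windows 10 cumulative updates, and the monthly rollups for Windows 7 and
    #    8.1 that started in October 2016, install under their own KB number, so
    #    a bulletin's KB can be missing from this list while the fix is present.
    #  - Office (MS16-133) and SQL Server (MS16-136) updates are MSI/MSP based and
    #    are never recorded in QFE; verify those products separately.
    $qfe = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

    # Step 2: ask the Windows Update agent what is still applicable. It understands
    # supersedence, so a bulletin it no longer offers is either already covered by
    # a later cumulative update or does not apply to this host.
    $pending = @{}
    $wuReachable = $false
    try {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
        foreach ($u in $result.Updates) {
            # IUpdate.SecurityBulletinIDs carries the MSxx-yyy identifiers.
            foreach ($id in $u.SecurityBulletinIDs) {
                if ($bulletins.Contains($id)) { $pending[$id] = $u.Title }
            }
        }
        $wuReachable = $true
    } catch {
        Write-Warning "Windows Update search failed: $($_.Exception.Message)"
    }

    foreach ($id in $bulletins.Keys) {
        $kb = $bulletins[$id]
        $status = if ($qfe -contains $kb)            { 'Installed (QFE)' }
                  elseif ($pending.ContainsKey($id))   { 'MISSING: offered by Windows Update' }
                  elseif ($wuReachable)                { 'Not offered (superseded or not applicable)' }
                  else                                 { 'Unknown (not in QFE, Windows Update unreachable)' }
        [pscustomobject]@{
            Bulletin     = $id
            KB           = $kb
            Status       = $status
            PendingTitle = $pending[$id]
        }
    }
}

Get-PatchTuesdayStatus | Format-Table -AutoSize
```

Read the Status column in order of trust: a MISSING row is authoritative because the agent has evaluated applicability and supersedence for this host; an Installed (QFE) row is reliable; Not offered means the fix is either already inside a newer cumulative update or irrelevant to this build, and the Unknown rows are exactly the hosts that need a WSUS or scanner result before they can be signed off.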

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products, not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.


Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:

You can also review the Microsoft Summary for November 2016 at the Microsoft site.

 

Safe Computing!

Thank you,

  Kelly Housman