Hello everyone,

This is Kelly Housman with the Microsoft Patch Tuesday newsletter for December 13, 2016.

Sorry for the delay, we are experiencing some issues with the publishing tool for the MTIS reports.

The MTIS links below are to the main reports page, and once MTIS16-063 and MTIS16-064 are posted they’ll show in the list.

 

Welcome to the December Patch Tuesday update. This was an average month in which Microsoft released a total of twelve (12) new security bulletins, including one for Adobe Flash. Six (6) of these are rated Critical. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The remaining six (6) are rated Important.

 

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

 

  This month’s patches include the following:

| Bulletin Number | KB Number | Title | Bulletin Rating (highest) | Vulnerability Impact | McAfee Labs Security Advisory Number | Intel Security Coverage |
|---|---|---|---|---|---|---|
| MS16-144 | 3204059 | Cumulative Security Update for Internet Explorer | Critical | Memory Corruption; Information Disclosure; Security Feature Bypass | MTIS16-063 | Covered Products: BOP, HIPS, NSP, Vulnerability Manager, App Control. Under Analysis: DAT, Web Gateway, Firewall Enterprise |
| MS16-145 | 3204062 | Cumulative Security Update for Microsoft Edge | Critical | Memory Corruption; Information Disclosure; Security Feature Bypass | MTIS16-063 | Covered Products: NSP, Application Control, Vulnerability Manager. Under Analysis: Web Gateway, DAT, Firewall Enterprise |
| MS16-146 | 3204066 | Security Update for Microsoft Graphics Component | Critical | Remote Code Execution; Information Disclosure | MTIS16-063 | Covered Products: NSP, BOP, HIPS, Application Control, Vulnerability Manager. Under Analysis: Web Gateway, DAT, Firewall Enterprise |
| MS16-147 | 3204063 | Security Update for Microsoft Uniscribe | Critical | Remote Code Execution | MTIS16-063 | Covered Products: Host IPS, NSP, Vulnerability Manager. Under Analysis: Firewall Enterprise, DAT, Web Gateway |
| MS16-148 | 3204068 | Security Update for Microsoft Office | Critical | Memory Corruption; Security Bypass; Information Disclosure; DLL side loading; Elevation of Privileges | MTIS16-064 | Covered Products: Application Control, Vulnerability Manager, BOP, HIPS, NSP. Under Analysis: Firewall Enterprise, DAT, Web Gateway |
| MS16-149 | 3205655 | Security Update for Windows | Important | Memory Corruption; Information Disclosure | MTIS16-064 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-150 | 3205642 | Security Update for Windows Secure Kernel Mode | Important | Elevation of Privileges | MTIS16-064 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise, DAT, Web Gateway |
| MS16-151 | 3205651 | Security Update for Kernel-Mode Driver | Important | Elevation of Privilege | MTIS16-064 | Covered Products: Host IPS, NSP, Vulnerability Manager. Under Analysis: Firewall Enterprise |
| MS16-152 | 3199709 | Security Update for Windows Kernel | Important | Memory Information Disclosure | MTIS16-064 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise, DAT, Web Gateway |
| MS16-153 | 3207328 | Security Update for Common Log File System Driver | Important | Information Disclosure | MTIS16-064 | Covered Products: Vulnerability Manager, NSP. Under Analysis: Firewall Enterprise |
| MS16-154 | 3209498 | Security Update for Adobe Flash Player | Critical | N/A | MTIS16-064 | N/A |
| MS16-155 | 3205640 | Security Update for .NET Framework | Important | Information Disclosure | MTIS16-064 | Covered Products: Vulnerability Manager. Under Analysis: Firewall Enterprise, DAT, Web Gateway |

 

Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS16-144 (CVE-2016-7202, 7278, 7279, 7281, 7282, 7283, 7284, and 7287)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

The update addresses the vulnerabilities by correcting how:

  • Microsoft browser and affected components handle objects in memory
  • Microsoft browser checks Same Origin Policy for scripts running inside Web Workers
  • Scripting engines handle objects in memory

MS16-145 (CVE-2016-7181, 7206, 7279, 7280, 7281, 7282, 7286, 7287, 7288, 7296, and 7297)

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10 and Windows Server 2016.

The update addresses the vulnerabilities by correcting how:

  • Microsoft browser and affected components handle objects in memory
  • Microsoft browser checks Same Origin Policy for scripts running inside Web Workers
  • Scripting engines handle objects in memory

MS16-146 (CVE-2016-7257, 7272, and 7273)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update addresses the vulnerabilities by correcting how the Windows GDI component handles objects in memory.

MS16-147 (CVE-2016-7274)

This security update resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update addresses the vulnerability by correcting how Windows Uniscribe handles objects in memory.

 

MS16-148 (CVE-2016-7257, 7262, 7263, 7264, 7265, 7266, 7267, 7268, 7275, 7276, 7277, 7289, 7290, 7291, 7298, and 7300)

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

 

The security update addresses the vulnerabilities by correcting how:

  • Microsoft Office initializes variables
  • Microsoft Office validates input
  • Microsoft Office rechecks registry values
  • Microsoft Office parses file formats
  • Affected versions of Office and Office components handle objects in memory
  • Microsoft Office for Mac Auto-update validates packages

MS16-149 (CVE-2016-7219 and 7292)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if a locally authenticated attacker runs a specially crafted application.

The security update addresses the vulnerabilities by:

  • Correcting how a Windows crypto driver handles objects in memory.
  • Correcting the input sanitization error to preclude unintended elevation.

MS16-150 (CVE-2016-7271)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a locally-authenticated attacker runs a specially crafted application on a targeted system. An attacker who successfully exploited the vulnerability could violate virtual trust levels (VTL).

The update addresses the vulnerability by correcting how Windows Secure Kernel Mode handles objects in memory to properly enforce VTLs.

MS16-151 (CVE-2016-7259 and 7260)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.

 

MS16-152 (CVE-2016-7258)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows kernel improperly handles objects in memory.

 

The security update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. 

 

MS16-153 (CVE-2016-7295)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to bypass security measures on the affected system, allowing further exploitation.

The update addresses the vulnerability by correcting how CLFS handles objects in memory.

MS16-154 (N/A)

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

This security update addresses the vulnerabilities described in Adobe Security Bulletin APSB16-39.

MS16-155 (CVE-2016-7270)

This security update resolves a vulnerability in Microsoft .NET 4.6.2 Framework’s Data Provider for SQL Server. A security vulnerability exists in Microsoft .NET Framework 4.6.2 that could allow an attacker to access information that is defended by the Always Encrypted feature.

The security update addresses the vulnerability by correcting the way .NET Framework handles the developer-supplied key, and thus properly defends the data.

 

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products, not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

 

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:

You can also review the Microsoft Summary for December 2016 at the Microsoft site.

 

Safe Computing!

Thank you,

Kelly Housman