Microsoft Patch Tuesday, December 2016

December's Patch Tuesday is here to greet you with the pleasant tidings of patches for all of your (currently known Microsoft) vulnerabilities. It's a big release just in time for the holidays with 12 bulletins covering 48 CVEs. Five of the bulletins are rated Critical with the typical software still being patched. This includes the monthly trio of the Internet Explorer and Edge browsers as well as the Adobe Flash engine embedded in said browsers. The Windows Graphics Component (GDI) is also back affecting documents and websites that can be made to trigger arbitrary code in the context of the logged in user. Speaking of GDI, new to the bulletin list is a critical vulnerability in Windows Uniscribe. The Uniscribe engine is used by Windows to render Unicode text. Similar to the vulnerabilities in GDI, a malicious document or website can exploit a vulnerability in Uniscribe that can trigger arbitrary code execution.

Of the bulletins rated Important, the majority are local privilege escalation vulnerabilities in Windows or the Windows Kernel. Combining arbitrary code execution vulnerabilities (like those found in the Critical bulletins this month) with a privilege escalation vulnerability is a typical path attackers use to get system level code to execute on a system. Microsoft Office also gets patched again this month to repair more arbitrary code execution vulnerabilities. Finally a vulnerability in the .NET Framework could allow an attacker to access data that is supposed to be protected by an "Always Encrypted" feature.

This month the most risk resides in the client side of the Microsoft product suite. Users should patch as soon as possible and, as always, be cautious about the documents they open or the websites they browse to. Happy Holidays to one and all and may your year end malware free!

MS16-144
CVE-2016-7202, CVE-2016-7278, CVE-2016-7279, CVE-2016-7281, CVE-2016-7282, CVE-2016-7283, CVE-2016-7284, CVE-2016-7287
Critical
Cumulative Security Update for Internet Explorer

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

MS16-145
CVE-2016-7181, CVE-2016-7206, CVE-2016-7279, CVE-2016-7280, CVE-2016-7281, CVE-2016-7282, CVE-2016-7286, CVE-2016-7287, CVE-2016-7288, CVE-2016-7296, CVE-2016-7297
Critical
Cumulative Security Update for Microsoft Edge

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

This security update is rated Critical for Microsoft Edge on Windows 10 and Windows Server 2016.

MS16-146
CVE-2016-7257, CVE-2016-7272, CVE-2016-7273
Critical
Security Update for Microsoft Graphics Component

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported releases of Microsoft Windows

MS16-147
CVE-2016-7274
Critical
Security Update for Microsoft Uniscribe

This security update resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported releases of Microsoft Windows

MS16-148
CVE-2016-7257, CVE-2016-7262, CVE-2016-7263, CVE-2016-7264, CVE-2016-7265, CVE-2016-7266, CVE-2016-7267, CVE-2016-7268, CVE-2016-7275, CVE-2016-7276, CVE-2016-7277, CVE-2016-7289, CVE-2016-7290, CVE-2016-7291, CVE-2016-7298, CVE-2016-7300
Important
Security Update for Microsoft Office

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

See full Microsoft bulletin for affected versions of Microsoft Office.

MS16-149
CVE-2016-7219, CVE-2016-7292
Important
Security Update for Windows

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if a locally authenticated attacker runs a specially crafted application.

This security update is rated Important for all supported releases of Microsoft Windows.

MS16-150
CVE-2016-7271
Important
Security Update for Windows Secure Kernel Mode

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a locally-authenticated attacker runs a specially crafted application on a targeted system. An attacker who successfully exploited the vulnerability could violate virtual trust levels (VTL).

This security update is rated Important for all supported editions of Windows 10 and Windows Server 2016.

MS16-151
CVE-2016-7259, CVE-2016-7260
Important
Security Update for Kernel-Mode Driver

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.

This security update is rated Important for all supported releases of Windows.

MS16-152
CVE-2016-7258
Important
Security Update for Windows Kernel

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows kernel improperly handles objects in memory.

This security update is rated Important for all supported versions of Windows 10 and Window Server 2016.

MS16-153
CVE-2016-7295
Important
Security Update for Common Log File System Driver

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow Information Disclosure when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to bypass security measures on the affected system allowing further exploitation.

This security update is rated Important for all supported releases of Microsoft Windows.

MS16-154
Adobe Bulletin APSB16-39
Critical
Security Update for Adobe Flash Player

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.

MS16-155
CVE-2016-7270
Important
Security Update for .NET Framework

This security update resolves a vulnerability in Microsoft .NET 4.6.2 Framework's Data Provider for SQL Server. A security vulnerability exists in Microsoft .NET Framework 4.6.2 that could allow an attacker to access information that is defended by the Always Encrypted feature. The security update addresses the vulnerability by correcting the way .NET Framework handles the developer-supplied key, and thus properly defends the data.

This security update is rated Important for Microsoft .NET Framework 4.6.2.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.