Microsoft Patch Tuesday, November 2015

November's Patch Tuesday marks a return to business as usual. Where October was a rather light month for bulletins, November brings back to the same patch levels we saw in September and August. This month there are a total of twelve bulletins, with four rated Critical and eight rated Important, representing a total of 53 individual CVEs. As usual, perennial vulnerability contributor Internet Explorer represents 25 of those vulnerabilities.

Also in the Critical list the new Edge browser showed up to the patch party with four vulnerabilities, the most severe of which can lead to remote code execution. The last two Critical bulletins are ones that we see pop up every couple of months. One is in Windows Journal where a maliciously crafted Journal file could result in arbitrary code execution in the context of the user that opens the file. The last one is in OpenType fonts that would allow an attacker to trigger arbitrary code execution by embedding malicious OpenType fonts in a document or web page and then convincing a user to open the document.

MS15-112
CVE-2015-2427, CVE-2015-6064, CVE-2015-6065, CVE-2015-6066, CVE-2015-6068, CVE-2015-6069, CVE-2015-6070, CVE-2015-6071, CVE-2015-6072, CVE-2015-6073, CVE-2015-6074, CVE-2015-6075, CVE-2015-6076, CVE-2015-6077, CVE-2015-6078, CVE-2015-6079, CVE-2015-6080, CVE-2015-6081, CVE-2015-6082, CVE-2015-6084, CVE-2015-6085, CVE-2015-6086, CVE-2015-6087, CVE-2015-6088, CVE-2015-6089
Critical
Cumulative Security Update for Internet Explorer

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.

This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

MS15-113
CVE-2015-6064, CVE-2015-6073, CVE-2015-6078, CVE-2015-6088
Critical
Cumulative Security Update for Microsoft Edge

This security update resolves vulnerabilities in Microsoft Edge. The more severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.

This security update is rated Critical for Microsoft Edge on Windows 10.

MS15-114
CVE-2015-6097
Critical
Security Update for Windows Journal to Address Remote Code Execution

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Journal file.

This security update is rated Critical for all supported editions of Windows Vista and Windows 7, and for all supported non-Itanium editions Windows Server 2008 and Windows Server 2008 R2.

MS15-115
CVE-2015-6100, CVE-2015-6101, CVE-2015-6102, CVE-2015-6103, CVE-2015-6104, CVE-2015-6109, CVE-2015-6113
Critical
Security Update for Microsoft Windows to Address Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted webpage that contains embedded OpenType fonts.

This security update is rated Critical for all supported releases of Windows.

MS15-116
CVE-2015-2503, CVE-2015-6038, CVE-2015-6091, CVE-2015-6092, CVE-2015-6093, CVE-2015-6094, CVE-2015-6123
Important
Security Updates for Microsoft Office to Address Remote Code Execution

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Specific configurations of Microsoft Office 2007, 2010, and 2013 are affected. Please see main Microsoft bulletin for full matrix of affected software.

MS15-117
CVE-2015-6098
Important
Security Update for NDIS to Address Elevation of Privilege

This security update resolves a vulnerability in Microsoft Windows NDIS. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.

This security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

MS15-118
CVE-2015-6096, CVE-2015-6099, CVE-2015-6115
Important
Security Updates for .NET Framework to Address Elevation of Privilege

This security update resolves vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an attacker could inject a client-side script in a user's browser. The script could then spoof content, disclose information, or take any action that the user could take on an affected website. However, attempts to exploit this vulnerability would require user interaction.

This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5, Microsoft .NET Framework 4.5.1, Microsoft .NET Framework 4.5.2, and Microsoft .NET Framework 4.6 on affected releases of Microsoft Windows.

MS15-119
CVE-2015-2478
Important
Security Update in Winsock to Address Elevation of Privilege

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a target system and runs specially crafted code that is designed to exploit the vulnerability.

This security update is rated Important for all supported releases of Microsoft Windows

MS15-120
CVE-2015-6111
Important
Security Update for IPSec to Address Denial of Service

This security update resolves a denial of service vulnerability in Microsoft Windows. An attacker who successfully exploited the vulnerability could cause the system to become nonresponsive. To exploit the vulnerability an attacker must have valid credentials.

This security update is rated Important for all supported releases of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

MS15-121
CVE-2015-6112
Important
Security Update to Schannel to Address Spoofing

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow spoofing if an attacker performs a man-in-the-middle (MiTM) attack between a client and a legitimate server.

This security update is rated Important for all supported releases of Microsoft Windows excluding Windows 10.

MS15-122
CVE-2015-6095
Important
Security Update for Kerberos to Address Security Feature Bypass

This security update resolves a security feature bypass in Microsoft Windows. An attacker could bypass Kerberos authentication on a target machine and decrypt drives protected by BitLocker. The bypass can be exploited only if the target system has BitLocker enabled without a PIN or USB key.

This security update is rated Important for all supported editions of Windows.

MS15-123
CVE-2015-6061
Important
Security Update for Skype for Business and Lync to Address Information Disclosure

This security update resolves a vulnerability in Microsoft Lync. The vulnerability could allow information disclosure if an attacker invites a target user to an instant message session and then sends that user a message containing specially crafted JavaScript content.

This security update is rated Critical for all supported editions of Skype 2016, Microsoft Lync 2013, and Microsoft Lync 2010; it is also rated Important for certain Microsoft Lync Room System components.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.