December 2015 Patch Tuesday

BeyondTrust Research Team, December 8th, 2015


December’s Patch Tuesday closes out the year with 12 bulletins, with half being rated as Critical. Memory corruption seems to be the majority leader of vulnerability types this month, accounting for the high number of Critical advisories. A few things to note before diving in – Edge receives a hefty round of patches, Windows Media Center is patched again for the same vulnerability we saw back in September, and Outlook contains a disturbing vulnerability that’s worth taking a closer look at.

MS15-124: Cumulative Security Update for Internet Explorer (3116180)

First off, Internet Explorer is patched for 30 issues covering a broad range of vulnerability types. IE contains 23 memory corruptions (the VBScripting engine being responsible for one…again), three cross-site scripting filter bypasses, two information disclosures, an elevation of privilege, and an ASLR bypass. This bulletin is rated Critical, no doubt due to the massive number of memory corruption vulnerabilities, which can potentially lead to remote code execution.

MS15-125: Cumulative Security Update for Microsoft Edge (3116184)

Up next is IE’s big brother. This month, Edge is patched for 15 vulnerabilities, the largest update set we’ve seen since its release. It contains ten memory corruptions, an elevation of privilege, an ASLR bypass, a spoofing vulnerability and a cross-site scripting bypass. Along with the number of vulnerabilities patched in Edge this month, it shares many of the same CVEs as IE, raising questions about the overall security of the new browser.

MS15-126: Cumulative Security Update for JScript and VBScript to Address Remote Code Execution (3116178)

JScript and VBScript make another appearance this month, addressing an information disclosure and a memory corruption vulnerability. Note that this bulletin is closely related to MS15-124 in that those who are running IE7 and below should apply this update, while those running IE8 and above should apply MS15-124.

MS15-127: Security Update for Microsoft Windows DNS to Address Remote Code Execution (3100465)

DNS receives a Critical update which addresses a use-after-free vulnerability that can lead to arbitrary code execution in the context of the Local System account. The issue occurs when a DNS server fails to properly parse specially crafted requests.

MS15-128: Security Update for Microsoft Graphics Component to Address Remote Code Execution (3104503)

Microsoft Graphics Component is patched for three memory corruption vulnerabilities allowing remote code execution. The issues lie within the Windows font library when handling embedded fonts. Typical attack scenarios involve convincing a victim to open a specially crafted document or visiting a malicious webpage.

MS15-129: Security Update for Silverlight to Address Remote Code Execution (3106614)

Silverlight makes an appearance, addressing a Critical remote code execution vulnerability and two information disclosure vulnerabilities. The RCE vulnerability occurs when Silverlight incorrectly handles certain open and close requests, resulting in access violations. Typical exploitation involves an attacker hosting a specially crafted Silverlight application and convincing the victim to visit the malicious website. The exploit is limited to the context of the current user, so this serves as a good reminder to always apply the principle of least privilege.

MS15-130: Security Update for Microsoft Uniscribe to Address Remote Code Execution (3108670)

This bulletin resolves an integer underflow vulnerability within Uniscribe. The issue occurs when Uniscribe improperly parses a specially crafted font file, leading to remote code execution. Again, typical exploitation involves an attacker convincing the victim to open a malicious document or webpage.

MS15-131: Security Update for Microsoft Office to Address Remote Code Execution (3116111)

Office clocks in this month with five memory corruptions and a serious remote code execution vulnerability. The RCE vulnerability exists specifically within Outlook and occurs when parsing specially crafted email messages. Successful exploitation can occur by simply previewing a malicious email, and since Outlook automatically previews the last received email, user interaction may not even be required!

MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162)

Windows itself is patched for three library loading vulnerabilities which can lead to remote code execution. Successful exploitation requires that an attacker have access to the local file system in order to place specially crafted library files within the same directory as the vulnerable application. For this reason, this bulletin is rated as Important.

MS15-133: Security Update for Windows PGM to Address Elevation of Privilege (3116130)

Windows Pragmatic General Multicast (PGM) is patched for a use-after-free vulnerability which can lead to privilege escalation. Microsoft Message Queuing (MSMQ) must be installed and PGM must be enabled for an attacker to exploit it successfully. The vulnerability occurs when an attacker-induced race condition results in references to memory contents that have already been freed.

MS15-134: Security Update for Windows Media Center to Address Remote Code Execution (3108669)

Windows Media Center returns for an information disclosure and another remote code execution vulnerability. Actually, it is the exact vulnerability which was supposedly patched in September. Apparently, Microsoft didn’t account for a variation of the original attack vector in which Unicode is not utilized. The vulnerability can allow remote code execution when opening a specially crafted Media Center link file.

MS15-135: Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege (3119075)

And finally, the Windows kernel is patched for four elevation of privilege vulnerabilities. The issues exist due to the way the kernel handles objects in memory and can allow an attacker to run arbitrary code in kernel mode. The attacker would first need to log into the system and run a specially crafted application.