Patch Tuesday December 2016

BeyondTrust Research Team, December 14th, 2016

Patch Tuesday

In this final Patch Tuesday of the year, Microsoft provides a total of 12 bulletins addressing vulnerabilities within the typical products such as IE, Edge, and Office. Some new faces also make an appearance with Uniscribe and the Auto-Updater for Office on Mac systems. Out of the 12 bulletins, half are rated critical while the other half are rated important.

MS16-144: Cumulative Security Update for Internet Explorer (3204059)

Starting things off, Internet Explorer is patched for a total of 8 vulnerabilities consisting of 4 memory corruptions, 3 information disclosures, and a security feature bypass. The memory corruptions are the most severe, since they can allow remote attackers to execute arbitrary code by hosting a malicious website and convincing a victim to browse to it.

MS16-145: Cumulative Security Update for Microsoft Edge (3204062)

Up next, Edge is patched for even more vulnerabilities than IE, clocking in with 11 vulnerabilities total consisting of 7 memory corruptions, 3 information disclosures, and 1 security feature bypass. Again, the most severe of these are the memory corruption vulnerabilities, making this bulletin critically rated.

MS16-146: Security Update for Microsoft Graphics Component (3204066)

As a returning usual suspect, more vulnerabilities have been found in the Microsoft Graphics Component. The worst of these vulnerabilities could result in remote code execution, and one vulnerability discloses information from the graphics component’s memory. There are multiple ways in which an attacker can exploit these vulnerabilities: they can convince a user to open a crafted document, or to visit a malicious webpage. This update applies the usual memory handling remedies to solve the problem.

MS16-147: Security Update for Microsoft Uniscribe (3204063)

As a new face on Patch Tuesday, Microsoft Uniscribe has been found to contain a critical vulnerability that could lead to remote code execution. Since this is a new face, an introduction is in order. Uniscribe is a set of APIs that allow a high degree of control for fine typography and for processing complex scripts. Both complex scripts and simple scripts with fine typography effects require special processing to display and edit because the characters (“glyphs”) are not laid out in a simple way. For complex scripts, the rules governing the shaping and positioning of glyphs are specified and catalogued in The Unicode Standard. In short, Uniscribe is a font processing API for Unicode-based fonts. An attacker could exploit this vulnerability by luring a victim to view a malicious website.

MS16-148: Security Update for Microsoft Office (3204068)

This bulletin resolves a whopping 11 Office vulnerabilities consisting of 4 memory corruptions, a DLL side-loading vulnerability, 3 security feature bypasses, 2 information disclosures, and a privilege escalation for the auto-updater on Mac systems.

MS16-149: Security Update for Microsoft Windows (3205655)

It wouldn’t be Patch Tuesday without security updates to Windows itself. Windows contains two important-rated vulnerabilities, one for information disclosure and the other for privilege escalation. The information disclosure leaks memory contents to the user when Windows Crypto runs in kernel mode. To exploit this vulnerability, an attacker would have to log onto the system and run a specially crafted application. The escalation of privilege vulnerability results from improper input sanitization that leads to insecure library loading behavior in Windows Installer.

MS16-150: Security Update for Windows Secure Kernel Mode (3205642)

“Secure” Kernel Mode comes bearing a vulnerability as a gift this holiday season. This vulnerability is rated as important, and results in elevation of privilege. Due to improper memory handling, an attacker can violate the VTL (virtual trust levels) of Windows. A locally-authenticated attacker could attempt to exploit the vulnerability by running a specially crafted application on the target system. The update applies the usual memory handling fixes to properly enforce VTL.

MS16-151: Security Update for Windows Kernel-Mode Drivers (3205651)

Microsoft addresses two privilege escalation flaws that exist in the Windows graphics component and kernel-mode driver. This is particularly dangerous because of the range of affected operating systems and the ability to take control of the system. In CVE-2016-7259, an attacker would have to craft a special application to take advantage of how the graphics component improperly handles objects in memory. This could lead to an attacker running processes in an elevated context. CVE-2016-7260 is less severe because the attacker has to be logged in to the affected system to exploit the vulnerability. After an attacker obtains access, they can run a special application to take advantage of how the kernel-mode driver handles objects in memory. Microsoft resolved both vulnerabilities by addressing how these components handle objects in memory.

MS16-152: Security Update for Windows Kernel (3199709)

Windows Kernel makes a casual appearance this month, containing an important-rated information disclosure vulnerability. Kernel memory addresses can be leaked when the kernel fails to properly handle certain page fault system calls. An authenticated attacker who successfully exploited the vulnerability could disclose information from one process to another. To exploit the vulnerability, an attacker would have to log on locally to an affected system, or convince a local user to execute a crafted application. The patch changes how the Windows Kernel handles certain page fault system calls.

MS16-153: Security Update for Common Log File System Driver (3207328)

A flaw has been discovered in the Common Log File System (CLFS) driver, which is the result of CLFS improperly handling objects in memory. An attacker could run an application to bypass security and further exploit the machine. Microsoft has fixed this by addressing how the CLFS driver handles objects in memory.

MS16-154: Security Update for Adobe Flash Player (3209498)

This bulletin addresses vulnerabilities related to Adobe’s security bulletin APSB16-39, which resolves 16 vulnerabilities within Flash. This bulletin serves as a reminder to be extra careful when following links from emails and other less than trustworthy sources.

MS16-155: Security Update for .NET Framework (3205640)

.NET Framework is patched for an information disclosure resulting from improper handling of developer-supplied keys, which are usually protected by the Always Encrypted feature. An attacker could potentially decrypt data by utilizing an easily guessable key.
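The bulletin-to-KB mapping above is the data a defender needs to confirm the December updates actually landed on a host. The following PowerShell check is an added example, not part of the BeyondTrust post or a Microsoft tool: it takes the twelve KB numbers listed in this page's bulletin headings and reports which ones Get-HotFix (which reads Win32_QuickFixEngineering) sees as installed on the local machine. The hashtable of bulletin names and KB numbers is built from the headings above; nothing else is assumed.

```powershell
# Added example: verify presence of the December 2016 Patch Tuesday KBs on the local host.
# Bulletin -> KB mapping taken from the bulletin titles in this post.
$DecemberKBs = [ordered]@{
    'MS16-144' = 'KB3204059'   # Internet Explorer
    'MS16-145' = 'KB3204062'   # Edge
    'MS16-146' = 'KB3204066'   # Graphics Component
    'MS16-147' = 'KB3204063'   # Uniscribe
    'MS16-148' = 'KB3204068'   # Office
    'MS16-149' = 'KB3205655'   # Windows (Crypto / Installer)
    'MS16-150' = 'KB3205642'   # Secure Kernel Mode
    'MS16-151' = 'KB3205651'   # Kernel-Mode Drivers
    'MS16-152' = 'KB3199709'   # Windows Kernel
    'MS16-153' = 'KB3207328'   # CLFS driver
    'MS16-154' = 'KB3209498'   # Adobe Flash Player (embedded Flash only)
    'MS16-155' = 'KB3205640'   # .NET Framework
}

function Get-DecemberPatchStatus {
    # Collect every HotFixID the OS reports once, then compare against the list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    foreach ($entry in $DecemberKBs.GetEnumerator()) {
        [pscustomobject]@{
            Bulletin  = $entry.Key
            KB        = $entry.Value
            Installed = [bool]($installed -contains $entry.Value)
        }
    }
}

# Print a table and list anything still missing so the result is easy to act on.
$status = Get-DecemberPatchStatus
$status | Format-Table -AutoSize
$missing = $status | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ("Bulletin KBs not reported by Get-HotFix: " + (($missing.KB) -join ', '))
}
```

Two caveats when reading the output. On Windows 10 and Server 2016 the monthly cumulative update supersedes the individual bulletin KBs, so a bulletin can be fully remediated while its KB number never appears in Get-HotFix; correlate a "missing" line against the installed cumulative update before raising an alarm. Office and Flash updates are likewise tracked by their own installers rather than by Win32_QuickFixEngineering on every platform, so for MS16-148 and MS16-154 treat this check as a first pass, not a final answer.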