Patch Tuesday November 2016

BeyondTrust Research Team, November 9th, 2016

Patch Tuesday

November’s Patch Tuesday ushers in a hefty 14 bulletins – 6 critical and 8 important. This cycle marks the second month utilizing the new rollup process for certain operating systems, with Vista and 2008 still requiring individual patching. Curiously, Internet Explorer comes last in the list (it’s usually first), most likely due to the Out-Of-Band patch (MS16-128), which came out in late October.

MS16-129: Cumulative Security Update for Microsoft Edge (3199057)

First off, Edge is patched for a whopping 17 vulnerabilities consisting of 4 memory corruptions within the browser itself, 8 memory corruptions within the scripting engine, 4 information disclosures, and a spoofing vulnerability, making this update one of the largest to date for the Edge browser. Microsoft has, appropriately rated this bulletin as critical as the multiple memory corruptions could result in arbitrary code execution.

MS16-130: Security Update for Windows OLE to Address Remote Code Execution (3143136)

Next up, this bulletin resolves 2 memory corruption vulnerabilities within Windows OLE which can lead to remote code execution. The issue stems from OLE not properly handling objects in memory typically parsed through an embedded file. At the time of this bulletin’s publication, there were no reports of this these vulnerabilities being actively exploited.

MS16-131: Security Update for Microsoft Video Control (3199151)

This bulletin resolves an issue with Microsoft Video Control which can lead to remote code execution, making this critically rated update. To exploit the vulnerability an attacker would have to convince a user to open a specially crafted file or visit a malicious website.

MS16-132: Security Update for Microsoft Graphics Component (3199120)

Graphics components returns to the scene with some interesting vulnerabilities – an information disclosure and memory corruption within Open Type Font parsing, a memory corruption within animation manager, and a memory corruption within Media Foundation. An attacker could leverage these vulnerabilities to execute arbitrary code on a remote system. Microsoft has received reports that the Open Type Font parsing vulnerability was being actively exploited prior to this bulletin being published, so this is an update you do not want to miss.

MS16-133: Security Update for Microsoft Office (3199168)

Up Next, Office undergoes a hefty update resolving an information disclosure, 10 memory corruptions, and a denial of service vulnerability. The memory corruption vulnerabilities are the more severe vulnerabilities because they can potentially lead to remote code execution, making this bulletin critically rated.

MS16-134: Security Update for Common Log File System Driver (3193706)

Bringing a rather unusual face to this Patch Tuesday, multiple vulnerabilities in the Common Log File System Driver have been discovered. All of these vulnerabilities have the same impact, elevation of privilege. To exploit these vulnerabilities, an attacker would first have to gain access to the vulnerable system, and then run a specially crafted application to gain the elevated privileges. To solve this issue, Microsoft has fixed how the Common Log File System Driver handles objects in memory.

MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135)

Back to the usual suspects, Kernel-Mode Drivers have returned to Patch Tuesday with an important update that fixes multiple vulnerabilities. The vulnerabilities have impacts of elevation of privilege and sensitive information disclosure. To exploit the vulnerability, an attacker would need to have access to the vulnerable system, and run a specially crafted application to exploit the vulnerability of their choice. Microsoft has once again fixed the issue by applying the usual memory remedies.

MS16-136 – Important: Security Update for SQL Server (3199641)

Another unusual face on this Patch Tuesday, SQL Server has a handful of vulnerabilities. Impact of these vulnerabilities range from elevation of privilege, information disclosure, and cross-site-scripting (XSS). To exploit the XSS vulnerability, the attacker could inject a client-side script into the user’s instance of Internet Explorer, allowing for the attacker to take any action that the user could take on the site. To disclose information, an attacker could supply a malicious file-stream path, causing the SQL server to improperly handle the request and spill the proverbial beans. To elevate privileges, an attacker would need to supply a malicious ACL to atxcore.dll.

MS16-137: Security Update for Windows Authentication Methods (3199173)

Windows Authentication Methods make a semi-casual appearance this Patch Tuesday. The impact of the vulnerabilities discovered range from information disclosure, denial of service, and elevation of privilege. The information disclosure is tied to a memory handling error, and can be exploited by an attacker who runs a specially crafted application. On its own, the information disclosure is not sufficient for an attacker to compromise the system, but when combined with other vulnerabilities the dangers are sufficient enough to warrant a patch. To cause a denial of service, an attacker could send a maliciously crafted request to the Local Security Authority Subsystem (LSASS), and cause the target system to become unresponsive. To elevate privileges, an attacker would have to authenticate either to the target or a domain-joined system using valid user credentials, and then run a specially crafted application to manipulate the NTLM password change requests into granting the user additional privileges.

MS16-138: Security Update for Microsoft Virtual Hard Disk Driver (3199647)

Multiple privilege escalations have been discovered in Microsoft Virtual Hard Drive. The issue stems from how the Windows VHDMP kernel mishandles user access for certain files and could allow an attacker to manipulate them in restricted locations. This is addressed in the update by correcting how the kernel API handles access to these files.

MS16-139: Security Update for Windows Kernel (3199720)

This bulletin resolves a privilege escalation vulnerability within the Windows kernel due to how it handles permissions for certain files and folders. An attacker has to be locally-authenticated to take advantage of this and would have to run a specially crafted application. As we have seen with similar issues, Microsoft has made sure that kernel handles permissions properly.

MS16-140: Security Update for Boot Manager (3193479) 

Next up, Boot Manager is patched for a security feature bypass which can allow an attacker to disable key features that help protect the boot process. If the attacker had physical access or administrative rights, they could load test-signed executables or drivers on the target system. The security update prevents this by revoking affected boot policies in firmware.

MS16-141: Security Update for Adobe Flash Player (3202790)

This bulletin resolves 10 vulnerabilities within Adobe Flash Player which an attacker can leverage by convincing a user to visit a specially crafted webpage or by viewing a malicious email message, for example. Note that this bulletin corresponds to Adobe’s APSB16-37 advisory.

MS16-142: Cumulative Security Update for Internet Explorer (3198467)

Oddly enough, Internet Explorer is last in this month’s patch cycle. Multiple remote code execution vulnerabilities have been discovered in the way that IE handles objects in memory. A typical attack scenario would be for an attacker to convince a user to visit a malicious website. The attacker could then corrupt memory in a way that could allow them to execute arbitrary code in the context of the current user. This is always dangerous because if the user had administrative rights, then the attacker could take complete control of the system.