“Patch Tuesday”: Sixty-eight Microsoft Vulnerabilities Repaired
Patch Tuesday 2016: Microsoft has fixed 68 vulnerabilities, including 6 that had been rated critical. The updates are spread over fourteen security bulletins. They include fixes for 2 vulnerabilities that are being actively exploited, one of which is the CVE-2016-7255 vulnerability that Google announced in October 2016.
Google decided to announce the vulnerability within 10 days of informing Microsoft about the issue, even though Microsoft’s update release policy meant the vulnerability would be public for some time before a fix was released. Google’s policy is to issue alerts within one week if vulnerabilities are being exploited. If there is no evidence of exploitation, Google gives companies 3 months to address the flaws or publish advice that will mitigate the threat.
As it was known that the CVE-2016-7255 vulnerability was indeed being exploited by hackers based in Russia, i.e. Fancy Bear/Strontium/APT28, the decision to publish information about the flaw was quickly made. Microsoft has been critical of Google’s decision, arguing that it could put users at greater risk of attack.
This particular vulnerability is in the Windows kernel and may be exploited to elevate privileges if an attacker logs in to an affected system and runs a specially crafted application. The Microsoft update changes the way in which the Windows kernel-mode driver handles objects in memory. The bulletin that fixes the vulnerability is MS16-135. Administrators have been advised to prioritize this update, together with MS16-132.
MS16-132 is a Microsoft Graphics Component security update that fixes four known flaws: CVE-2016-7205, CVE-2016-7210, CVE-2016-7217, and CVE-2016-7256. One exploit has already been identified for CVE-2016-7256. This is an OpenType font remote code execution vulnerability that an attacker may exploit using specially crafted fonts in websites and/or documents. Attacks that exploit this vulnerability could be used to take complete control of an affected system.
Cumulative updates that address seventeen vulnerabilities have now been published for Edge and Internet Explorer. A number of those vulnerabilities could lead to remote code execution. It is believed that none have been exploited in the wild, even though 2 had already been publicly disclosed. Furthermore, an Adobe Flash update for both Edge and IE has been released.
Although it did not receive a “critical” rating, the MS Office update should be prioritized by users. None of the identified flaws are being exploited; however, the update fixes ten vulnerabilities that may result in remote code execution if left unpatched.
An update that resolves six vulnerabilities has also been issued for Microsoft SQL Server; however, there is no evidence that any are currently being exploited. Should they be exploited, the vulnerabilities may permit attackers to create new user accounts, modify existing ones, and interfere with data.