Yesterday was this year’s last Patch Tuesday, with Microsoft pushing out updates for many versions of its operating system. We’ve already seen some of the bugfixes and changes that came as part of this update wave. But now, we also know some of the security issues that were patched last night.
With this final patch release for 2016, Microsoft published 11 security bulletins, six of which address critical issues found in Windows, Internet Explorer, Microsoft Edge, Office, and the .NET framework. As you can see, that spans quite the gamut of Microsoft products, so let’s jump in and see what got fixed.
- MS16-144 addresses a series of vulnerabilities, deemed to be Critical by the company’s severity rating system, that could compromise Internet Explorer and the system it’s installed on. By exploiting the security flaws present before this patch, an attacker could get full control over an affected system. The attacker would need to chain exploits together by tricking a user into viewing a malicious website, elevating his privileges on the target machine and then taking full control.
- MS16-145 relates to an issue in Microsoft Edge, also deemed to be Critical. By viewing a malicious website, a user’s machine could be hacked and the attacker might gain the same user rights as the victim. Users operating with fewer rights would be less impacted than those operating as administrators.
- MS16-146 is the third bulletin for this month dealing with a Critical issue that could allow for remote code execution. This relates to the Microsoft Graphics Component, which has received numerous security patches over the past few months. If an attacker tricks the user into opening a malicious website or document, he could get the same level of control over the machine as the user.
- MS16-147 has to do with Microsoft Uniscribe, a set of APIs that allow for control of fine typography and for processing complex scripts. This issue is also deemed to be Critical, as an attacker could gain the same privileges as the current user if the victim opens a malicious website or document.
- MS16-148 is the final Critical patch to come out of Microsoft for this season. It has to do with Microsoft Office, Office Services and Office Web Apps. An attacker could end up running code remotely, with the same degree of freedom as the current user, if the victim opens a malicious Microsoft Office file.
- MS16-149 deals with an escalation of privileges issue in Microsoft Windows, and is deemed to be an Important patch. An attacker could gain administrative privileges over a system if he ran a specially created application. However, the attacker would need to be local and already be authenticated on the system.
- MS16-150 and MS16-151 have to do with Windows Kernel Mode and Kernel-Mode Drivers. An attacker could gain administrative privileges over a system if he’s able to locally run a specially crafted script.
- MS16-152 and MS16-153 fix issues where Windows could end up leaking information in some scenarios. The first bulletin addresses a flaw with the way the Windows Kernel handles objects in memory, while the second one has to do with the Common Log File System Driver (CLFS). In this latter scenario, an attacker could trick Windows into disclosing information by running a specially crafted application locally.
- MS16-155 may be the last security update to come out of Redmond for 2016 and it addresses security flaws in the .NET Framework. Deemed to be an Important issue, this flaw allowed an attacker to access information defended by the “Always Encrypted” features in some versions of .NET 4.6.2.
- Finally, MS16-154 is the last security update on our list and it’s deemed to be a Critical one as some of these flaws are already being exploited in the wild. However, this patch isn’t from Microsoft, but rather from Adobe, and it fixes a number of issues found in Flash Player.
As usual, we recommend you stay up to date with all security patches published by Microsoft, though in this case, you might want to be aware of an issue related to internet connectivity with these latest updates.