With 2016 almost coming to an end its departure, Microsoft released their one last ‘Patch Tuesday‘ update for the year. This update has by far the maximum number of security updates released in a single patch. It features 6 critical patches, with the remaining 6 rated as important. It covered 34 specific flaws, all of which if oppressed could lead to Remote Code Execution. So get ready for restarts. It is advantageous to not delay the deployment of these patches. Since 3 of them, address vulnerabilities which have been publicly released.
The critical defects are explained in bulletins MS16-144, MS16-145, MS16-146, MS16-147, MS16-148, and MS16-154. They are stated to overcome vulnerabilities in Windows, Internet Explorer, Edge, and Office. More exactly, the glitch Windows 10 users were facing while connecting to the internet after the last wave of patches released by Microsoft.
MS16-144 is released to address an embarrassment of bugs in Internet Explorer. It also fixes a couple of glitches which tend to reason information leaks and one that could lead to a breach of info in Windows hyperlink object library. This patch will be involved in the December monthly security update for Windows.
Here are the publicly disclosed flaws
- CVE-2016-7282 – a Microsoft browser information disclosure vulnerability.
- CVE-2016-7281 – the Microsoft browser security feature bypass bug.
- A CVE-2016-7202 – a scripting engine memory corruption anomaly.
This update has been rated “Patch Now”, mainly for the reason that of the severity of the issue it is designated to fix. MS16-144 will be useful to all presently supported versions of IE.
MS16-145 renovates numerous of the reported bugs in Microsoft’s ‘new and improved’ Edge browser. The number of reported glitches are surprisingly even more than Internet Explorer that is faulted with 11 flaws. MS16-145 solves these critical issues.
- 5 of the usual scripting engine flaws.
- Two of the memory corruption bug.
- A security feature bypass.
MS16-146 inclines to patch critical Remote Code Execution vulnerabilities in the Microsoft Graphics Component of Windows. Besides, it fixes the Windows GDI information disclosure flaw. All these vulnerabilities are confidentially reported. The patch is to replace last month’s graphic component update for all Windows 10 and Server 2016 systems.
It is also the second patch for Windows Security Only or “roll-up” update for this month.
MS16-147 is released to merely address a staunch liability in Windows Uniscribe. The bug is stated to set-off a Remote Code Execution scenario. That is if users visit a particularly crafted website or open a particularly crafted document. It is certainly something we don’t see every month.
For those who don’t know, the Uniscribe component is a group of API’s, which are meant to handle typography in Windows for different languages.
The MS16-148 is released to address a copious of Remote Code Execution vulnerabilities. The 16 confidentially inscribed flaws persist in Microsoft Office. The severity of the glitches can be determined by the fact that if left unpatched, they could lead to a Remote Code Execution scenario on the target system. Here’s the list of glitches:
- Four memory corruption bugs.
- An Office OLE DLL side-loading problem.
- A bug that discloses critical GDI info along with several others.
The MS16-154 patch is a covering and remediates crucial flaws in the Adobe Flash Player. This is possibly the most dangerous issue if left unpatched. It is stated to fix 17 glitches including one flaw that is presently running in the wild. Microsoft has unpredictably suggested a justifying factor for this issue. It is surprising because the company typically never does that. The workaround is to Uninstall Flash completely.
Reports regarding a zero-day vulnerability have been received, which succeeded to negotiation 32-bit Internet Explorer systems. So, this is a critical “Patch Now” update.
- Four buffer overflow bugs.
- Five memory corruption concerns that could potentially cause Remote Code Execution.
The patch is issued to resolve two privately reported issues in Windows.
- A Windows crypto information expose flaw that involves object handling in memory.
- A bug that leads to elevation of honor in Windows cryptography component.
MS16-149 will be added to this month’s security roll-up.
This is a security update for a single vulnerability, conveyed privately. MS16-150 regards to Windows Kernel’s persisting issue that could compromise user privileges. It is mainly produced by mishandling objects in memory.
MS16-151 attempts to overhaul a couple of minor bugs. Each privately conveyed and are estimated to cause minimal harm. One is related to the Win32k EoP flaw in Windows Kernel mode drivers. The other problem it addresses is the Windows graphics component, mishandling objects in memory.
MS16-152 is a security patch for Windows Kernel and objects to address a single liability. It is secretly reported vulnerability in Windows Kernel that only affects Windows 10 and Server 2016 systems. The bug is known to cause information expose, at worst. This patch will be bundled with the Windows monthly roll-up.
This patch resolves a single information disclosure glitch, also privately stated. The bug continues in a Windows driver sub-system, initiated by updating the Common Log File System (CLFS).
MS16-155 repairs a .NET framework liability. Microsoft noted that the bug is publicly disclosed but is not being exploited. It is theoretically a lower risk vulnerability and has its own update package. Therefore, it has been spared from insertion in the Windows quality and security roll-ups.
That is sufficient you need to know about each security update of this year’s final Patch Tuesday. So until next year, Happy Patching.