The final patch Tuesday of 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release contains 12 bulletins addressing 48 vulnerabilities. Six bulletins are rated critical and address vulnerabilities in Internet Explorer, Edge, Microsoft Graphics Components, Microsoft Uniscribe, and Adobe Flash Player. The remaining seven bulletins are rated important and address vulnerabilities in various Windows components including kernel, crypto driver, and installer.
Bulletins Rated Critical

Microsoft bulletins MS16-144 through MS16-148 and MS16-154 are rated as critical in this month's release.
MS16-144 is the Internet Explorer bulletin for this month. It addresses a total of nine vulnerabilities, including various memory corruption (CVE-2016-7202, CVE-2016-7279, CVE-2016-7283, CVE-2016-7287, CVE-2016-7293), security feature bypasses (CVE-2016-7281, CVE-2016-7282), and information disclosure bugs (CVE-2016-7278, CVE-2016-7284). The most severe of these vulnerabilities could result in remote code execution if a user visited a specially crafted webpage using Internet Explorer. The vulnerabilities affect Internet Explorer versions 9, 10, and 11. The severity of the vulnerabilities is related to the version of Internet Explorer and Windows being used. Windows Vista, 7, 8.1, and 10 are all affected. Additionally, Windows Server 2008, 2012, and 2016 are also impacted. Note that the Windows Server vulnerabilities are rated as moderate, as opposed to the client versions which are all rated critical.
MS16-145 is the Edge browser bulletin for this month. It addresses a total of 11 vulnerabilities, including various memory corruption (CVE-2016-7181, CVE-2016-7279, CVE-2016-7286, CVE-2016-7287, CVE-2016-7288, CVE-2016-7296, CVE-2016-7297), security feature bypasses (CVE-2016-7281, CVE-2016-7282) and information disclosure bugs (CVE-2016-7206, CVE-2016-7280). The most severe of these vulnerabilities could result in remote code execution if a user visited a specially crafted webpage using Internet Explorer. The vulnerabilities only affect Windows 10 and Windows Server 2016. The Windows 10 vulnerabilities are all rated critical and the Windows Server 2016 vulnerability is rated as moderate.
MS16-146 is the bulletin addressing three vulnerabilities in the Windows Graphics Component. The most severe of these vulnerabilities could result in remote code execution if a user were to visit a specially crafted website or open a specially crafted document. There are two memory corruption vulnerabilities (CVE-2016-7272, CVE-2016-7273) as well as one information disclosure vulnerability (CVE-2016-7257). The vulnerabilities affect Windows Vista, 7, 8.1, 10, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, and Server 2016.
MS16-147 addresses a single remote code execution vulnerability (CVE-2016-7274) in Windows Uniscribe. This vulnerability can be triggered by visiting a specially crafted website or opening a specially crafted document. This vulnerability results from the way Windows Uniscribe handles objects in memory. This vulnerability affects all currently supported versions of Windows.
MS16-148 is the Microsoft Office bulletin for this month. It addresses a total of 16 vulnerabilities, including various memory corruption (CVE-2016-7263, CVE-2016-7277, CVE-2016-7289, CVE-2016-7298), information disclosure (CVE-2016-7257, CVE-2016-7264, CVE-2016-7265, CVE-2016-7268, CVE-2016-7276, CVE-2016-7290, CVE-2016-7291), security feature bypass (CVE-2016-7262, CVE-2016-7266, CVE-2016-7267), privilege escalation (CVE-2016-7300), and a single OLE DLL side-loading vulnerability (CVE-2016-7275). The most severe of these vulnerabilities could result in remote code execution if a user were to open a specially crafted Office document. Both Windows and Mac versions of Office are affected. This includes Office 2007, 2010, 2013, 2016, and Office for Mac 2011 and 2016. Additionally, Office services on Microsoft SharePoint Server 2007 and 2010 as well as Office Web Apps 2010 are impacted.
MS16-154 is the Adobe Flash Player bulletin for this month. It addresses a total of 15 vulnerabilities that can result in remote code execution. The most severe of these vulnerabilities could result in remote code execution if a user visits a specially crafted website. This impacts all supported versions of Windows that are running Adobe Flash Player. The only alternate mitigation is to prevent Flash Player from running in Internet Explorer and Microsoft Office. This can be done locally as well as through Group Policy.
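As an added example (not code from the Talos post or from Microsoft's bulletin), the following PowerShell audits, and optionally sets, the Internet Explorer kill bit for the Flash Player ActiveX control, which is the local mechanism behind the "prevent Flash Player from running" mitigation. The control's CLSID, the ActiveX Compatibility registry location and the 0x400 kill-bit flag are assumed from the well-known kill-bit mechanism and are not taken from the page.

```powershell
# Audit (and optionally enforce) the IE kill bit for the Adobe Flash Player
# ActiveX control. The kill bit is bit 0x400 of the "Compatibility Flags"
# DWORD under the ActiveX Compatibility key; Internet Explorer and Office
# versions that honour the kill bit will then refuse to load the control.
# Assumption (not from the Talos post): well-known Flash control CLSID.
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBit    = 0x400

# 64-bit Windows keeps a second copy of the key for 32-bit IE under Wow6432Node.
$CompatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
)

function Get-FlashKillBitState {
    foreach ($key in $CompatKeys) {
        # Skip the Wow6432Node view on 32-bit Windows, where it does not exist.
        if (-not (Test-Path (Split-Path $key -Parent))) { continue }
        $flags = $null
        if (Test-Path $key) {
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Key     = $key
            Flags   = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '(absent)' }
            KillBit = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-FlashKillBit {
    # Requires an elevated session. Preserves any other compatibility flags.
    foreach ($key in $CompatKeys) {
        if (-not (Test-Path (Split-Path $key -Parent))) { continue }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$current -bor $KillBit
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new `
            -PropertyType DWord -Force | Out-Null
    }
}

# Report the current state; run Set-FlashKillBit (elevated) to apply the mitigation.
Get-FlashKillBitState | Format-Table -AutoSize
```

The same keys can be pushed fleet-wide with Group Policy Preferences (Registry), which is the policy route the post refers to.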
Bulletins Rated Important

Microsoft bulletins MS16-149 through MS16-153 and MS16-155 are rated important.
MS16-149 addresses two vulnerabilities, an information disclosure vulnerability in the Windows Crypto Driver (CVE-2016-7219) and a privilege escalation vulnerability in the Windows Installer (CVE-2016-7292). The most severe of these vulnerabilities could result in escalated privileges if a local attacker were to execute a specially crafted application. These vulnerabilities impact both client and server versions of Windows including Vista, 7, 8.1, 10, Server 2008, Server 2012, and Server 2016.
MS16-150 addresses a single privilege escalation vulnerability in Windows Secure Kernel Mode (CVE-2016-7271). This vulnerability could result in privilege escalation if an attacker executes a specially crafted application. The attack, if successful, could also violate virtual trust levels. The vulnerability affects Windows 10 and Windows Server 2016.
MS16-151 addresses two privilege escalation vulnerabilities in the Windows Kernel-Mode Driver (CVE-2016-7259, CVE-2016-7260). The most severe of these vulnerabilities could result in privilege escalation if an attacker executes a specially crafted application. The vulnerabilities affect all currently supported versions of Windows.
MS16-152 addresses a single information disclosure vulnerability in the Windows Kernel (CVE-2016-7258). This vulnerability could result in information disclosure when the Windows Kernel improperly handles specific objects in memory. This vulnerability affects Windows 10 and Server 2016.
MS16-153 addresses a single information disclosure vulnerability in the Windows Common Log File System Driver (CVE-2016-7295). This vulnerability could result in information disclosure when the Windows Kernel improperly handles specific objects in memory and could be triggered by an attacker running a specially crafted application. This vulnerability affects all currently supported versions of Windows.
MS16-155 addresses a single information disclosure vulnerability in .NET Framework (CVE-2016-7270). This vulnerability specifically impacts .NET 4.6.2 and could result in disclosure of information that should be protected by various cryptographic protections. This vulnerability impacts most currently supported versions of Windows.
Coverage

In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.
Snort SIDs: 40647-40648, 40936-40990, 40992-40993