With 2016 almost reaching its departure, Microsoft released their one last ‘Patch Tuesday‘ update for the year. This update has by far the highest number of security updates released in a single patch. It features six critical patches, with the remaining six rated as important. It covered 34 individual flaws, all of which if exploited could lead to Remote Code Execution. So get ready for restarts. It is favorable to not delay the deployment of these patches. Since three of them, address vulnerabilities which have been publicly disclosed.
The critical flaws are explained in bulletins MS16-144, MS16-145, MS16-146, MS16-147, MS16-148, and MS16-154. They are said to overcome susceptibilities in Windows, Internet Explorer, Edge, and Office. More specifically, the glitch Windows 10 users were facing while connecting to the internet after the last wave of patches released by Microsoft.
MS16-144 is released to address a plethora of bugs in Internet Explorer. It also fixes a couple of glitches which tend to cause information leaks and one that could lead to a breach of information in Windows hyperlink object library. This patch will be included in the December monthly security update for Windows.
Here are the publicly disclosed flaws
- CVE-2016-7282 – a Microsoft browser information disclosure vulnerability.
- CVE-2016-7281 – the Microsoft browser security feature bypass bug.
- A CVE-2016-7202 – a scripting engine memory corruption anomaly.
This update has been rated “Patch Now”, mainly because of the severity of the issue it is designated to fix. MS16-144 will be applied to all currently supported versions of IE.
MS16-145 overhauls several of the reported bugs in Microsoft’s ‘new and improved’ Edge browser. The number of reported glitches are surprisingly even more than Internet Explorer, that is censured with 11 flaws. MS16-145 solves these critical issues.
- Five of the usual scripting engine flaws.
- Two of the memory corruption bug.
- A security feature bypass.
MS16-146 tends to patch critical Remote Code Execution vulnerabilities in the Microsoft Graphics Component of Windows. Moreover, it fixes the Windows GDI information disclosure flaw. All these vulnerabilities are privately reported. The patch is to replace last month’s graphic component update for all Windows 10 and Server 2016 systems.
It is also the second patch for Windows Security Only or “roll-up” update for this month.
MS16-147 is released to solely address a persisting liability in Windows Uniscribe. The bug is said to set-off a Remote Code Execution scenario. That is if users visit a specially crafted website or open a specially crafted document. It is certainly something we don’t see every month.
For those who don’t know, the Uniscribe component is a collection of API’s, which are meant to handle typography in Windows for different languages.
The MS16-148 is released to address a galore of Remote Code Execution vulnerabilities. The 16 privately inscribed flaws persist in Microsoft Office. The severity of the glitches can be determined by the fact that if left unpatched, they could lead to a Remote Code Execution scenario on the target system. Here’s the list of glitches:
- Four memory corruption bugs.
- An Office OLE DLL side-loading problem.
- A bug that discloses critical GDI information along with several others.
The MS16-154 patch is a wrapper and remediates crucial flaws in the embedded Adobe Flash Player. This is potentially the most dangerous issue if left unpatched. It is said to fix 17 problems including one flaw that is currently running in the wild. Microsoft has surprisingly suggested a mitigating factor for this issue. It is astonishing because the company usually never does that. The workaround is to Uninstall Flash completely.
Reports regarding a zero-day vulnerability have been received, which managed to compromise 32-bit Internet Explorer systems. So, this is a critical “Patch Now” update.
- Four buffer overflow bugs.
- Five memory corruption issues that could potentially cause Remote Code Execution.
The patch is released to resolve two privately reported issues in Windows.
- A Windows crypto information disclosure flaw, that involves object handling in memory.
- A bug that leads to elevation of privilege in Windows cryptography component.
MS16-149 will be added to this month’s security roll-up.
This is a security update for a sole vulnerability, reported privately. MS16-150 regards to Windows Kernel’s persisting issue that could compromise user privileges. It is mainly caused by mishandling objects in memory.
MS16-151 attempts to overhaul a couple of minor bugs. Each privately reported and are estimated to cause minimal harm. One is related to the Win32k EoP flaw in Windows Kernel mode drivers. The other issue it addresses is the Windows graphics component, mishandling objects in memory.
MS16-152 is a security patch for Windows Kernel and aims to address a sole liability. It is a privately reported vulnerability in Windows Kernel that only affects Windows 10 and Server 2016 systems. The bug is known to cause information disclosure, at worst. This patch will be bundled with the Windows monthly roll-up.
This patch resolves a single information disclosure glitch, also privately stated. The bug persists in a Windows driver sub-system, triggered by updating the Common Log File System (CLFS).
MS16-155 repairs a .NET framework liability. Microsoft noted that the bug is publicly disclosed but is not being exploited. It is potentially a lower risk vulnerability and has its own update package. Therefore, it has been spared from inclusion in the Windows quality and security roll-ups.
That is enough you need to know about each security update of this year’s final Patch Tuesday. So until next year, Happy Patching.
Related Stories you should read:
- Windows 10 June Security Patch contains huge fixes for IE, Edge, Flash Player and Windows OS
- Windows 10 Mobile cumulative update fixes some known issues, and improves overall performance
- Google-publicised security flaw patched by Microsoft
- Windows 7 KB3205394 patches major security vulnerabilities, install it now