Put down the eggnog, back away from your holiday shopping and tree trimming, and join us in taking a look at the security patches released by Adobe and Microsoft for the month of December, 2016.
Adobe Patches for December 2016
For this month, Adobe released nine security patches addressing issues in Flash, RoboHelp, ColdFusion Builder, InDesign, DNG Converter, Adobe Digital Editions, Animate, Experience Manager and Experience Manager Forms. Obviously, most people will focus on the 17 CVEs fixed by the update for Flash. Adobe reports CVE-2016-7892 – fixed by this patch – has been exploited in the wild in targeted attacks against users running Internet Explorer (32-bit) on Windows. This is the only Adobe bulletin this month listed as Priority 1, Adobe’s highest rating, so it should go to the top of the deployment queue. We should also note nine of the 17 CVEs addressed in the Flash update came through the ZDI program. One of the CVEs from the Digital Editions update also came through ZDI.
Microsoft Patches for December 2016
This holiday season, the folks in Redmond released 11 new bulletins addressing 47 unique CVEs in Internet Explorer, Edge, Windows, Office, and .NET Framework. Five of these bulletins are rated Critical with the other six rated as Important. None are listed as being under active attack, although a few of the CVEs were publicly known before the patches shipped. Microsoft also included their bulletin for Adobe Flash, bringing the grand total of bulletins released this year to a record-setting 155. This record will likely stand forever, as Microsoft announced their Security Update Guide will be replacing security bulletins as of February 2017. Time will tell if this move makes it easier or harder for administrators to get needed information regarding security updates. Regardless, it continues Microsoft’s trend of removing or obscuring information about its security patches. Hopefully that trend impacts the attackers more than the system maintainers.
If you have to prioritize your testing, focus on the browsers – Edge and Internet Explorer – and the Office update. These applications have a wide user base and are routinely targeted. As with last month, many of the CVEs patched in Edge and IE received an Exploitability Index (XI) rating of 1 for both browsers. This is Microsoft’s rating indicating exploitation is more likely for these issues. The fact that so many CVEs apply to both browsers is telling: although Microsoft touts many of the security enhancements in Edge, some shared code clearly remains, so a bug in that shared code is reachable from either browser.
The other Critical bulletins this month include one for the Office suite. This is unusual, as most Office patches are listed as Important because users must click through dialog boxes (such as the Protected View prompt) before a malicious file can do anything. Perhaps CVE-2016-7298 – the lone Critical CVE in that bulletin – manages to evade these dialog boxes.
The update for GDI is also listed as Critical. Graphics bugs are always troubling, as simply viewing an image can trigger the vulnerability; no user interaction beyond rendering the content is required. Essentially, that makes every website that shows ads a potential host for a malicious ad exploiting the bug. Think about that for a second. The final Critical update for December addresses a bug in Windows Uniscribe, the Unicode script processor used to lay out text. Similar to GDI, visiting a malicious webpage – or viewing a malicious ad on a legitimate webpage – can trigger the vulnerability, since the browser hands the page’s text to Uniscribe for rendering.
Of the remaining Important bulletins, the ones for Secure Kernel Mode and the Windows Installer both stand out as interesting. For the Secure Kernel Mode issue, attackers could use this to violate virtual trust levels (VTLs), the isolation boundary that Virtualization Based Security relies on, and escalate privileges on a system. The Installer bug is also a local elevation of privilege (EoP). It’s not hard to imagine attackers chaining this bug with the installation of otherwise legitimate software to gain elevated access to a system. This could be a highly impactful bug, especially since Microsoft lists it with an XI of 1. The bulletin for Kernel-Mode Drivers also results in an EoP, but it rates lower on the XI scale.
The updates for Kernel, CLFS driver, and .NET Framework are all listed as Information Disclosure, but that doesn’t mean they should be ignored. The information leaked through these types of bugs – kernel memory contents or addresses, for example – is often the first step of an exploit chain, since it is exactly what an attacker needs to defeat mitigations such as ASLR before using a memory corruption bug for code execution or EoP.
Finally, Microsoft released its version of the aforementioned Flash update to complete their crop of updates for December. No new advisories were released this month.
We would be remiss if we did not mention the updates for iOS and Android recently released. The 10.2 update for iOS addresses 12 documented CVEs, including a nifty trick to access photos and contacts on a locked iPhone. The folks from Google released updates to Android with security patch levels of December 1st and December 5th. The combined patches address 69 total CVEs, 11 of which are marked Critical. Most notably, the patches fix the “Dirty COW” Linux kernel vulnerability (CVE-2016-5195) as well as two bugs – CVE-2016-5196 and CVE-2016-5197 – disclosed through our recent Mobile Pwn2Own competition.
The next patch Tuesday falls on January 10, and we’ll be back with more details then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, Merry Chrismahanukwanzakah, happy patching and may all your reboots be smooth and clean!