
The December 2016 Security Update Review

  • Posted on: December 13, 2016
  • Posted in: Vulnerabilities & Exploits, Zero Day Initiative
  • Posted by: Dustin Childs (Zero Day Initiative Communications)

Put down the eggnog, back away from your holiday shopping and tree trimming, and join us in taking a look at the security patches released by Adobe and Microsoft for the month of December, 2016.

Adobe Patches for December 2016

For this month, Adobe released nine security patches addressing issues in Flash, Robohelp, ColdFusion Builder, InDesign, DNG Converter, Adobe Digital Editions, Animator, Experience Manager and Experience Manager Forms. Obviously, most people will focus on the 17 CVEs fixed by the update for Flash. Adobe reports CVE-2016-7892 – fixed by this patch – has been seen in the wild and is being targeted against users running Internet Explorer (32-bit) on Windows. This is the only Adobe bulletin this month listed as Priority 1 – Adobe’s highest rating. We should also note nine of the 17 CVEs addressed in the Flash update came through the ZDI program. One of the CVEs from the Digital Editions updates also came through ZDI.

Interestingly, Adobe has not released an update to Acrobat since October. Taking a peek at ZDI’s upcoming advisories, this probably indicates they are working on a large update in the coming months.

Microsoft Patches for December 2016

This holiday season, the folks in Redmond released 11 new bulletins addressing 47 unique CVEs in Internet Explorer, Edge, Windows, Office, and .NET Framework. Five of these bulletins are rated Critical with the other six rated as Important. None are listed as being under active attack although a few of the CVEs are public. Microsoft also included their bulletin for Adobe Flash, bringing the grand total of bulletins released this year to a record-setting 155. This record will likely stand forever, as Microsoft announced their Security Updates Guide will be replacing security bulletins as of February 2017. Time will tell if this move makes it easier or harder for administrators to get needed information regarding security updates. Regardless, it continues Microsoft’s trend of removing or obscuring information about its security patches. Hopefully that trend impacts the attackers more than the system maintainers.

If you have to prioritize your testing, focus on the browsers – Edge and Internet Explorer – and the Office update. These applications have a wide user base and are routinely targeted. As with last month, many of the CVEs patched in Edge and IE received an Exploit Index (XI) rating of 1 for both browsers. This is Microsoft’s rating indicating exploitation is more likely for these issues. Although Microsoft touts many of the security enhancements in Edge, some shared code clearly remains.

Other Critical bugs patched this month include a patch for the Office suite. This is unusual as most Office patches are listed as Important due to users needing to click through dialog boxes to open malicious files. Perhaps CVE-2016-7298 – the lone Critical CVE – manages to evade these dialog boxes.

The update for GDI is also listed as Critical. Graphics bugs are always troubling as simply viewing an image can trigger the vulnerability. Essentially, that makes every website that shows ads a potential host for a malicious ad exploiting the bug. Think about that for a second. The final Critical update for December addresses a bug in Windows Uniscribe. Similar to GDI, visiting a malicious webpage – or viewing a malicious ad on a legitimate webpage – can trigger the vulnerability.

Of the remaining Important bulletins, the ones for Secure Kernel Mode and the Windows Installer both stand out as interesting. For the Secure Kernel Mode issue, attackers could use this to violate virtual trust levels (VTL) and escalate privileges on a system. The Installer bug is also a local elevation of privilege (EoP). It’s not hard to imagine attackers attaching this bug when installing otherwise legitimate software to gain access to a system. This could be a highly impactful bug, especially since Microsoft lists it with an XI of 1. The bulletin for Kernel-Mode Drivers also results in an EoP, but rates lower on the XI scale.

The updates for Kernel, CLFS driver, and .NET Framework are all listed as Information Disclosure, but that doesn’t mean they should be ignored. Gaining information disclosed through these types of bugs is often the first step of an exploit chain.

Finally, Microsoft released its version of the aforementioned Flash update to complete their crop of updates for December. No new advisories were released this month. 

Mobile Updates 

We would be remiss if we did not mention the updates for iOS and Android recently released. The 10.2 update for iOS addresses 12 documented CVEs, including a nifty trick to access photos and contacts on a locked iPhone. The folks from Google released updates to Android on both December 1st and 5th. The combined patches address 69 total CVEs – 11 of which are marked Critical. Most notably, the patches fix the “Dirty Cow” vulnerability as well as two bugs – CVE-2016-5196 and CVE-2016-5197 – disclosed through our recent Mobile Pwn2Own competition.

Looking Ahead 

The next patch Tuesday falls on January 10, and we’ll be back with more details then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, Merry Chrismahanukwanzakah, happy patching and may all your reboots be smooth and clean!
