
The November 2016 Security Update Review

  • Posted on:November 8, 2016
  • Posted in:Network, Security, Vulnerabilities & Exploits, Zero Day Initiative
  • Posted by:
    Dustin Childs (Zero Day Initiative Communications)

Take a break from setting up your latest mannequin challenge, cast aside that ballot and join us in taking a look at the security patches released by Adobe and Microsoft for the month of November 2016.

Adobe Patches for November 2016

Adobe released two updates this month. The more critical of the two patches addresses nine CVEs in the Flash player. This comes just two weeks after Adobe issued an emergency Flash update to fix an issue currently being exploited. We’ll see this exploit later in a Windows update, too. Today’s Flash update is not being exploited in the wild, but does address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. All nine of the issues covered in today’s Flash update were reported through the ZDI program.

Adobe’s other bulletin for November resolves an input validation vulnerability in the events registration module within Adobe Connect for Windows. This lone CVE is not listed as being under active attack, but could be used for cross-site scripting exploits.

Microsoft Patches for November 2016

Those hoping for a light update from Microsoft will be disappointed, as the folks in Redmond gifted us 14 bulletins addressing 77 CVEs in Internet Explorer, Edge, Windows, SQL Server and Office. Six of these bulletins are rated critical, with the other eight rated as important.

Two different CVEs patched this month were reported to be under active attack.

  1. CVE-2016-7255 – MS16-135 (Kernel-mode Drivers): The previously mentioned Flash bug was combined with this kernel elevation of privilege for active attacks – primarily in phishing. Microsoft blames the “Pawn Storm/Strontium/APT28/Fancy Bear” group for being behind these attacks but did not share any data on why they drew this conclusion. Microsoft also expressed their displeasure on how the bug was disclosed publicly less than two weeks prior to the patch being made available. It should also be noted that Windows 10 isn’t impacted here, but Windows 7 users are affected. According to the bulletin, “Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit.”
  2. CVE-2016-7256 – MS16-132 (Graphics Components): This vulnerability in the embedded font driver does affect all supported versions of Windows and could allow remote code execution. This code execution would occur at the logged-on user level, which is another reminder that you should be logging on with a non-admin account for daily activities. To be affected, a user would have to browse to a website or open a malicious file.

If you have to prioritize your testing, focusing on the bulletins addressing the active attacks plus MS16-129 and MS16-142 seems a good place to start. Both browsers – Edge and Internet Explorer – have multiple Critical-rated issues. It’s interesting to see many of the CVEs patched in Edge receive an Exploit Index (XI) rating of 1. This is Microsoft’s rating indicating exploitation is more likely for these issues. While generally considered more secure than IE, it appears exploit hunters are finding issues within Edge now too.
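The prioritization rule above (actively exploited bulletins first, then Critical bulletins carrying XI-1 CVEs, then everything else) can be encoded so it is applied the same way every month. The script below is an added example written for this review, not ZDI or Microsoft tooling; the bulletin records are constructed from statements in the post, and the per-CVE XI lists and the severities not named in the text are placeholders.

```python
"""Patch-triage ranking following the post's advice: bulletins under active
attack first, then Critical bulletins whose CVEs carry an Exploitability
Index (XI) of 1, then remaining Critical, then Important."""
from dataclasses import dataclass, field


@dataclass
class Bulletin:
    bid: str                 # bulletin id, e.g. "MS16-135"
    component: str
    severity: str            # "Critical" or "Important"
    exploited_in_wild: bool = False
    xi_ratings: list = field(default_factory=list)  # one XI value per CVE; 1 = more likely


def triage_key(b: Bulletin) -> tuple:
    """Sort key where a lower tuple means 'patch sooner'.
    Tier 0: under active attack, regardless of severity.
    Tier 1: Critical with at least one XI-1 CVE.
    Tier 2: other Critical.   Tier 3: Important."""
    if b.exploited_in_wild:
        tier = 0
    elif b.severity == "Critical" and 1 in b.xi_ratings:
        tier = 1
    elif b.severity == "Critical":
        tier = 2
    else:
        tier = 3
    # Within a tier: more XI-1 CVEs first, then bulletin id for stable output.
    return (tier, -b.xi_ratings.count(1), b.bid)


def prioritize(bulletins) -> list:
    """Return bulletin ids in the order they should be tested and deployed."""
    return [b.bid for b in sorted(bulletins, key=triage_key)]


# Constructed sample set (values not stated in the post are placeholders).
NOVEMBER_2016 = [
    Bulletin("MS16-129", "Edge", "Critical", xi_ratings=[1, 1, 1, 2]),
    Bulletin("MS16-132", "Graphics Components", "Critical", exploited_in_wild=True, xi_ratings=[1]),
    Bulletin("MS16-135", "Kernel-mode Drivers", "Important", exploited_in_wild=True, xi_ratings=[1]),
    Bulletin("MS16-137", "Windows Authentication Methods", "Important", xi_ratings=[2]),
    Bulletin("MS16-140", "Physical-access boot scenario", "Important", xi_ratings=[2]),
    Bulletin("MS16-142", "Internet Explorer", "Critical", xi_ratings=[1, 2]),
]

if __name__ == "__main__":
    for rank, bid in enumerate(prioritize(NOVEMBER_2016), 1):
        print(rank, bid)
```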

Other Critical bugs patched this month include updates for Windows file viewing, video control, and graphics components. In addition to the Office and SQL updates, there’s also an update for the Windows Common Log File System (CLFS). While only a local EoP, it’s a component not often updated. Important updates also exist for the Windows kernel and the virtual hard disk driver.

The final two Important bulletins warrant a little extra attention. MS16-137 addresses issues in Windows authentication methods. According to the bulletin, the patch updates Windows NTLM to harden the password change cache, changes the way LSASS handles specially crafted requests, and corrects how Windows Virtual Secure Mode handles objects in memory. These sound like fixes that could potentially help prevent “Pass the Hash” style attacks, which would be fantastic if true. It could also just be a logic bug in LSASS. Hopefully Microsoft will eventually provide more information about this fix.

Finally, MS16-140 addresses a scenario that requires an attacker to be physically present at the target system. Attacks requiring physical access rarely get patched, so it’s good to see Microsoft address one here. The fix is unusual though and will look different for different people. The fix revokes affected boot policies in the firmware, and the revocation protection level depends upon platform firmware. We’ll need to watch this update closely to determine if any quality issues leak out.

Microsoft released its version of the aforementioned Flash update to round out this month’s bevy of updates. No new Microsoft advisories were released this month.

Looking Ahead

While expected, this month’s release officially makes 2016 the busiest year for Microsoft updates. A mere 135 bulletins were released in 2015 as compared to the 142 already released through November of this year. It will be interesting to see if Microsoft – and other vendors patching at record levels – can maintain this level of output.

The next patch Tuesday falls on December 13, and we’ll be back with more details then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!
