Take a break from setting up your latest mannequin challenge, cast aside that ballot and join us in taking a look at the security patches released by Adobe and Microsoft for the month of November, 2016.
Adobe Patches for November 2016
Adobe released two updates this month. The more critical of the two patches addresses nine CVEs in Flash Player. This comes just two weeks after Adobe issued an emergency Flash update to fix an issue that was being exploited at the time; we’ll see that same exploit in a Windows update later in this post. The vulnerabilities fixed in today’s Flash update are not known to be exploited in the wild, but they are rated critical and could potentially allow an attacker to take control of the affected system. All nine of the issues covered in today’s Flash update were reported through the ZDI program.
Adobe’s other bulletin for November resolves an input validation vulnerability in the events registration module within Adobe Connect for Windows. This lone CVE is not listed as being under active attack, but could be used for cross-site scripting exploits.
Microsoft Patches for November 2016
Those hoping for a light update from Microsoft will be disappointed, as the folks in Redmond gifted us 14 bulletins addressing 77 CVEs in Internet Explorer, Edge, Windows, SQL Server and Office. Six of these bulletins are rated critical, with the other eight rated as important.
Two different CVEs patched this month were reported to be under active attack.
If you have to prioritize your testing, focusing on the bulletins addressing the active attacks plus MS16-129 and MS16-142 seems a good place to start. Both browsers – Edge and Internet Explorer – have multiple Critical-rated issues. It’s interesting to see many of the CVEs patched in Edge receive an Exploitability Index (XI) rating of 1. This is Microsoft’s rating indicating that exploitation is more likely for these issues. While Edge is generally considered more secure than IE, it appears exploit hunters are finding issues within Edge now too.
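As an added illustration of the prioritization logic described above (not code from the original post or from ZDI), here is a small Python triage helper that ranks bulletins first by whether any of their CVEs is under active attack, then by vendor severity, then by the best (lowest) Exploitability Index among their CVEs. The bulletin IDs MS16-129, MS16-142, MS16-137 and MS16-140 come from the post; the severities, XI values, CVE placeholders and the actively-exploited bulletin are constructed for the example and are not the real November 2016 ratings.

```python
"""Constructed patch-triage helper (added example, not from the post).

Ranking order, most urgent first:
  1. bulletin has at least one CVE seen exploited in the wild
  2. vendor severity (Critical before Important ...)
  3. best (lowest) Exploitability Index across the bulletin's CVEs
  4. bulletin id, so the order is stable for ties
"""
from dataclasses import dataclass
from typing import List, Tuple

# Microsoft severity labels in descending order of urgency.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Cve:
    cve_id: str
    xi: int                 # Exploitability Index: 1 = exploitation more likely, 3 = unlikely
    exploited: bool = False # exploitation detected in the wild before the patch


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    severity: str
    cves: Tuple[Cve, ...]

    @property
    def under_attack(self) -> bool:
        return any(c.exploited for c in self.cves)

    @property
    def best_xi(self) -> int:
        # The most exploitable CVE sets the urgency of the whole bulletin.
        return min(c.xi for c in self.cves)


def priority_key(b: Bulletin):
    return (0 if b.under_attack else 1,
            SEVERITY_RANK[b.severity],
            b.best_xi,
            b.bulletin_id)


def prioritize(bulletins: List[Bulletin]) -> List[str]:
    """Return bulletin IDs in the order a patch team should test them."""
    return [b.bulletin_id for b in sorted(bulletins, key=priority_key)]


# Constructed sample: bulletin IDs are from the post, everything else is
# illustrative (the XI values, severities and the exploited flag are NOT the
# real November 2016 data). "MS16-PLACEHOLDER" stands in for whichever
# bulletin carried an actively exploited CVE.
SAMPLE = [
    Bulletin("MS16-129", "Critical",
             (Cve("CVE-PLACEHOLDER-1", xi=1), Cve("CVE-PLACEHOLDER-2", xi=2))),
    Bulletin("MS16-142", "Critical",
             (Cve("CVE-PLACEHOLDER-3", xi=2), Cve("CVE-PLACEHOLDER-4", xi=2))),
    Bulletin("MS16-137", "Important",
             (Cve("CVE-PLACEHOLDER-5", xi=2),)),
    Bulletin("MS16-140", "Important",
             (Cve("CVE-PLACEHOLDER-6", xi=2),)),
    Bulletin("MS16-PLACEHOLDER", "Important",
             (Cve("CVE-PLACEHOLDER-7", xi=1, exploited=True),)),
]

if __name__ == "__main__":
    for bid in prioritize(SAMPLE):
        print(bid)
```

Running the block prints the actively exploited bulletin first even though it is only rated Important, then the Critical bulletins ordered by their most exploitable CVE, then the remaining Important ones; a real deployment would feed it the CVE table from the month's release notes rather than the constructed sample.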
Other Critical bugs patched this month include updates for Windows file viewing, video control, and graphics components. In addition to the Office and SQL updates, there’s also an update for the Windows Common Log File System (CLFS). While only a local EoP, it’s a component not often updated. Important updates also exist for the Windows kernel and the virtual hard disk driver.
The final two Important bulletins warrant a little extra attention. MS16-137 addresses issues in Windows authentication methods. According to the bulletin, the patch updates Windows NTLM to harden the password change cache, changes the way LSASS handles specially crafted requests, and corrects how Windows Virtual Secure Mode handles objects in memory. These sound like fixes that could potentially help prevent “Pass the Hash” style attacks, which would be fantastic if true. It could also just be a logic bug in LSASS. Hopefully Microsoft will eventually provide more information about this fix.
Finally, MS16-140 addresses a scenario that requires an attacker to be physically present at the target system. Attacks requiring physical access rarely get patched, so it’s good to see Microsoft address one here. The fix is unusual, though, and will look different on different systems: it revokes affected boot policies in the firmware, and the level of revocation protection depends upon the platform firmware. We’ll need to watch this update closely to determine if any quality issues leak out.
Microsoft released its version of the aforementioned Flash update to round out this month’s bevy of updates. No new Microsoft advisories were released this month.
While expected, this month’s release officially makes 2016 the busiest year for Microsoft updates. A mere 135 bulletins were released in 2015 as compared to the 142 already released through November of this year. It will be interesting to see if Microsoft – and other vendors patching at record levels – can maintain this level of output.
The next patch Tuesday falls on December 13, and we’ll be back with more details then. Follow us on Twitter to see the latest and greatest coming from the ZDI program. Until then, happy patching and may all your reboots be smooth and clean!