For Patch Tuesday November 2015, Microsoft released 12 security bulletins, four rated as critical and the remaining eight rated as important.
MS15-112 is the cumulative fix for remote code execution flaws in Internet Explorer. Microsoft lists 25 CVEs, most of which are IE memory corruption vulnerabilities. 19 are called Internet Explorer memory corruption vulnerabilities, with three CVEs labeled slightly differently as Microsoft browser memory corruption vulnerabilities. Of the remaining CVEs, one involves a Microsoft browser ASLR bypass, one is an IE information disclosure flaw, and one is a scripting engine memory corruption vulnerability. You should deploy this as soon as possible.
MS15-113 is the cumulative security update for Microsoft’s newest Edge browser, patching four different vulnerabilities, the most severe of which could allow remote code execution. Microsoft noted that this new patch for Windows 10 32-bit and 64-bit systems replaces MS15-107, the cumulative security update for Edge issued in October.
MS15-114 resolves a vulnerability in Windows, specifically Windows Journal, that could allow remote code execution. This patch is rated critical for all supported editions of Windows Vista and Windows 7, and for all supported non-Itanium editions of Windows Server 2008 and Windows Server 2008 R2.
MS15-115 addresses holes in Microsoft Windows, the worst of which are two in Windows graphics memory that an attacker could exploit for remote code execution. Additionally, it patches two Windows kernel memory bugs that could lead to elevation of privilege, two more kernel bugs that could allow information disclosure, and another flaw in the Windows kernel that could allow security feature bypass.
It’s not the “usual bevy of remote code execution exploits in the browsers” that concerns Bobby Kuzma, CISSP, systems engineer at Core Security. He said, “The ones that I’m most concerned with are all the elevation of privilege vulnerabilities: in NDIS (MS15-117), .NET itself (MS15-118), and Winsock (MS15-119).”
“With regard to MS15-115… What genius decided that FONT HANDLING belonged in the most sensitive parts of the operating system kernel? I know that fonts make things prettier, but allowing untrusted fonts into an environment is bordering on negligence, especially since this is FAR from the first, or the 10th time we’ve had a related vulnerability.”
Although MS15-116 is rated by Microsoft as “important,” Qualys CTO Wolfgang Kandek suggested it should be next on your list as it addresses seven flaws in Microsoft Office. “Five of the vulnerabilities can be used to gain control over the account of the user that opens the malicious document, they provide RCE. This is enough control over the machine for a number of attacks, such as Ransomware for example. However the attacker can pair it with a local vulnerability in the Windows kernel to get a full compromise of the machine, allowing for complete control and the installation of multiple backdoors.”
MS15-117 provides the fix for a flaw in Microsoft Windows NDIS; it’s meant to stop an attacker from exploiting the bug and gaining elevation of privilege.
MS15-118 resolves three vulnerabilities in Microsoft .NET framework. Kandek noted that one allows an attacker “to execute code as the user browsing the website (Cross Site Scripting). These vulnerabilities can often be used to steal the user’s session information and impersonate the user; depending on the application, this can be quite significant.”
MS15-119 addresses a hole in Winsock across all supported versions of Windows. Microsoft added, “The vulnerability could allow elevation of privilege if an attacker logs on to a target system and runs specially crafted code that is designed to exploit the vulnerability.”
MS15-120 resolves a denial of service vulnerability in Windows IPSEC.
MS15-121 fixes a flaw in Windows Schannel that “could allow spoofing if an attacker performs a man-in-the-middle (MiTM) attack between a client and a legitimate server. This security update is rated Important for all supported releases of Microsoft Windows excluding Windows 10.”
MS15-122 patches Kerberos to resolve a security feature bypass. Microsoft noted, “An attacker could bypass Kerberos authentication on a target machine and decrypt drives protected by BitLocker. The bypass can be exploited only if the target system has BitLocker enabled without a PIN or USB key, the computer is domain-joined, and the attacker has physical access to the computer.”
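The preconditions Microsoft lists for MS15-122 map directly onto a posture check. The following PowerShell, added here as an example and not taken from the bulletin or from Microsoft, reports whether the local OS drive is BitLocker-protected by TPM only (no PIN or startup-key protector) on a domain-joined host; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an elevated prompt.

```powershell
# Added example (not from the article): flag hosts that match the MS15-122
# preconditions quoted above - BitLocker on the OS drive with a TPM-only
# protector (no PIN, no USB startup key) on a domain-joined machine.
# Assumes the BitLocker module is available; run from an elevated prompt.

function Test-MS15122Exposure {
    [CmdletBinding()]
    param()

    $osDrive = $env:SystemDrive
    $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop

    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # Collect the protector types as strings, e.g. Tpm, TpmPin, TpmStartupKey,
    # TpmPinStartupKey, RecoveryPassword, ExternalKey.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Any PIN or startup-key protector means pre-boot authentication is required,
    # which is exactly the condition the bulletin says defeats the bypass.
    $hasPreBootAuth = [bool]($types -match 'Pin|StartupKey')
    $tpmOnly = ($vol.ProtectionStatus -eq 'On') -and
               ($types -contains 'Tpm') -and
               (-not $hasPreBootAuth)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OsDrive           = $osDrive
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        KeyProtectorTypes = ($types -join ',')
        DomainJoined      = $domainJoined
        # True means all three host-side preconditions from the bulletin hold;
        # the host should get the update and, ideally, a PIN or startup key.
        MatchesBulletin   = [bool]($tpmOnly -and $domainJoined)
    }
}

Test-MS15122Exposure | Format-List
```

A `MatchesBulletin` value of True does not test the flaw itself; it only tells you that the host sits in the configuration the bulletin describes, so it belongs at the front of the deployment queue (or should gain a PIN or startup-key protector).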