Microsoft's last Patch Tuesday of 2016 featured 12 updates, six of them critical, covering 34 individual flaws, all of which, if exploited, could lead to remote code execution.
The critical flaws are explained in bulletins MS16-144, MS16-145, MS16-146, MS16-147, MS16-148 and MS16-154, which covered vulnerabilities in Windows, Internet Explorer, Edge and Office. There are also six other bulletins rated as important.
MS16-154, potentially the most dangerous issue if left unpatched, refers to today's Adobe Flash Player update, which fixes 17 problems, including one flaw that is currently in the wild.
As the year comes to a close, Tyler Reguly, Tripwire's manager of security research, noted that Microsoft was quite busy during 2016.
“As we wrap up what is, hopefully, the final Microsoft patch drop of the year, the numbers are quite impressive -- 155 bulletins (a 15% increase over last year's record breaking year) and more than 500 CVEs. With numbers like these from a single vendor, it shouldn't come as a surprise that IT organizations dealing with multiple vendors are struggling to stay on top of the patching process,” he said to SC Media in an emailed statement.
Adam Novak, Rapid7's lead engineer, pointed out that the critical issues are mainly consumer-facing, making it imperative that consumers pay attention and allow their systems to be updated.
“December continues a long running trend with Microsoft's products where the majority of bulletins (6) are dominated by remote code execution vulnerabilities, which predominantly affect consumer applications. However, consumers are not alone this month as server admins should pay attention to the following critical remote code execution bulletins: MS16-146 and MS16-147,” Novak told SC Media in an email.
Bobby Kuzma, systems engineer at Core Security, applauded the extra effort Microsoft put in this month to dig up MS16-146.
“GDI-based remote execution vulns for the third month in a row? I have to applaud Microsoft… They're digging deep into the cesspit of legacy code in one of their oldest components inside of Windows and are really cleaning house. Pity that all of these vulns probably still exist in XP,” Kuzma said.
MS16-144, for Windows and IE, if left unpatched could cause a user who views a specially crafted webpage to have code remotely executed, allowing the malicious actor to gain user rights and take control of the affected system. MS16-145 would allow the same problem to happen to those using Edge.
MS16-147 resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document.
The vulnerabilities covered by MS16-148 would allow an attacker who successfully exploited them to run arbitrary code in the context of the current user.
“Microsoft Office bulletin MS16-148 is also critical as it's a remote code execution issue, and victims can be compromised without any user interaction due to the preview panel. This typically happens when the Outlook preview panel tries to render e-mail content after receiving a malicious mail. Another attack scenario involves user interaction when victims open malicious Office attachments,” said Amol Sarwate, Qualys's director of vulnerability labs, to SC Media via email.