November 2015 Patch Tuesday: Font handling strikes again

Microsoft's November 2015 Patch Tuesday delivers 12 total bulletins, four of which are critical, and one issue with font handling that angers one expert.

Microsoft released its November 2015 Patch Tuesday fixes today, which include 12 total bulletins, four of which are rated as critical by Microsoft.

Experts said that bulletin MS15-115 should be at the top of the priority list for enterprises. This bulletin contains seven patches for vulnerabilities in Microsoft Windows, the most severe of which could lead to remote code execution (RCE). The two critical vulnerabilities are caused when Windows improperly handles specially crafted embedded fonts in the Adobe Type Manager Library. This makes the vulnerabilities remotely exploitable through specially crafted Web sites and emails.

Bobby Kuzma, CISSP and systems engineer for Core Security, said it is unacceptable that font handling errors should lead to such severe vulnerabilities.

"What genius decided that font handling belonged in the most sensitive parts of the operating system kernel?" Kuzma asked. "I know that fonts make things prettier, but allowing untrusted fonts into an environment is bordering on negligence, especially since this is far from the first, or the 10th time we've had a related vulnerability."

This is, in fact, Microsoft's eighth font handling vulnerability this year; seven of them have been critical.

Security researcher Craig Young and manager of security research Tyler Reguly, both from Tripwire, suggest that MS15-121 should be high on enterprise priority lists despite the bulletin being rated important and not critical.

The bulletin includes a security update for a Microsoft Secure Channel (Schannel) vulnerability in Windows that could lead to spoofing exploits and man-in-the-middle attacks.

Young called this an important step towards hardening secure connections established through Microsoft's Schannel library.

"While Microsoft has rated this patch as important, systems administrators using client based certificate authentication should treat this update as high priority for both clients and servers because the described attack can allow a malicious server to inject data into the beginning of a session and potentially interact with a site in defiance of the same-origin policy," Young said. "Additionally, variations of this attack can enable attackers to impersonate clients on other protocols that use TLS-based authentication. This makes this patch a key priority for VPN servers utilizing PEAP, and Active Directory deployments with SASL [Simple Authentication and Security Layer] bindings are also likely to need attention."

MS15-112 and MS15-113 are the bulletins for patches to Microsoft's Internet Explorer and Edge browsers, respectively. The bulletin for IE includes 25 fixes, 23 of which are rated critical and could lead to RCE, while the bulletin for Edge includes four fixes, three of which are critical and could lead to RCE.

The last critical bulletin of the month, MS15-114, addresses a vulnerability in Windows that could be exploited if a user opens a specially crafted Windows Journal file and could lead to RCE. This flaw affects all supported versions of Windows.

MS15-116 addresses seven important vulnerabilities in Microsoft Office, five of which could allow remote code execution if a user opens a specially crafted Office file and the affected user profile has sufficient rights.

MS15-117, MS15-118 and MS15-119 are all rated important and address vulnerabilities in Windows NDIS, the .NET Framework and Winsock, respectively, that could lead to elevation of privilege.

MS15-122 details an important vulnerability that could allow an attacker to bypass Kerberos authentication on a target machine and decrypt drives protected by BitLocker. However, Microsoft notes that the bypass can be exploited only if the target system has BitLocker enabled without a PIN or USB key, the computer is domain-joined, and the attacker has physical access to the computer.

MS15-120 resolves a denial-of-service vulnerability in IPSec, and MS15-123 is a security update for Skype for Business and Microsoft Lync that fixes a flaw that could allow information disclosure if an attacker invites a target user to an instant message session and then sends that user a message containing specially crafted JavaScript content.
