Microsoft released its December 2015 Patch Tuesday fixes today, with a total of 12 bulletins -- eight of which were rated as critical and 10 of which could result in remote code execution, if exploited.
MS15-127 is a critical patch for a flaw that could allow remote code execution (RCE) if an attacker sends specially crafted requests to a domain name system (DNS) server. It should be put on the top of the priority list for any organization that runs DNS servers on Windows, according to Bobby Kuzma, CISSP and systems engineer for Boston-based Core Security, who rated this as the most important patch.
"Microsoft has really given us a doozy of a Christmas present, with the ability for attackers to work a remote code execution with a DNS query," Kuzma said. "If your organization runs public-facing DNS servers on Windows, you've got a problem. If you've got internal DNS servers running Windows, then you've got an easy escalation path for attackers who are able to phish end users."
Tyler Reguly, manager of security research at Tripwire Inc., based in Portland, Ore., also rated this as the most important bulletin, because it is a "true remote code execution vulnerability."
"When we say that MS15-127 is a remote code execution issue, we don't mean that it's a local issue or that it requires user interaction. Instead, we mean that remote users without credentials can potentially execute code on your system," Reguly said. "This is the true definition of a critical vulnerability and should be placed at the top of today's patching queue for environments using Microsoft DNS."
MS15-135 is a bulletin for a vulnerability in the Windows kernel that is not rated critical by Microsoft, but it is rated as one of the more important patches by Wolfgang Kandek, CTO of Qualys Inc., based in Redwood City, Calif.
Microsoft said the vulnerabilities, which are present in all supported versions of Windows, could allow elevation of privilege if an attacker logs on to a target system and runs a specially crafted application. However, Kandek noted that this is a zero-day flaw.
"There is no further information about how widely spread the vulnerability and its exploit are," Kandek wrote in a blog post, "but it is worth a top spot in our priority list."
MS15-131 covers a number of vulnerabilities in Microsoft Office -- the most severe of which could allow remote code execution if a user opens a specially crafted Microsoft Office file, which would then allow an attacker to run arbitrary code in the context of the current user.
Kandek noted that it is rare for Office bulletins to be rated critical, and this bulletin should be prioritized because it contains another zero-day flaw.
"[This] means that a vector exists to abuse the vulnerability with no user interaction," Kandek wrote. "CVE-2015-6172 is a critical vulnerability in Outlook that is triggered by a maliciously formatted email message. There is no reasonable workaround: Microsoft suggests turning off the preview pane -- the digital equivalent of 'Just don't do it,' so patch this vulnerability as soon as possible. CVE-2015-6124 is being exploited in the wild by attackers."
MS15-128 is a critical bulletin for RCE vulnerabilities in the Microsoft Graphics Component, and it affects Microsoft Windows, .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync and Silverlight. The vulnerabilities could be exploited if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts.
MS15-129 takes on critical vulnerabilities in Microsoft Silverlight -- the most severe of which could allow remote code execution if Microsoft Silverlight incorrectly handles certain open and close requests, which could result in read and write access violations.
Craig Young, security researcher at Tripwire, noted that these bulletins are a reminder of the wide attack surface exposed by Silverlight.
"With malvertising on the rise, even reputable sites cannot always be assumed free from malicious content, so patching these holes should be very high priority, along with the [Internet Explorer] and Edge bulletins," Young said. "Some administrators may wish to go a step further and consider the use of ad-blocking technology on corporate workstations."
MS15-124 and MS15-125 are those aforementioned bulletins for vulnerabilities in Internet Explorer (IE) and Microsoft Edge. There are 30 total vulnerabilities patched in IE, 23 of which are rated critical and could result in RCE. And Microsoft Edge has 15 issues, 10 of which are rated critical.
MS15-126 covers vulnerabilities in the VBScript scripting engine in Microsoft Windows. The most severe of these vulnerabilities could allow RCE if an attacker hosts a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer, or by using an embedded ActiveX control marked "safe for initialization" in an application or Microsoft Office document that uses the Internet Explorer rendering engine.
The final critical bulletin for this Patch Tuesday is MS15-130, which targets a vulnerability in Microsoft Uniscribe in Windows. This vulnerability could allow RCE if a user opens a specially crafted document or visits an untrusted webpage that contains specially crafted fonts.
Kuzma noted last month that "allowing untrusted fonts into an environment is bordering on negligence," and he was similarly perturbed to see both MS15-130 and MS15-128 dealing with more critical font-handling vulnerabilities.
"If you love your users, block fonts at the firewall. Please," Kuzma urged.
Rounding out the rest of the bulletins are MS15-132, MS15-133 and MS15-134, which address vulnerabilities in Windows, Windows PGM and Windows Media Center, respectively. None are rated as critical, but they could allow for RCE or escalation of privilege, if exploited.