Microsoft released its Dec. 2016 Patch Tuesday fixes today, including 12 bulletins, six of which were rated critical.
Experts noted the release was generally business as usual, but it did set a new record for most Windows security bulletins in one year.
Microsoft had surpassed the previous record for patch bulletins in a year (135) in the Nov. Patch Tuesday release; the 12 new bulletins this month bring the total to 155 Windows security bulletins for 2016.
Tyler Reguly, manager of security research at Tripwire, said numbers like this make it harder for enterprises to keep up.
"As we wrap up what is, hopefully, the final Microsoft patch drop of the year, the numbers are quite impressive -- 155 bulletins, a 15% increase over last year's record breaking year, and more than 500 CVEs," Reguly told SearchSecurity. "With numbers like these from a single vendor, it shouldn't come as a surprise that IT organizations dealing with multiple vendors are struggling to stay on top of the patching process."
On top of the priority list for patches are MS16-144 and MS16-145, the standard browser bulletins for Internet Explorer and Microsoft Edge, respectively, along with MS16-154, which remediates critical flaws in the embedded Adobe Flash Player.
The most severe vulnerabilities in each of these bulletins could allow remote code execution (RCE) if a user views a specially crafted webpage; the damage an attacker could do would depend on the rights of the compromised user account.
MS16-146 patches critical RCE vulnerabilities in the Microsoft Graphics Component of Windows, and MS16-147 covers RCE flaws in the Uniscribe APIs, which allow for "a high degree of control for fine typography and for processing complex scripts," according to Microsoft.
Bobby Kuzma, system engineer for cybersecurity company Core Security, based in Roswell, Ga., said these patches appeared to be the fruit of deep digging by Microsoft's Project Springfield fuzzing technology.
"Uniscribe is an API for doing high precision typography layout with Unicode character sets, and is used for both languages that run right to left and top to bottom, and for layout of complex symbols and formulas. It's pretty arcane, even as weird Windows APIs go," Kuzma told SearchSecurity via email. "And a [Graphics Device Interface-based] remote execution vulnerability for the third month in a row? I have to applaud Microsoft. They're digging deep into the cesspit of legacy code in one of their oldest components inside of Windows and are really cleaning house. Pity that all of these vulns probably still exist in XP."
The final critical bulletin in the Dec. Patch Tuesday release is MS16-148, which resolves 16 vulnerabilities in Microsoft Office. The most severe, again, are critical RCE vulnerabilities, and Amol Sarwate, director of engineering at Qualys, said this bulletin needs to be a priority for enterprises.
"It's a remote code execution issue, and victims can be compromised without any user interaction due to the preview panel. This typically happens when the Outlook preview panel tries to render email content after receiving a malicious mail," Sarwate wrote in a blog post. "Another attack scenario involves user interaction when victims open malicious Office attachments."
"Virtual Trust Levels are an isolation and mitigation technology that is part of Microsoft's ongoing hypervisor and container virtualization strategies," Kuzma said. "Here we have a privilege escalation against that technology, which my spider sense is telling me warrants further exploration by researchers."
"It's classified as an information disclosure vulnerability that allows an attacker to leverage an improperly handled key to decrypt data accessed via the .NET Framework Data Provider for SQL Server," Kuzma said. "There's a lot of enterprise software built on top of this, and I'm getting a warm, Scotch-like feeling thinking of how useful that could be in the right (or wrong) hands."
Rounding out the Patch Tuesday bulletins are two elevation of privilege bulletins -- MS16-149 and MS16-151 -- in Windows and the Windows kernel-mode drivers, respectively, as well as two information disclosure bulletins -- MS16-152 and MS16-153 -- in the Windows kernel and the Common Log File System driver. These bulletins can be applied during the normal patching cycle.