Patch Tuesday of November 2016: Six Critical Bulletins, Eight Important
November is the second-to-last Patch Tuesday of 2016, and it brings a slightly higher than typical number of bulletins: six Critical bulletins and eight Important bulletins. The 8th is the earliest date that Patch Tuesday can take place in a month; December’s Patch Tuesday (and the last of 2016) takes place in exactly five weeks. Among the items fixed today was the zero-day vulnerability in Windows that was used in the same attacks at the Adobe Flash Player zero-day in late October.
Of the Critical bulletins, two are the (expected) Internet Explorer and Microsoft Edge roll-up bulletins (MS16-142 and MS16-129, respectively). One bulletin (MS16-141) also covers the Flash zero-day, and updates the version of Flash included with supported versions of Edge/Internet Explorer.
The remaining three Critical bulletins cover flaws in various Microsoft Windows components. As is typically the case, the vulnerabilities fixed in these bulletins could allow an attacker to run their own arbitrary code on an affected system.
As we noted at the start, one of the bulletins released today patched a vulnerability (CVE-2016-7255) which was used in targeted attacks in late October. This was MS16-135, which addressed flaws in Windows Kernel-mode drivers. This vulnerability allowed for escalation of privileges; used together with the Flash vulnerability this could allow an attacker to run code on a machine with administrator privileges, allowing them to take complete control of a machine.
Other highlights of the Important bulletins include MS16-133 which fixes various flaws in Microsoft Office, MS16-136 which does the same for Microsoft SQL Server, and MS-137 which fixes issues with how Windows authenticates users.
In sync with Patch Tuesday, Adobe also released a routine update for Adobe Flash Player. APSB16-37 bumps the latest version of Flash to 220.127.116.11 for most users and fixed nine vulnerabilities.
We recommend that users update their installed software as soon as is practical for their organizations.
Trend Micro researchers took part in the discovery of the following vulnerabilities:
- CVE-2016-7255 (MS16-135)
The following vulnerabilities were disclosed via Trend Micro’s Zero Day Initiative (ZDI):
Trend Micro Solutions
- 1007990-Microsoft Windows Multiple Security Vulnerabilities (MS16-134)
- 1008006-Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2016-7196)
- 1008007-Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2016-7198)
- 1008008-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2016-7200)
- 1008009-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2016-7201)
- 1008010-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2016-7203)
- 1008011-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2016-7242)
- 1008012-Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2016-7195)
- 1008013-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2016-7202)
- 1008014-Microsoft Edge Information Disclosure Vulnerability (CVE-2016-7204)
- 1008015-Microsoft Internet Explorer And Edge Information Disclosure Vulnerability (CVE-2016-7227)
- 1008016-Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2016-7240)
- 1008017-Microsoft Internet Explorer And Edge Remote Code Execution Vulnerability (CVE-2016-7241)
- 1008018-Microsoft Office Memory Corruption Vulnerability (CVE-2016-7213)
- 1008019-Microsoft Office Memory Corruption Vulnerability (CVE-2016-7228)
- 1008020-Microsoft Office Memory Corruption Vulnerability (CVE-2016-7229)
- 1008021-Microsoft Office Memory Corruption Vulnerability (CVE-2016-7230)
- 1008022-Microsoft Office Memory Corruption Vulnerability (CVE-2016-7231)
- 1008023-Microsoft Office Memory Corruption Vulnerability (CVE-2016-7232)
- 1008024-Microsoft Office Information Disclosure Vulnerability (CVE-2016-7233)
- 1008025-Microsoft Office Memory Corruption Vulnerability (CVE-2016-7234)
- 1008026-Microsoft Office Memory Corruption Vulnerability (CVE-2016-7235)
- 1008027-Microsoft Office Memory Corruption Vulnerability (CVE-2016-7236)
- 1008029-Microsoft Windows Animation Manager Memory Corruption Vulnerability (CVE-2016-7205)
- 1008030-Microsoft Windows OpenType Font Information Disclosure Vulnerability (CVE-2016-7210)
- 1008031-Microsoft Windows Media Foundation Memory Corruption Vulnerability (CVE-2016-7217)
- 1008034-Microsoft Windows Multiple Security Vulnerabilities (MS16-135)
- 1008035-Microsoft Windows Multiple Elevation Of Privilege Vulnerabilities (MS16-138)
- 1008036-Microsoft Windows OpenType Font Parsing Vulnerability (CVE-2016-7256)