3. Best Practices
Privilege Management mitigates the impact of many exploits.
High Threat Level vulnerabilities warrant fast rollout; 2 weeks or less is ideal to reduce exposure.
User Targeted - Whitelisting and Containerization mitigate.
4.
5. Industry News
Is Edge the most secure browser? Microsoft likes to claim so, but researchers are arguing otherwise. Edge SmartScreen can apparently be used to scam users into clicking malicious links.
https://www.onmsft.com/news/flaw-in-microsoft-edge-can-turn-smartscreen-into-scamming-device-say-researchers
Mozilla Zero Day! Update 50.0.2 was released on November 30th. If you have not already, update your Mozilla browsers.
http://www.zdnet.com/article/firefox-zero-day-mozilla-tor-issue-critical-patches-to-block-active-attacks/
Adobe Flash Zero Day update released on Patch Tuesday.
https://threatpost.com/adobe-patches-flash-zero-day-under-attack/121567/
November Patches had a number of known issues reported later in the month. Most seem to involve Lenovo hardware, for which an update is available.
https://technet.microsoft.com/en-us/library/security/ms16-nov.aspx
Some Lenovo servers do not start after this update is installed. Lenovo is aware of this problem and has released a UEFI update to address it. In the interim, Microsoft has changed the detection logic in the update to prevent additional customers from being affected. For more information, see https://support.lenovo.com/us/en/solutions/ht502912.
6. CSWU-043: Cumulative update for Windows 10: December, 2016
Maximum Severity: Critical
Affected Products: Windows 10, Edge, Internet Explorer
Description: This update for Windows 10 includes functionality improvements and resolves the vulnerabilities in Windows that are described in the following Microsoft security bulletins and advisory: MS16-144, MS16-145, MS16-147, MS16-149, MS16-150, MS16-151, MS16-152, MS16-153
Impact: Remote Code Execution, Elevation of Privilege
Fixes 26 vulnerabilities: CVE-2016-7202, CVE-2016-7278, CVE-2016-7279, CVE-2016-7281, CVE-2016-7282, CVE-2016-7283, CVE-2016-7284, CVE-2016-7287, CVE-2016-7181, CVE-2016-7206, CVE-2016-7280, CVE-2016-7286, CVE-2016-7288, CVE-2016-7296, CVE-2016-7297, CVE-2016-7257, CVE-2016-7272, CVE-2016-7273, CVE-2016-7274, CVE-2016-7219, CVE-2016-7292, CVE-2016-7271, CVE-2016-7259, CVE-2016-7260, CVE-2016-7258, CVE-2016-7295
Restart Required: Requires Restart
Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
See: https://blogs.technet.microsoft.com/configmgrdogs/2016/12/07/update-to-supersedence-behaviour-for-security-only-and-security-monthly-quality-rollup-updates/
User Targeted - Privilege Management Mitigates Impact: CVE-2016-7282 (Publicly Disclosed), CVE-2016-7281 (Publicly Disclosed), CVE-2016-7202 (Publicly Disclosed), CVE-2016-7206 (Publicly Disclosed)

7. SB16-005, SB16-006, SB16-007: December, 2016 Security Only Update
Maximum Severity: Critical
Affected Products: Windows, Internet Explorer
Description: This update is the Security Only Quality Update for Windows 7, 8.1, Server 2008 R2, 2012, and 2012 R2 systems: MS16-144, MS16-146, MS16-147, MS16-149, MS16-151, MS16-153
Impact: Remote Code Execution, Elevation of Privilege
Fixes 17 vulnerabilities: CVE-2016-7202, CVE-2016-7278, CVE-2016-7279, CVE-2016-7281, CVE-2016-7282, CVE-2016-7283, CVE-2016-7284, CVE-2016-7287, CVE-2016-7257, CVE-2016-7272, CVE-2016-7273, CVE-2016-7274, CVE-2016-7219, CVE-2016-7292, CVE-2016-7259, CVE-2016-7260, CVE-2016-7295
Restart Required: Requires Restart
Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
The Security Only Quality Update is marked as Patch Type Security. This bundle includes multiple updates in a single installable package. This update does not include the Non-Security Updates and is not cumulative.
See: https://blogs.technet.microsoft.com/configmgrdogs/2016/12/07/update-to-supersedence-behaviour-for-security-only-and-security-monthly-quality-rollup-updates/
User Targeted - Privilege Management Mitigates Impact: CVE-2016-7282 (Publicly Disclosed), CVE-2016-7281 (Publicly Disclosed), CVE-2016-7202 (Publicly Disclosed)

8. CR16-005, CR16-006, CR16-007: December, 2016 Security Monthly Quality Update
Maximum Severity: Critical
Affected Products: Windows, Internet Explorer
Description: This update is the Security Only Quality Update for Windows 7, 8.1, Server 2008 R2, 2012, and 2012 R2 systems: MS16-144, MS16-146, MS16-147, MS16-149, MS16-151, MS16-153
Impact: Remote Code Execution, Elevation of Privilege
Fixes 17 vulnerabilities: CVE-2016-7202, CVE-2016-7278, CVE-2016-7279, CVE-2016-7281, CVE-2016-7282, CVE-2016-7283, CVE-2016-7284, CVE-2016-7287, CVE-2016-7257, CVE-2016-7272, CVE-2016-7273, CVE-2016-7274, CVE-2016-7219, CVE-2016-7292, CVE-2016-7259, CVE-2016-7260, CVE-2016-7295
Restart Required: Requires Restart
Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems.
The Security Only Quality Update is marked as Patch Type Security. This bundle includes multiple updates in a single installable package. This update does not include the Non-Security Updates and is not cumulative.
See: https://blogs.technet.microsoft.com/configmgrdogs/2016/12/07/update-to-supersedence-behaviour-for-security-only-and-security-monthly-quality-rollup-updates/
User Targeted - Privilege Management Mitigates Impact: CVE-2016-7282 (Publicly Disclosed), CVE-2016-7281 (Publicly Disclosed), CVE-2016-7202 (Publicly Disclosed)

9. MS16-144: Cumulative Security Update for Internet Explorer (3204059)
Maximum Severity: Critical
Affected Products: IE
Description: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Impact: Remote Code Execution
Fixes 9 vulnerabilities: CVE-2016-7202 (Publicly Disclosed), CVE-2016-7278, CVE-2016-7279, CVE-2016-7281 (Publicly Disclosed), CVE-2016-7282 (Publicly Disclosed), CVE-2016-7283, CVE-2016-7284, CVE-2016-7287
Restart Required: Requires Restart
Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
User Targeted - Privilege Management Mitigates Impact: CVE-2016-7202 (Publicly Disclosed), CVE-2016-7281 (Publicly Disclosed), CVE-2016-7282 (Publicly Disclosed)
In a web-based attack scenario an attacker could host a website in an attempt to exploit the vulnerabilities. Additionally, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could be used to exploit the vulnerabilities. However, in all cases an attacker would have no way to force users to view attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site.

10. MS16-145: Cumulative Security Update for Microsoft Edge (3204062)
Maximum Severity: Critical
Affected Products: Edge
Description: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.
Impact: Remote Code Execution
Fixes 10 vulnerabilities: CVE-2016-7206 (Publicly Disclosed), CVE-2016-7279, CVE-2016-7280, CVE-2016-7281 (Publicly Disclosed), CVE-2016-7282 (Publicly Disclosed), CVE-2016-7286, CVE-2016-7287, CVE-2016-7288, CVE-2016-7296, CVE-2016-7297
Restart Required: Requires Restart
Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
User Targeted - Privilege Management Mitigates Impact: CVE-2016-7206 (Publicly Disclosed), CVE-2016-7281 (Publicly Disclosed), CVE-2016-7282 (Publicly Disclosed)
An attacker could host a specially crafted website that is designed to exploit the vulnerabilities through affected Microsoft browsers, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by an enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email.

11. MS16-146: Security Update for Microsoft Graphics Component (3204066)
Maximum Severity: Critical
Affected Products: Windows
Description: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 3 vulnerabilities: CVE-2016-7257, CVE-2016-7272, CVE-2016-7273
Restart Required: Requires Restart
Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
User Targeted - Privilege Management Mitigates Impact
User targeted vulnerabilities: There are multiple ways an attacker could exploit these vulnerabilities.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.
In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file.

12. MS16-147: Security Update for Microsoft Uniscribe (3204063)
Maximum Severity: Critical
Affected Products: Windows
Description: This security update resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 1 vulnerability: CVE-2016-7274
Restart Required: Requires Restart
Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
User Targeted - Privilege Management Mitigates Impact
Windows Uniscribe Remote Code Execution Vulnerability CVE-2016-7274: A remote code execution vulnerability exists in Windows due to the way Windows Uniscribe handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are multiple ways an attacker could exploit this vulnerability.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.
In a file sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file.

13. MS16-148: Security Update for Microsoft Office (3204068)
Maximum Severity: Critical
Affected Products: Office, SharePoint and Office WebApps
Description: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Impact: Remote Code Execution
Fixes 16 vulnerabilities: CVE-2016-7257, CVE-2016-7262, CVE-2016-7263, CVE-2016-7264, CVE-2016-7265, CVE-2016-7266, CVE-2016-7267, CVE-2016-7268, CVE-2016-7275, CVE-2016-7276, CVE-2016-7277, CVE-2016-7289, CVE-2016-7290, CVE-2016-7291, CVE-2016-7298, CVE-2016-7300
Restart Required: May Require Restart
Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
User targeted vulnerabilities - Privilege Management Mitigates Impact
Exploitation of the vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.

14. MS16-154: Security Update for Adobe Flash Player (3209498)
Maximum Severity: Critical
Affected Products: Windows, Adobe Flash Player
Description: This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.
Impact: Remote Code Execution
Fixes 17 vulnerabilities: CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870, CVE-2016-7871, CVE-2016-7872, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7890, CVE-2016-7892
Restart Required: Requires Restart
Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.
User targeted vulnerabilities
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

15. MS16-155: Security Update for .NET Framework (3205640)
Maximum Severity: Important
Affected Products: Windows, .NET Framework
Description: This security update resolves a vulnerability in Microsoft .NET 4.6.2 Framework's Data Provider for SQL Server. A security vulnerability exists in Microsoft .NET Framework 4.6.2 that could allow an attacker to access information that is defended by the Always Encrypted feature.
Impact: Information Disclosure
Fixes 1 vulnerability: CVE-2016-7270 (Publicly Disclosed)
Restart Required: Requires Restart
Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Recommendation is within 2 weeks of release.

16. APSB16-39: Security Update for Adobe Flash Player
Maximum Severity: Critical
Affected Products: Adobe Flash Player Desktop Runtime, Google Chrome, Microsoft Edge and Internet Explorer 11, and Adobe Flash Player for Linux
Description: This security update resolves use-after-free vulnerabilities that could lead to code execution, buffer overflow vulnerabilities and memory corruption issues in Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS.
Impact: Remote Code Execution
Fixes 17 vulnerabilities: CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870, CVE-2016-7871, CVE-2016-7872, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7890, CVE-2016-7892 (exploited in the wild)
Restart Required: Requires Restart
Shavlik Priority: Shavlik rates this bulletin as a Priority 1.
Vulnerability Details
These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-7872, CVE-2016-7877, CVE-2016-7878, CVE-2016-7879, CVE-2016-7880, CVE-2016-7881, CVE-2016-7892).
These updates resolve buffer overflow vulnerabilities that could lead to code execution (CVE-2016-7867, CVE-2016-7868, CVE-2016-7869, CVE-2016-7870).
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-7871, CVE-2016-7873, CVE-2016-7874, CVE-2016-7875, CVE-2016-7876).
These updates resolve a security bypass vulnerability (CVE-2016-7890).
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
Adobe is aware of a report that an exploit for CVE-2016-7892 exists in the wild, and is being used in limited, targeted attacks against users running Internet Explorer (32-bit) on Windows.

17. 2016-94: Security Update for Mozilla Firefox 50.1
Maximum Severity: Critical
Affected Products: Firefox
Description: This security update resolves a number of issues including use-after-free vulnerabilities that could lead to code execution, buffer overflow vulnerabilities and memory corruption issues. If you have not already, apply 50.0.2, which was released on November 30th and resolves the zero day (CVE-2016-9079).
Impact: Remote Code Execution
Fixes 13 vulnerabilities: CVE-2016-9893, CVE-2016-9080, CVE-2016-9903, CVE-2016-9902, CVE-2016-9901, CVE-2016-9904, CVE-2016-9900, CVE-2016-9898, CVE-2016-9897, CVE-2016-9896, CVE-2016-9895, CVE-2016-9899, CVE-2016-9894
Restart Required: Requires Restart
Shavlik Priority: Shavlik rates this bulletin as a Priority 1.
https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/
CVE-2016-9079 Zero Day resolved in 50.0.2: A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.
Critical CVEs resolved in 50.1:
A buffer overflow in SkiaGl caused when a GrGLBuffer is truncated during allocation. Later writers will overflow the buffer, resulting in a potentially exploitable crash.
Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption.
Mozilla developers and community members Kan-Ru Chen, Christian Holler, and Tyson Smith reported memory safety bugs present in Firefox 50.0.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
Mozilla developers and community members Jan de Mooij, Iris Hsiao, Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl, Olli Pettay, Raymond Forbes, and Boris Zbarsky reported memory safety bugs present in Firefox 50.0.2 and Firefox ESR 45.5.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

18. MS16-149: Security Update for Microsoft Windows (3205655)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if a locally authenticated attacker runs a specially crafted application.
Impact: Elevation of Privilege
Fixes 2 vulnerabilities: CVE-2016-7219, CVE-2016-7292
Restart Required: Requires Restart
Shavlik Priority 2: Shavlik rates this bulletin as Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks.

19. MS16-150: Security Update for Secure Kernel Mode (3205642)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a locally authenticated attacker runs a specially crafted application on a targeted system. An attacker who successfully exploited the vulnerability could violate virtual trust levels (VTL).
Impact: Elevation of Privilege
Fixes 1 vulnerability: CVE-2016-7271
Restart Required: Requires Restart
Shavlik Priority 2: Shavlik rates this bulletin as Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks.

20. MS16-151: Security Update for Windows Kernel-Mode Drivers (3205651)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
Impact: Elevation of Privilege
Fixes 2 vulnerabilities: CVE-2016-7259, CVE-2016-7260
Restart Required: Requires Restart
Shavlik Priority 2: Shavlik rates this bulletin as Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks.

21. MS16-152: Security Update for Windows Kernel (3199709)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows kernel improperly handles objects in memory.
Impact: Information Disclosure
Fixes 1 vulnerability: CVE-2016-7258
Restart Required: Requires Restart
Shavlik Priority 2: Shavlik rates this bulletin as Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks.

22. MS16-153: Security Update for Common Log File System Driver (3207328)
Maximum Severity: Important
Affected Products: Windows
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to bypass security measures on the affected system allowing further exploitation.
Impact: Information Disclosure
Fixes 1 vulnerability: CVE-2016-7295
Restart Required: Requires Restart
Shavlik Priority 2: Shavlik rates this bulletin as Important. This means the update should be implemented in a reasonable timeframe after adequate testing. Recommendation is 2 to 4 weeks.

25. Resources and Webinars
Get Shavlik Content Updates
Sign up for Content Announcements:
Email http://www.shavlik.com/support/xmlsubscribe/
RSS http://protect7.shavlik.com/feed/
Twitter @ShavlikXML
Get Social with Shavlik
Follow us on:
Shavlik on LinkedIn
Twitter @ShavlikProtect
Shavlik blog -> www.shavlik.com/blog
Chris Goettl on LinkedIn
Twitter @ChrisGoettl
Sign up for next month's Patch Tuesday Webinar
Watch previous webinars and download presentations.
Sign up for webinars or download presentations and watch playbacks:
http://www.shavlik.com/webinars/