December 2016 Patch Tuesday saw Microsoft correct 34 separate flaws across 12 bulletins. Six bulletins are rated critical; the remaining six are rated important. The latest round of patching rounds off a year that has been a record-breaker for Microsoft. More Windows patch bulletins have been released in 2016 than in any past year. The number of patch bulletins released in 2016 is 15% higher than last year, which was also a record-breaking year. The yearly total of Windows patch bulletins now stands at 155 after December 2016 Patch Tuesday. The record was broken in November, when the total exceeded the previous record of 135 Windows patch bulletins. With so many patch bulletins, it can be difficult for organizations to keep on top of the updates.
The critical flaws addressed on December 2016 Patch Tuesday are: MS16-144, MS16-145, MS16-146, MS16-147, MS16-148, MS16-154. Those bulletins correct vulnerabilities in Windows, Microsoft Edge, Microsoft Office, and Internet Explorer.
MS16-144 and MS16-145 address critical vulnerabilities in the Internet Explorer and Microsoft Edge browsers respectively. The vulnerabilities would allow attackers to remotely execute code if users were convinced to visit a specially crafted webpage. If exploited, the vulnerabilities could result in an attacker taking full control of the device. MS16-147 affects Microsoft Uniscribe and could similarly be exploited via a specially crafted webpage, which could lead to remote code execution.
MS16-146 is a patch for the Microsoft Graphics Component which addresses two security flaws in Windows graphics components, as well as plugging a Windows GDI information disclosure vulnerability.
MS16-148 addresses a flaw in Microsoft Outlook which could be exploited using a specially crafted email message. The flaw could be exploited without any user interaction via the Outlook preview panel. If exploited, it would allow an attacker to run arbitrary code in the context of the current user.
MS16-154 contains a slew of fixes for Adobe Flash. The flaws could be exploited to achieve remote code execution. The bulletin plugs seven use-after-free vulnerabilities, four buffer overflow vulnerabilities, one security bypass flaw, and five memory corruption flaws.