Microsoft has fixed 68 vulnerabilities this Patch Tuesday, including six rated critical. The updates are spread across 14 security bulletins and include fixes for two vulnerabilities that are currently being actively exploited, one of which (CVE-2016-7255) was announced by Google late last month.
Google chose to announce the vulnerability within 10 days of alerting Microsoft to it, even though Microsoft's monthly update cycle meant the flaw would be publicly known for some time before a fix was released. Google's policy is to publish within seven days when a vulnerability is being actively exploited; otherwise it gives vendors three months to address the flaw or issue advice to mitigate the threat.
Since CVE-2016-7255 was being actively exploited by Russian hackers (Fancy Bear/Strontium/APT28), Google decided to publish details of the flaw promptly. Microsoft criticized Google's decision, saying that it would place users at greater risk of attack.
The vulnerability is in the Windows kernel and could be exploited for elevation of privilege by an attacker who logs on to an affected system and runs a specially crafted application. The Microsoft update changes how the Windows kernel-mode driver handles objects in memory. The bulletin addressing the vulnerability is MS16-135. Administrators should prioritize this update, along with MS16-132, which also fixes flaws for which exploits exist.
MS16-132 is a security update for the Microsoft Graphics Component that fixes four flaws (CVE-2016-7205, CVE-2016-7210, CVE-2016-7217, and CVE-2016-7256). An exploit has been detected for CVE-2016-7256, an OpenType font remote code execution vulnerability that is triggered by specially crafted fonts embedded in websites or documents. Successful exploitation could allow an attacker to take full control of an affected system.
Cumulative updates have been issued for Edge and Internet Explorer that address 17 vulnerabilities, many of which could lead to remote code execution. None are understood to be exploited in the wild, although two have been publicly disclosed. An Adobe Flash Player update for Edge and IE has also been released.
While not rated critical, the update for Microsoft Office should also be prioritized: none of its flaws are being actively exploited, but it addresses 10 vulnerabilities that could result in remote code execution.
Microsoft SQL Server has also been patched with an update that resolves six vulnerabilities; none are currently being exploited. If exploited, they would allow attackers to create or modify user accounts and to view, change, or delete data.