Whether or not you celebrate, you’re probably aware of a certain song that’s sung during this holiday season, recounting all of the gifts (many of which consist of humans and birds) given to the singer by his or her true love. Well, Microsoft might not send you any calling birds or geese a-laying this month (thank goodness) but the company has gifted us with the ‘Twelve Patches of Christmas’ – or for those of a different persuasion, an even dozen security updates to keep us warm as the temperatures drop.

The December patches contain the usual suspects: cumulative updates for both Internet Explorer and Edge browsers, a couple of elevation of privilege issues, and fixes for several vulnerabilities that could be exploited to accomplish remote code execution.  What’s unusual is that eight of the 12 are rated critical, which lends a bit more urgency to the matter of getting them all applied before you kick back and enjoy your eggnog by the fireplace.

There’s even a patch this time for the seven-percenters – that small minority of Windows users who still enjoy Windows Media Center (a group to which I proudly belong and will until they pry it from my cold, dead hands). It’s good to know that they haven’t completely forgotten us. Most of the rest of the patches are for Windows itself, with a couple for Office and one for Silverlight.

So here we go with this month’s updates. For more detailed information about each, see the Security Bulletin Summary on the TechNet web site at –
https://technet.microsoft.com/en-us/library/security/ms15-Dec

Critical

MS15-124 (KB 3116180)

This is the regular cumulative update for Internet Explorer that applies to versions 7, 8, 9, 10 and 11 (all supported versions) on all currently supported Windows client and server operating systems. Server core installations that do not include a web browser are not affected. It is rated critical on Windows clients and moderate on the server operating systems.

The update addresses a whopping 30 vulnerabilities, which include multiple memory corruption issues, information disclosure, XSS filter bypass, elevation of privilege and ASLR bypass vulnerabilities.  There is a workaround published for the scripting engine information disclosure vulnerability (CVE-2015-6135) and the scripting engine memory corruption issue (CVE-2015-6136). There is also a workaround for CVE-2015-6161, which is the ASLR bypass. There are no published mitigations or workarounds for any of the rest.

The update fixes these problems by changing the way IE, VBScript and certain functions handle objects in memory, preventing the XSS filter from disabling HTML attributes improperly, and ensuring that IE enforces content types and cross-domain policies correctly.

MS15-125 (KB 3116184)

This is the now-regular cumulative update for Microsoft Edge and it applies to the only released version of Edge, which runs only on Windows 10. It is rated critical, although some of the individual vulnerabilities are only rated important or moderate.

This update addresses exactly half as many vulnerabilities as its IE counterpart discussed above: 15 issues that similarly include multiple memory corruption vulnerabilities, elevation of privilege, ASLR bypass, XSS filter bypass, and also a spoofing vulnerability that wasn’t addressed in the IE update.

The update fixes these problems by changing the way IE, VBScript and certain functions handle objects in memory, preventing the XSS filter from disabling HTML attributes improperly, and ensuring that IE enforces content types and cross-domain policies correctly. It also corrects the way Edge parses HTTP responses and adds permission validations.

MS15-126 (KB 3116178)

This is a cumulative update for JScript and VBScript that affects those components running on Windows Vista and Server 2008, including the server core installation. Other versions of Windows client and server are not affected. The update is rated critical on both the client and server OS.

The update addresses two vulnerabilities, one of which is a scripting engine information disclosure issue and the other of which is a scripting engine memory corruption issue. There are workarounds published for both, which involve restricting access to VBScript.dll via the command line – however, this can negatively impact websites that run VBScript and cause them not to work properly. Exploit could lead to remote code execution.

The update fixes the problems by changing the way VBScript’s scripting engine handles objects in memory.

MS15-127 (KB 3100465)

This is an update to the DNS component in Windows that affects currently supported versions of the Windows Server operating system: Server 2008, 2008 R2, 2012 and 2012 R2, including the server core installations. It does not affect Windows client operating systems. It is rated critical for all affected systems.

This update addresses a single use-after-free vulnerability in the Domain Name System servers whereby they fail to properly parse requests. Exploit could result in remote code execution. There are no published mitigations or workarounds.

The update fixes the problem by changing the way the DNS servers parse requests.

MS15-128 (KB 3104503)

This is an update for the Microsoft Graphics component in all supported versions of the Windows client and server operating system, including server core installations and Windows RT/RT 8.1,  as well as the .NET Framework on all supported releases of Windows, Skype for Business 2016, Lync 2010 and 2013, and Microsoft Office 2007 and 2010.  It is rated critical on all affected software.

This update addresses three memory corruption vulnerabilities that occur within the graphics component when the Windows font library doesn’t handle specially crafted fonts as it should. This could lead to remote code execution. There are no mitigations or workarounds published. There are prerequisites for installing the updates on Lync 2013.

The update fixes the problems by changing the way the Windows font library handles embedded fonts.

MS15-129 (KB 3106614)

This is an update for Microsoft Silverlight v5 on Windows client and server operating systems and on Mac OS X. It is rated critical on all.

The update addresses three vulnerabilities: two information disclosure issues and a remote code execution vulnerability that occurs when Silverlight handles certain open and close requests that can result in read and write access violations. There are no mitigations published, but there is a workaround for the information disclosure vulnerabilities that involves temporarily preventing Silverlight from running in the web browser, or removing Silverlight.Configuration.exe from the IE ElevationPolicy in the registry.

The update fixes the problem by changing the way Silverlight handles certain open and close web requests and by changing the way memory is handled, to maintain the integrity of ASLR.

MS15-130 (KB 3106614)

This is an update to the Uniscribe component in Windows, which is a set of services that renders Unicode-encoded text. It affects only Windows 7 and Server 2008 R2, including the server core installation. It is rated critical for both.

The update addresses a single integer underflow vulnerability in Uniscribe that occurs when specially crafted fonts are parsed improperly. Exploit could result in remote code execution. There are no published mitigations or workarounds.

The update fixes the problem by making changes to the way Windows parses fonts.

MS15-131 (KB 3116111)

This is an update for Microsoft Office that affects Office 2007, 2010, 2013, 2013 RT and 2016, as well as Office for Mac 2011 and 2016, the Office Compatibility Pack SP3 and Excel Viewer.  It is rated important for some versions and editions and critical for others.

The update addresses six vulnerabilities, five of which are memory corruption issues and one of which is a remote code execution vulnerability that is caused by the way Outlook parses specially crafted email messages. There is a workaround published for the Outlook RCE vulnerability that involves disabling previewing messages or disabling reading Outlook messages in HTML.

The update fixes the problem by changing the way Office applications handle objects in memory.

Important

MS15-132 (KB 3116162)

This is an update for Windows library loading that affects all supported versions of the Windows client and server operating systems, including RT/RT 8.1 and the server core installations. It is rated Important for all versions and editions.

The update addresses three vulnerabilities, all of which involve Windows improperly validating input before loading libraries. Exploit could result in remote code execution. However, the attacker would have to have access to the local system; thus the important rating instead of critical. There are no published mitigations or workarounds.

The update fixes the problem by changing the way Windows validates input before loading libraries.

MS15-133 (KB 3116130)

This is an update for the Windows Pragmatic General Multicast (PGM) protocol in Windows. This protocol is not installed and enabled by default; systems where it has not been explicitly enabled are not affected. It can, however, be installed on any currently supported version of Windows client and server operating systems, including RT/RT 8.1 and server core editions.  Because only a small percentage of systems will have the protocol installed and enabled, this update is rated important rather than critical.

The update addresses a single use-after-free vulnerability in PGM, which if exploited could result in elevation of privilege. However, the attacker would have to be able to log onto the system in order to run a specially crafted application designed to create a race condition.  The low chance of the protocol being installed and enabled on a given system mitigates the threat. There are no published workarounds.

The update fixes the problem by deferring the cleanup of memory until the contents of memory no longer need to be accessed.

MS15-134 (KB 3108669)

This is an update for Windows Media Center in Windows Vista, Windows 7 and Windows 8 and 8.1. It is rated important for all versions and editions.

The update addresses a pair of vulnerabilities in the WMC component that include an information disclosure issue and a library parsing issue. The latter could, if exploited, result in remote code execution if WMC opens a specially crafted .mcl file that references malicious code. However, user interaction is required to achieve an exploit. Because the user is likely to receive a security warning if the exploit is attempted via IE or Edge, this mitigates the threat – as does the fact that WMC must be set up on the computer for the attack to work, and the majority of Windows users do not use it.  There is also a published workaround that involves unregistering the MCL protocol handler.

The update fixes the problem by changing the way WMC handles certain resources in the .mcl files.

MS15-135 (KB 3119075)

This is an update to the Windows kernel-mode drivers that affects all supported versions of the Windows client and server operating system, including RT/RT 8.1 and the server core installations. It is rated important for all.

The update addresses four vulnerabilities in the kernel-mode drivers that could be exploited to accomplish elevation of privilege and run arbitrary code in kernel mode. However, the attacker would have to be able to log onto the system in order to run a specially crafted application. There are no published mitigations or workarounds.

The update fixes the problem by changing the way the Windows kernel and Windows font drivers handle objects in memory.