November, for those of us who live in the U.S., is all about the beautiful autumn leaves, football games, turkey dinners and most important, giving thanks for all that we have. In the IT industry, sometimes we stay so busy that we forget to stop and think about all the amazing things that have happened in the technology world in our lifetimes and to express our gratitude for how it’s benefitted us all.

One thing that we should all be thankful for is the ongoing efforts that software vendors make to keep their products updated and make them safer for us to use. It’s easy for those who aren’t developers to say that operating systems and applications shouldn’t have security vulnerabilities to begin with, but anyone who has actually written complex code knows that’s much more easily said than done. The sheer size of operating systems and major applications, and the fact that there are many different programmers working on different parts of those programs, often under heavy time constraints to get the product out by a deadline, all contribute to the shipping of software that has exploitable vulnerabilities.

Companies such as Microsoft and its top competitors in this business devote a huge chunk of their resources to finding and fixing those flaws before the bad guys can take advantage of them. I spent last week on the Microsoft campus learning more about their processes and although most of the information is under NDA (so I can’t talk about details), I can tell you that they are working constantly to improve the security of their products and services, with a number of exciting new security-related releases on the horizon.

This month we’re looking at an even dozen security updates from the Microsoft Security Response Center (MSRC) – a fairly heavy patching load but not a back-breaking one. Ten are for Windows and/or its built-in components (IE, Edge), one is for Office and one is for Lync/Skype for Business. Four of the updates for Windows are rated critical and the rest are classified as important.

We’ll take a look at each individually, and you can find more information in the November bulletin summary at https://technet.microsoft.com/en-us/library/security/ms15-nov.aspx

Critical

MS15-112 (KB 3104517) This is the usual cumulative update for Internet Explorer, and affects all currently supported versions of IE: 7, 8, 9, 10, and 11 and all versions of Windows client and server operating systems (excluding the server core installations, which don’t have a web browser installed).

There are 25 vulnerabilities addressed, most of which are memory corruption issues. Also included is an ASLR bypass vulnerability and an information disclosure vulnerability. The most severe of these can be used to accomplish remote code execution.

The update fixes the problems by changing the way IE itself, JScript, VBScript and other functions handle objects in memory, adding more permission validations and ensuring that the ASLR feature is properly implemented.

MS15-113 (KB 3104519) This is a cumulative update similar to MS15-112 but for Microsoft’s new Edge web browser that runs on Windows 10, including the “Threshold 2” version, also known as the Fall Update and identified in the Windows info dialog boxes as v.1511.

The update addresses four vulnerabilities, three of them memory corruption issues and the fourth being the ASLR bypass. The memory corruption vulnerabilities are rated critical on client systems and important on servers, whereas the ASLR bypass is rated important on clients and low on servers. There are no published mitigations or workarounds.

The update fixes the problems by changing the way Edge handles objects in memory and ensuring that ASLR is properly implemented.

MS15-114 (KB 3100213) This is an update for Windows Journal in supported versions of Windows Vista, Windows 7, and Windows Server 2008 and 2008 R2. Newer editions of the operating system are not affected.

The update addresses a single heap overflow vulnerability in the Journal component of the OS, which an attacker can exploit to cause arbitrary code execution in the context of the logged-on user by convincing the user to open a specially crafted Journal file. There is a published workaround that includes removing the .jnt file type association, which means .jnt files can no longer be opened by double-clicking them. You can also remove/disable Windows Journal completely. Instructions for these workarounds can be found in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms15-114.aspx

The update fixes the problem by changing the way the Windows Journal parses Journal files.

MS15-115 (KB 3105864) This is an update for seven vulnerabilities in Windows. It affects all currently supported versions of the operating system, including Vista, Windows 7, Windows 8/8.1, Windows 10, Windows RT/RT 8.1 and Windows Server 2008, 2008 R2, 2012, and 2012 R2, including server core installations.

The vulnerabilities addressed include two Windows kernel memory elevation of privilege issues, two Windows kernel memory information disclosure issues, two Windows Graphics memory remote code execution vulnerabilities and a Windows kernel security feature bypass vulnerability. The most severe of these can allow for remote code execution and there are no published mitigations or workarounds for any of them.

The update fixes the problems by changing the way Windows handles objects in memory, the way Adobe Type Manager Library in Windows handles embedded fonts and the way the Windows kernel validates certain permissions.

Important

MS15-116 (KB 3104540) This is an update for Microsoft Office applications that affects Office 2007, 2010, 2013 and 2016, as well as Office 2013 RT and individual Office 2007 programs: Access, Excel, InfoPath, OneNote, PowerPoint, Project, Publisher, Visio and Word. It also affects Office for Mac 2011 and 2016, as well as the Office Compatibility Pack, Excel Viewer and Word Viewer. In addition, SharePoint Server 2007, 2010 and 2013 are affected, as well as Office Web Apps 2010 and 2013. Finally, Skype for Business 2016 and Lync 2013 are also affected by this update. It is rated important.

Note that only specific configurations of Office are affected and those configurations that are not affected won’t be offered the update.

The vulnerabilities that are addressed include five memory corruption issues, an elevation of privilege issue and an Outlook for Mac spoofing vulnerability, for a total of seven CVEs. The memory corruption vulnerabilities can be exploited to accomplish remote code execution but a user would have to be convinced to open a specially crafted file.

The update fixes the problems by changing the way Office applications and services handle objects in memory, changing the way Outlook validates and sanitizes HTML input and making sure that IE doesn’t allow affected Office applications to be instantiated with a COM control.

MS15-117 (KB 3101722) This is an update for NDIS, the Network Driver Interface Specification, in Windows. It affects only Vista and Windows 7 clients and Windows Server 2008 and 2008 R2 server operating systems. The server core installation is also affected. The rating is important for all of these.

The update addresses a single vulnerability, which is an elevation of privilege issue that occurs when NDIS fails to check buffer length before it copies memory into the buffer. The good news is that an attacker would have to be able to log onto the system in order to be able to exploit the vulnerability. There are no published mitigations or workarounds.

The update fixes the problem by changing the way NDIS validates buffer length.

MS15-118 (KB 3104507) This is an update for the .NET Framework in Windows. It affects versions 2.0, 3.5, 3.5.1, 4.5, 4.5.1, 4.5.2, 4.6 on Vista, Windows 7, 8, 8.1, RT, RT 8.1 and 10, and on Windows Server 2008, 2008 R2, 2012 and 2012 R2, including server core installations. It is rated important for all.

There are three vulnerabilities addressed by the update, which include a .NET information disclosure issue, a .NET elevation of privilege issue and a .NET ASLR bypass issue. There is a published workaround for the EoP vulnerability, which includes removing the requestPathInvalidCharacters key from web.config. Instructions for doing so can be found in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms15-118.aspx

The update fixes all three problems by changing the way ASP.NET validates the value of an HTTP request, the way the .NET Framework parses some specially crafted XML files and by making sure that the ASLR feature is properly implemented by .NET components.

MS15-119 (KB 3104521) This is an update for the Winsock component in Windows. It affects all current versions of the client and server operating systems: Vista, Windows 7, 8, 8.1, RT, RT 8.1 and 10, and Windows Server 2008, 2008 R2, 2012 and 2012 R2, including the server core installations. It is rated important for all of these.

Winsock is the Windows Sockets API that provides a standard interface between the TCP/IP protocol stack and TCP/IP client applications such as the web browser. This update addresses a single elevation of privilege issue that occurs when Winsock makes a call to a memory address without verifying that the address is valid. The attacker would have to be able to log onto the system to exploit the vulnerability. There are no published mitigations or workarounds.

The update fixes the problem by preventing Winsock from accessing invalid memory addresses.

MS15-120 (KB 3102939) This is an update for IPsec in Windows. It affects Windows 8 and 8.1, RT and RT 8.1 and Windows Server 2012 and 2012 R2, including the server core installations. It is rated important for all of these.

The update addresses a single denial of service vulnerability that occurs when IPsec doesn’t handle encryption negotiation properly. An attacker must have valid credentials to exploit this vulnerability. There are no published mitigations or workarounds for this vulnerability.

The update fixes the problem by including an additional check for verifying encryption negotiation.

MS15-121 (KB 3081320) This is an update for the Schannel component in Windows. It affects all supported client and server operating systems except Windows 10. Those affected are Vista, Windows 7, 8, 8.1, RT and RT 8.1, and Windows Server 2008, 2008 R2, 2012 and 2012 R2. It is rated important for all affected systems.

Schannel, or Secure Channel, is a security support provider that is used for SSL and TLS encryption. The update addresses a TLS triple handshake vulnerability in this component that could be exploited to allow spoofing via a man-in-the-middle (MITM) attack. There are no mitigations or workarounds published for this vulnerability.

The update fixes the problem by adding extended master secret binding support to TLS.
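As an added illustration (not code from the bulletin or from Microsoft), here is the key-derivation step that this fix changes: the TLS 1.2 PRF from RFC 5246 computing the classic master secret, next to the extended master secret from RFC 7627. Two constructed connections share the same pre-master secret and random values but were negotiated against different server certificates; the classic derivation gives both connections the same master secret, while the extended derivation binds the secret to the handshake transcript so they differ. All sample values and the transcript strings are constructed, not real TLS traffic.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def classic_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # RFC 5246 section 8.1: bound only to the two randoms, not to which server was authenticated.
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def extended_master_secret(pre_master: bytes, handshake_messages: bytes) -> bytes:
    # RFC 7627 section 4: session_hash covers every handshake message up to ClientKeyExchange,
    # so the server Certificate message is mixed into the master secret.
    session_hash = hashlib.sha256(handshake_messages).digest()
    return prf(pre_master, b"extended master secret", session_hash, 48)


# Constructed sample values. The precondition of the triple-handshake weakness is two
# connections that share pre-master secret and randoms but saw different server certificates.
PRE_MASTER = b"\x03\x03" + bytes(46)
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
TRANSCRIPT_SERVER_A = b"ClientHello|ServerHello|Certificate=A|ClientKeyExchange"
TRANSCRIPT_SERVER_B = b"ClientHello|ServerHello|Certificate=B|ClientKeyExchange"


def compare_derivations() -> dict:
    """Report whether the two connections end up with identical master secrets under each scheme."""
    classic_a = classic_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    classic_b = classic_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    ems_a = extended_master_secret(PRE_MASTER, TRANSCRIPT_SERVER_A)
    ems_b = extended_master_secret(PRE_MASTER, TRANSCRIPT_SERVER_B)
    return {"classic_same": classic_a == classic_b, "ems_same": ems_a == ems_b}


if __name__ == "__main__":
    print(compare_derivations())  # {'classic_same': True, 'ems_same': False}
```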

MS15-122 (KB 3105256) This is an update for the Kerberos protocol in Windows. It affects all currently supported client and server operating systems except Windows RT/RT 8.1. Those affected include Vista, Windows 7, 8, 8.1 and 10, and Windows Server 2008, 2008 R2, 2012 and 2012 R2, including the server core installations. It is rated important for all of these.

The single vulnerability that is addressed by this update is a security feature bypass issue that occurs when Kerberos doesn’t check a user’s password to authenticate the user when that user logs onto a workstation. This could enable an attacker to bypass authentication and decrypt BitLocker-encrypted drives. The attack only works if a domain user is logged into the targeted computer and BitLocker on that computer has been enabled without a PIN or USB key, which mitigates the threat. There are no workarounds published for this vulnerability.

The update fixes the problem by putting in an additional authentication check, which runs prior to a password change.

MS15-123 (KB 3105872) This is an update for Skype for Business and Lync. It affects Lync 2010 and 2013 and Skype for Business 2016, as well as Microsoft Lync Room System (LRS), which is the integrated hardware/software conferencing system created in partnership with Polycom, Crestron, LifeSize and SMART. It is rated important for all of these.

The single vulnerability that is addressed by this update is a server input validation issue that can result in information disclosure, because Skype for Business and Lync may improperly sanitize specially crafted content. The attacker could invite the victim to an instant message session, then send a message that contains JavaScript content that could be malicious. There are no published mitigations or workarounds for the vulnerability.

The update fixes the problem by changing the way Skype for Business and Lync clients sanitize content.