Apple Patches Everything
And to not be outdone by Microsoft and Adobe, Apple just released patches for:
iOS 9.2
A total of 50 vulnerabilities (CVE IDs) are addressed. About 10 of them affect WebKit and may lead to arbitrary code execution by visiting a malicious website. There are a large number of additional remote code execution vulnerabilities in various iOS components that are patched.
watchOS 2.1
A lot of overlap with patches released for iOS, but no WebKit issues as watchOS does not include a browser.
Xcode 7.2
Updates to git, otools and IDE SCM. The git update fixes a number of vulnerabilities that have been known (and fixed) in the open source software for a while.
OS X 10.11.2 (and Security Update 2015-008 for Mavericks and Yosemite)
Updates to various open source packages (LibreSSL, OpenSSH, libxml2 and others). Also improvements to some hardware drivers (e.g. Thunderbolt).
Safari 9.0.2
Fixes WebKit issues for Yosemite, Mavericks and El Capitan.
tvOS
This affects the just released 4th generation Apple TV and addresses similar vulnerabilities as the new version of iOS.
Details can be found as usual here: https://support.apple.com/en-us/HT201222
Adobe Flash Update
As usual, Adobe is joining Microsoft on Patch Tuesday. So far there is only one bulletin, APSB15-32, with a patch for Adobe Flash Player. It fixes a total of 77 vulnerabilities (if I counted right...).
[1] https://helpx.adobe.com/security/products/flash-player/apsb15-32.html
December 2015 Microsoft Patch Tuesday
Special Note: MS15-127 looks particularly "nasty". A remote code execution vulnerability in Microsoft's DNS server. Microsoft rates the exploitability as "2", but doesn't provide many details as to the nature of the vulnerability other than the fact that it can be triggered by remote DNS requests, which is bad news in particular if you are using a Microsoft DNS server exposed to the public internet. In this case, I would certainly expedite this patch. This is the vulnerability to look out for this time around.
Overview of the December 2015 Microsoft patches and their status.
| # | Bulletin (replaces) | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*): clients | ISC rating(*): servers |
|---|---|---|---|---|---|---|---|
| MS15-124 | Cumulative Security Update for Internet Explorer (Replaces MS15-124) | Internet Explorer CVE-2015-6083, CVE-2015-6134, CVE-2015-6135, CVE-2015-6136, CVE-2015-6138, CVE-2015-6139, CVE-2015-6140, CVE-2015-6141, CVE-2015-6142, CVE-2015-6143, CVE-2015-6144, CVE-2015-6145, CVE-2015-6146, CVE-2015-6147, CVE-2015-6148, CVE-2015-6149, CVE-2015-6150, CVE-2015-6151, CVE-2015-6152, CVE-2015-6153, CVE-2015-6154, CVE-2015-6155, CVE-2015-6156, CVE-2015-6157, CVE-2015-6158, CVE-2015-6159, CVE-2015-6160, CVE-2015-6161, CVE-2015-6162, CVE-2015-6162 | KB 3116180 | no. | Severity: Critical; Exploitability: 1-4 | Critical | Critical |
| MS15-125 | Cumulative Security Update for Microsoft Edge (Replaces MS15-112) | Microsoft Edge CVE-2015-6139, CVE-2015-6140, CVE-2015-6142, CVE-2015-6148, CVE-2015-6151, CVE-2015-6153, CVE-2015-6154, CVE-2015-6155, CVE-2015-6158, CVE-2015-6159, CVE-2015-6161, CVE-2015-6168, CVE-2015-6169, CVE-2015-6170, CVE-2015-6176 | KB 3116184 | no. | Severity: Critical; Exploitability: 1-4 | Critical | Critical |
| MS15-126 | Cumulative Security Update for JScript and VBScript (Replaces MS15-066) | JScript/VBScript (IE8, Vista and 2008 only) CVE-2015-6135 CVE-2015-6136 | KB 3116178 | no. | Severity: Critical; Exploitability: 2,1 | Critical | Critical |
| MS15-127 | Remote Code Execution in Microsoft Windows DNS (Replaces MS12-017) | Microsoft DNS Server CVE-2015-6125 | KB 3100465 | no. | Severity: Critical; Exploitability: 2 | N/A | Critical |
| MS15-128 | Remote Code Execution Vulnerability in Microsoft Graphics Component (Replaces MS15-115) | various components (.Net, Lync, Silverlight, Skype..) CVE-2015-6106 CVE-2015-6107 CVE-2015-6108 | KB 3104503 | no. | Severity: Critical; Exploitability: 1,1,1 | Critical | Critical |
| MS15-129 | Remote Code Execution in Microsoft Silverlight (Replaces MS15-080) | Silverlight CVE-2015-6114 CVE-2015-6165 CVE-2015-6166 | KB 3106614 | no. | Severity: Critical; Exploitability: 2,2,1 | Critical | Important |
| MS15-130 | Remote Code Execution in Microsoft Uniscribe (Replaces MS14-036) | Uniscribe CVE-2015-6130 | KB 3108670 | no. | Severity: Critical; Exploitability: 3 | Critical | Important |
| MS15-131 | Remote Code Execution Vulnerability in Microsoft Office (Replaces MS15-116) | Office CVE-2015-6040 CVE-2015-6118 CVE-2015-6122 CVE-2015-6124 CVE-2015-6172 CVE-2015-6177 | KB 3116111 | no. | Severity: Critical; Exploitability: 1,1,1,1,1,1 | Critical | Important |
| MS15-132 | Remote Code Execution in Microsoft Windows (Replaces MS15-122 MS15-115) | Windows CVE-2015-6128 CVE-2015-6132 CVE-2015-6133 | KB 3116162 | no. | Severity: Important; Exploitability: 2,2,2 | Critical | Important |
| MS15-133 | Privilege Escalation Vulnerability in Windows PGM | Microsoft Message Queuing (MSMQ) CVE-2015-6126 | KB 3116130 | no. | Severity: Important; Exploitability: 2 | Important | Important |
| MS15-134 | Remote Code Execution in Windows Media Center (Replaces MS15-100) | Windows Media Center CVE-2015-6127 CVE-2015-6131 | KB 3108669 | no. | Severity: Important; Exploitability: 2,2 | Critical | Important |
| MS15-135 | Privilege Elevation Vulnerability in Windows Kernel-Mode Drivers (Replaces MS15-122 MS15-115) | Kernel-Mode Drivers (Library Loading) CVE-2015-6171 CVE-2015-6173 CVE-2015-6174 CVE-2015-6175 | KB 3119075 | yes (CVE-2015-6175). | Severity: Important; Exploitability: 1,1,1,4 | Important | Important |
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.
Patch Tuesday Warmup: Internet Explorer Sunset and Windows XP Embedded End of Support
As we are waiting for the Microsoft Santa to slide down our Data Center air conditioning duct later today to deliver a delicious package of patches (did you leave some floppy disks and a can of red bull out for him?), we got a couple other announcements from Microsoft that should not be overlooked:
- January will be the last month Microsoft will provide updates for any Internet Explorer version other than Internet Explorer 11! Even Internet Explorer 10 will no longer be supported after January patch Tuesday (January 12th, 2016).
- Support will also end for Windows XP Embedded. This will also make it more difficult for other Windows XP left-overs that tricked their version to use the Embedded updates. But nobody should be running XP anyway (right?).
- Still running Windows 7 or 8.1 (sure way to stay on MSFT Santa's "naughty" list)? Rumor has it that with today's patch Tuesday, Microsoft may re-enable the auto-upgrade to Windows 10. You may flip the switch back to not update, but it will set itself to "on" once a day.
[1] https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
[2] https://support.microsoft.com/en-us/lifecycle/search/default.aspx?=&alpha=Windows%20XP
[3] http://www.computerworld.com/article/3012278/microsoft-windows/microsoft-sets-stage-for-massive-windows-10-upgrade-strategy.html#tk.rss_all