Microsoft’s December Patch Tuesday is already a fact. MS15-DEC contains twelve security bulletins, eight of which critical and four – important. All critical updates are dealing with remote code execution vulnerabilities. Two of the important updates are taking care of elevation of privilege flaws, and the other two – remote code execution. Let’s go through them together and see what they are about in details.
Before we proceed, have a look at November 10 Patch Tuesday to refresh your memory on Windows-themed information scarcity.
As with previous Patch Tuesdays, information about the security updates is not efficient enough. However, going through the updates’ descriptions is an advice that should be accepted by default. Worst case scenario is a user installs updates that either push Windows 10 or drop down legal spyware services onto the computer. Or both at the same time.
MS15-124 – Critical, Requires Restart
This bulletin is defined as a Cumulative Security Update for Internet Explorer. Its KB number is 3116180. According to its official description, KB 3116180 serves to resolve vulnerabilities in Internet Explorer, the most severe of which could allow remote code execution. A successful attack exploiting this flaw would involve a user viewing a particularly crafted webpage via Explorer.
MS15-125 – Critical, for Windows 10, Requires Restart
This bulletin is a Cumulative Security Update for Microsoft Edge. Its KB number is 3116184. It is aimed at patching vulnerabilities, allowing remote code execution. The description of MS15-124 applies to MS15-125, including the necessity to reboot the machine to complete the update.
MS15-126 – Critical, May Require Restart
This security bulletin is a cumulative update for JScript and VBScript. It also addresses remote code execution. Its KB number is 3116178. KB 3116178 resolves vulnerabilities in the VBScript engine in MS.
Here is the official description:
The more severe of the vulnerabilities could allow remote code execution if an attacker hosts a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer (or leverages a compromised website or a website that accepts or hosts user-provided content or advertisements) and then convinces a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that uses the Internet Explorer rendering engine to direct the user to the specially crafted website.
MS15-127 – Critical, Requires Restart
Or a security update for Microsoft Windows DNS which addresses remote code execution. Its KB number is 3100465. This particular update has been deemed icky by the SANS Institute:
Quote A remote code execution vulnerability in Microsoft’s DNS server. Microsoft rates the exploitability as “2”, but doesn’t provide much details as to the nature of the vulnerability other than the fact that it can be triggered by remote DNS requests, which is bad news in particular if you are using a Microsoft DNS server exposed to the public internet.
Security experts’ advice is to proceed with the update as soon as possible, since such vulnerabilities are bound to happen this time around.
MS15-128 – Critical, Requires Restart
This security update is addressing remote code execution is MS Graphics Component. Also known as KB 3104503, the update resolves flaws in MS, .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync, and Silverlight. These vulnerabilities could be triggered if a user executes a specifically crafted document or visits a website that contains embedded fonts.
MS15-129 – Critical, Doesn’t Require Restart
Also known as KB 3106614, this security update for Silverlight addresses remote code execution, particularly flaws in MS Silverlight. This is what Microsoft says:
The most severe of the vulnerabilities could allow remote code execution if Microsoft Silverlight incorrectly handles certain open and close requests that could result in read- and write-access violations. To exploit the vulnerability, an attacker could host a website that contains a specially crafted Silverlight application and then convince a user to visit a compromised website. The attacker could also take advantage of websites containing specially crafted content, including those that accept or host user-provided content or advertisements.
MS15-130 – Critical, Requires Restart
Also known as KB 3108670, this security update for MS Uniscribe also addresses remote code execution.
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains specially crafted fonts.
MS15-131 – Critical, May Require Restart
KB 3116111 or MS15-131 resolves remote code execution flaws in Microsoft Office. The most severe of these vulnerabilities could enable remote code execution, when a user opens a specially crafted Microsoft Office file.
MS15-132 – Important, May Require Restart
KB 3116162 is a security update for Microsoft Windows to address remote code execution. Having in mind the nature of exploitation, why is this update important instead of critical?
Let’s have a look at the KB 3116162 article:
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker accesses a local system and runs a specially crafted application.
Nothing new here. Also, note that:
All future security and nonsecurity updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you install update 2919355 on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.
MS15-133 – Important, Requires Restart
KB 3116130 is a security update for Windows PGM and addresses elevation of privilege vulnerabilities.
The vulnerability could allow elevation of privilege if an attacker logs on to a target system and runs a specially crafted application that, by way of a race condition, results in references to memory locations that have already been freed. Microsoft Message Queuing (MSMQ) must be installed and the Windows Pragmatic General Multicast (PGM) protocol specifically enabled for a system to be vulnerable. MSMQ is not present in default configurations and, if it is installed, the PGM protocol is available but disabled by default.
MS15-134 – Important, May Require Restart
KB 3108669 is a security patch for Windows Media Center that aims at remote code execution in MS. Some of the more severe flaws could allow remote code execution if Windows Media Center executes a particularly crafted .mcl file that contains malicious code.
MS15-135 – Important, Requires Restart
KB 3119075 is a security fix for Windows kernel-mode drivers that addresses elevation of privilege flaws. Such vulnerabilities could allow elevation of privilege if an attacker logs on to a target system and runs a specially crafted application.
What about the Cumulative Update for Windows 10 – KB 3116900?
The official KB article just released by Microsoft doesn’t offer much information. Basically, the KB 3116900 description only says that improvements are included in the functionality of Win10 Threshold 2. Also, it addresses the following vulnerabilities:
3119075 MS15-135: Security update for Windows kernel mode drivers to address elevation of privilege: December 8, 2015
3116130 MS15-133: Security updates for Windows RMCAST to address elevation of privilege: December 8, 2015
3116162 MS15-132: Security updates for Windows to address elevation of privilege: December 8, 2015
3104503 MS15-128: Security updates for Microsoft graphics component to address remote code execution: December 8, 2015
3116178 MS15-126: Security updates for Microsoft VBScript and JScript to address remote code execution: December 8, 2015
3116184 MS15-125: Cumulative security update for Microsoft Edge: December 8, 2015
3116180 MS15-124: Cumulative security update for Internet Explorer: December 8, 2015
Also, learn how to fix the error caused by KB 3122947.
Why do some Windows updates require system restart, and others don’t?
The reasons for these differences are purely technical. If an update is aimed at changing a file within memory that must be running so that the operating system works accurately, the file cannot be changed while working. Windows will have to shut down first. The update will happen either upon shutting down or starting up. Some updates of the sort take place while both of the processes are happening.
Overall, Windows doesn’t require a restart if an update alters a file that isn’t in use. In addition, some non-critical updates can wait for the next ‘natural’ Windows shutdown/reboot process.