Microsoft’s December 2016 Patch Tuesday updates include a total of 12 critical and important security bulletins that resolve vulnerabilities in Windows, Office, Internet Explorer and Edge.
Several of the vulnerabilities patched this week have already been publicly disclosed. For instance, the critical bulletin MS16-144 fixes eight remote code execution, security bypass and information disclosure flaws. Of these, CVE-2016-7282, CVE-2016-7281 and CVE-2016-7202 had been publicly disclosed before they were addressed by Microsoft.
The Edge browser is also affected by CVE-2016-7282 and CVE-2016-7281, along with an information disclosure flaw (CVE-2016-7206) whose existence has also been made public. Microsoft has patched a total of 11 flaws in Edge with the critical bulletin MS16-145.
Another critical bulletin is MS16-146, which resolves one information disclosure and two remote code execution vulnerabilities in Windows graphics components. A serious remote code execution weakness has also been fixed in Windows Uniscribe with the MS16-147 bulletin.
The bulletin that patches the largest number of security holes is MS16-148. It addresses 16 privilege escalation, information disclosure, security feature bypass, arbitrary code execution, and DLL sideloading flaws in Office, including Office for Mac.
The important bulletin MS16-155 also addresses a publicly disclosed vulnerability, namely an information disclosure bug in the .NET framework (CVE-2016-7270). The other important bulletins each fix one or two security holes in the Common Log File System (CLFS) driver, the kernel and various other Windows components.
One of the critical bulletins covers Flash Player, in which Adobe patched 17 vulnerabilities on Tuesday, including a zero-day exploited in targeted attacks.
“As we wrap up what is, hopefully, the final Microsoft patch drop of the year, the numbers are quite impressive -- 155 bulletins (a 15% increase over last year’s record breaking year) and more than 500 CVEs,” Tyler Reguly, manager of security research at Tripwire, told SecurityWeek. “With numbers like these from a single vendor, it shouldn't come as a surprise that IT organizations dealing with multiple vendors are struggling to stay on top of the patching process.”
Users have been reminded that starting with February 2017, security bulletins will be replaced by the Security Updates Guide, where they can view and search vulnerability information in a single online database.