Security Experts:

Microsoft Fixes Critical Vulnerabilities in Windows, IE, Edge

The security bulletins released by Microsoft on Tuesday patch tens of critical and important vulnerabilities found in the company’s products.

The November 2015 Patch Tuesday updates include a dozen security bulletins that address issues in Windows, Internet Explorer, Edge, Office, Lync, Skype for Business, and the .NET Framework.

The security bulletins resolve 49 vulnerabilities, more than 30 of which have been rated critical. The four critical bulletins address remote code execution flaws in Windows, Internet Explorer and Edge. As highlighted by vulnerability management firm Qualys, the number of security holes identified in Edge is considerably smaller than the number of bugs found in Internet Explorer.

“Edge is clearly more secure than Internet Explorer and a solid choice as your Internet Browser if your users can run all their business applications with it,” explained Wolfgang Kandek, CTO of Qualys.

One of the critical bulletins is MS15-115, which fixes multiple remote code execution flaws related to how the Adobe Type Management library in Windows handles embedded fonts, and several privilege escalation and information disclosure vulnerabilities in the Windows kernel.

Another critical bulletin is MS15-112, which patches over two dozen remote code execution, privilege escalation, information disclosure, and security bypass vulnerabilities in Internet Explorer. Four of these issues have also been fixed in Microsoft Edge with the release of the MS15-113 bulletin.

A critical heap overflow flaw has also been addressed in Windows. The security bug allows an attacker to remotely execute arbitrary code by getting a victim to open a specially crafted file in Windows Journal.

Microsoft has also patched an “important” vulnerability that can be exploited in attacks against drives encrypted with the BitLocker tool. The flaw will be detailed this week at Black Hat Europe in Amsterdam by Ian Haken.

According to Tripwire researcher Craig Young, system administrators should also treat the MS15-121 bulletin as a high priority update.

“With bulletin MS15-121, Microsoft is taking an important step towards hardening secure connections established through Microsoft's SChannel library. With this update in place services can now utilize extended master secret computation needed to protect against the ‘Triple Handshake’ attack documented by a team of researchers (including a Microsoft engineer) in March 2014,” Young told SecurityWeek.

“While Microsoft has rated this patch as important, systems administrators using client based certificate authentication should treat this update as high priority for both clients and servers because the described attack can allow a malicious server to inject data into the beginning of a session and potentially interact with a site in defiance of the same-origin policy,” the expert explained. “Additionally, variations of this attack can enable attackers to impersonate clients on other protocols that use TLS-based authentication. This makes this patch a key priority for VPN servers utilizing PEAP and Active Directory deployments with SASL bindings are also likely to need attention.”

Microsoft says it’s not aware of any attempts to exploit these vulnerabilities in the wild. However, the advisory for MS15-115 shows that one of the Windows kernel memory information disclosure vulnerabilities (CVE-2015-6109) has been publicly disclosed.

“As Microsoft's record setting bulletin number continues to climb, we see all of the usual suspects once again. Microsoft's browsers (Internet Explorer and Edge), along with Office, .NET, and the Windows Kernel all appear to have standing invites to Patch Tuesday every year but we're definitely seeing new contenders for regular spots this year. Windows Journal and Lync/Skype for Business are definitely at the top of that list making numerous appearances this year,” Tyler Reguly, security research manager for Tripwire, told SecurityWeek.

The Microsoft Malicious Software Removal Tool (MSRT) has also been updated. A total of 29 malware families have been added to the tool this year, including some prevalent file-encrypting ransomware families such as Crowti (Reveton), Critroni (CTB-Locker), Teerac and Teslacrypt.

Adobe also released security updates on Tuesday. The company patched a total of 17 Flash Player vulnerabilities, many of which can be exploited for code execution. Google released a new version of Chrome 46 to update Flash and to address a serious information leak in PDF viewer. The researcher who found the flaw, Rob Wu, has been awarded $4,000 for his work.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.