I går var det duket for årets siste «Patch Tuesday» fra Microsoft og i denne oppdateringen tetter selskapet flere sikkerhetshull.
Seks kritiske feil
Oppdateringen inneholder en rekke feilrettinger og forbedringer – blant annet fikses problemene som oppstår når «den valgte hjemmesiden i Internet Explorer har en ekstremt lang URL» og ved bytte av passord for lokal konto – den fikser også flere sikkerhetsfeil.
Microsoft har publisert en liste over sikkerhetsrettinger som inneholder elleve punkter, seks av dem er kritiske. Disse gjelder for Windows generelt, Internet Explorer, Edge, Office og .NET-rammeverket. I tillegg inkluderes en oppdatering fra Adobe – denne fikser en rekke problemer i Flash Player.
MS16-144 addresses a series of vulnerabilities deemed to be Critical by the company’s severity rating system, that could compromise Internet Explorer and the system it’s installed on. By exploiting the security flaws available previous to this patch, an attacker could get full control over an affected system. The attacker would need to chain exploits together by tricking a user into viewing a malicious website, elevating his privileges on the target machine and then taking full control.
MS16-145 relates to an issue in Microsoft Edge, also deemed to be Critical. By viewing a malicious website, a user’s machine could be hacked and the attacker might gain the same user rights as the victim. Users operating with fewer rights would be less impacted than those operating as administrators.
MS16-146 is the third bulletin for this month dealing with a Critical issue, that could allow for remote code execution. This related to the Microsoft Graphics Component, which has received numerous security patches over the past few months. If an attacker tricks the user into opening a malicious website or document, he could get the same level of control over the machine as the user.
MS16-147 has to do with Microsoft Uniscribe, a set of APIs that allow for control for fine typography and for processing complex scripts. This issue is also deemed to be Critical, as an attacker could gain the same privileges as the current user, if the victim opens a malicious website or document.
MS16-148 is the final Critical patch to come out of Microsoft for this season. It has to do with Microsoft Office, Office Services and Office Web Apps. An attacker could end up running code remotely, with the same degree of freedom as the current user if the victim opens a malicious Microsoft Office file.
MS16-149 deals with an escalation of privileges issue in Microsoft Windows, and is deemed to be an Important patch. An attacker could gain administrative privileges over a system, if he ran a specially created application. However, the attacker would need to be local and already be authenticated on the system.
MS16-150 and MS16-151 have to do with Windows Kernel Mode and Kernel-Mode Drivers. An attacker could gain administrative privileges over a system if he’s able to locally run a specially crafted script.
MS16-152 and MS16-153 fix issues where Windows could end up leaking information in some scenarios. The first bulletin addresses a flaw with the way the Windows Kernel handles objects in memory, while the second one has to do with the Common Log File System Driver (CLFS). In this latter scenario an attacker could trick Windows into disclosing information by running a specially crafted application locally.
MS16-155 may be the last security update to come out of Redmond for 2016 and it addresses security flaws in the .NET Framework. Deemed to be an Important issue, this flaw allowed an attacked to access information defended by the “Always Encrypted” features in some versions of .NET 4.6.2
MS16-154 is the last security update on our list and it’s deemed to be a Critical one as some of these flaws are already being exploited in the wild. However, this patch isn’t from Microsoft, but rather from Adobe, and it fixes a number of issues found in Flash Player.