Forgive your local Windows admin if they’re a little shy on holiday cheer in the coming days. Blame instead Microsoft for foisting upon them on Tuesday 71 security patches, including two for vulnerabilities in Office and the Windows kernel currently under attack.
Microsoft also issued a separate advisory that warns users of a leaked Xbox Live certificate and private key pair, which it has revoked. The certificate, however, could be used by attackers to carry out man-in-the-middle attacks, but Microsoft said it cannot be used to issue other certs, spoof domains or sign code.
“Microsoft is not currently aware of attacks related to this issue,” Microsoft said in its advisory.
Of more immediate concern should be today’s bulletins—Microsoft released a dozen bulletins today, eight of which it rates as Critical—in particular, the two vulnerabilities currently under attack. The Office vulnerability, CVE-2015-6124, is one of six patched in MS15-131, and is described only as a memory-corruption vulnerability, one of five such flaws patched in the bulletin. An attacker would have to entice a user to execute the malicious file by tricking them into opening it with a vulnerable version of Office software such as Word. The sixth is a remote code execution vulnerability that is exploited via maliciously crafted emails, which the user must either preview or read.
“Workstations and terminal servers on which Microsoft Outlook is installed are at risk of this vulnerability,” Microsoft said in its advisory. “Servers could be more at risk if administrators allow users to log on to them to run programs. However, best practices strongly discourage allowing this.”
The other vulnerability under attack, CVE-2015-6175, is a kernel memory elevation of privilege in Windows; it’s one of four such flaws patched in MS15-135. An attacker would need local access and privileges to a vulnerable Windows client or server, and a successful exploit would allow an attacker to install malware or manipulate data on the compromised computer.
Another one to watch out for is MS15-127, a use-after-free vulnerability in Windows DNS that allows an attacker to remotely run code using just a crafted request to a DNS server.
“Microsoft has really given us a doozy of a Christmas present, with the ability for attackers to work a remote code execution with a DNS query,” said Bobby Kuzma, systems engineer at Core Security. “If your organization runs public-facing DNS servers on Windows, you’ve got a problem. If you’ve got internal DNS servers running Windows, then you’ve got an easy escalation path for attackers who are able to phish end users.”
As is customary, Microsoft has also released cumulative updates for its browsers Internet Explorer and Microsoft Edge. MS15-124, for IE, patches 30 vulnerabilities, including almost two dozen memory corruption vulnerabilities, in addition to multiple cross-site scripting filter bypass vulnerabilities, memory corruption and information disclosure flaws in the VBScript scripting engine, and separate ASLR bypass, information disclosure and elevation of privilege issues in the browser.
The bulletin for Microsoft Edge, MS15-125, patches 15 vulnerabilities in the Windows 10 browser, including critical remote code execution bugs resulting from memory corruption vulnerabilities.
Speaking of the VBScript scripting engine, Microsoft also sent out MS15-126, a cumulative update for JScript and VBScript. The bulletin patches two vulnerabilities: a memory corruption flaw, which can be exploited remotely, and an information disclosure flaw, which requires local access.
The three remaining Critical bulletins are:
- MS15-128: a security update for Microsoft Graphics Component patching remote code execution flaws in Windows, .NET, Office and other Microsoft products.
- MS15-129: a security update for Silverlight patching remote code execution vulnerabilities.
- MS15-130: a security update for Microsoft Uniscribe, which patches one remote code execution flaw.
There are also three other bulletins rated Important:
- MS15-132: a security update for Windows patching remote code execution vulnerabilities.
- MS15-133: a security update for Windows PGM that patches an elevation of privilege flaw.
- MS15-134: a security update for Windows Media Center that patches remote code execution vulnerabilities.
The final slate of scheduled Microsoft Patch Tuesday security bulletins for 2015 should also serve as a reminder that security support for all versions of Internet Explorer except for IE11 ends on Jan. 12.
Going forward, Microsoft has said it will support only the most current version of its browser, which, for now, is IE11 running on Windows 7, Windows 8.1 and Windows 10.
Microsoft will also cut off its lifeline for Windows XP Embedded, used by OEMs wishing to deploy only certain components of the OS, rather than a full version of XP Professional. XP Embedded is a fixture in retail point-of-sale environments, areas heavily targeted by criminals.