Microsoft today patched a half-dozen critical browser vulnerabilities that have been publicly disclosed, but apparently not used in attacks as of yet.
The critical Internet Explorer and Microsoft Edge bulletins are among six released today, along with six others with a severity rating of important. Today’s patches cap off a year in which there was a 15 percent increase in the number of Microsoft security bulletins, according to research from Qualys.
“Out of more than 3 billion scans that Qualys performs each year we saw an increase of about 20% in the total number of Microsoft vulnerabilities,” said Amol Sarwate, director of Qualys Vulnerability Labs.
The Edge bulletin, MS16-145, patches 11 vulnerabilities, most of which are remote code execution vulnerabilities. The three publicly disclosed vulnerabilities, however, are two information disclosure bugs (CVE-2016-7206 and CVE-2016-7282) and a security feature bypass (CVE-2016-7281). The security feature bypass exists because of the way the browser applies the Same Origin Policy for scripts running inside Web Workers, Microsoft said. The Same Origin Policy restricts scripts running on one site from accessing content that doesn’t originate from the same site.
The Edge bulletin also patches seven memory corruption vulnerabilities that lead to remote code execution; two are in the browser and five are in Microsoft scripting engines.
The IE bulletin, MS16-144, includes fixes for four vulnerabilities also patched in Microsoft Edge; eight flaws are patched in total. Two of the three publicly disclosed Edge bugs were also found in IE, while the third publicly disclosed bug, CVE-2016-7202, is a memory corruption vulnerability in the scripting engine. Microsoft said none of the publicly disclosed bugs have been used in attacks.
The remaining critical bulletins start with MS16-146, an update for the Microsoft Graphics Component. It includes patches for two remote code execution vulnerabilities and an information disclosure bug in Windows GDI that can be exploited online or by convincing a victim to open a document containing the exploit. MS16-147 takes care of a single remote code execution flaw in Microsoft Uniscribe, Windows services that render Unicode text. MS16-148, meanwhile, is a critical Office bulletin that patches 16 vulnerabilities. The flaws put Office users at risk for remote code execution; the bulletin patches information disclosure, security feature bypass, memory corruption and elevation of privilege vulnerabilities.
Two kernel updates, both rated important in severity, also merit some attention. MS16-150 patches a privilege escalation vulnerability that could allow an attacker to violate Virtual Trust Levels, an isolation and exploit mitigation feature. Microsoft said Windows Secure Kernel Mode fails to handle objects in memory properly, and a local attacker could run a crafted application on a targeted system to exploit the flaw.
“We’re increasingly using software defined controls like virtualization for segmentation and isolation of workloads, applications, and data,” said Bobby Kuzma, Core Security systems engineer. “As these capabilities become a core aspect of the operating system’s architecture, it deserves increased scrutiny of research into bypasses for those mitigations.”
MS16-152 patches a kernel-level information disclosure vulnerability that is triggered by the way the Windows kernel handles certain page fault system calls. A local attacker would need to be authenticated to carry out this attack, but could force the vulnerable system to disclose information from one process to another, Microsoft said.
“Remote code execution exploits require information on the relative location of different constructs in memory. Technologies that randomize that layout serve to make the attacker’s job harder. A successful modern RCE requires two vulnerabilities: one to leak information on where the parts an attacker needs to overwrite are, and a second to do the actual overwrite in memory that leads to the code execution,” Kuzma said. “By closing off a potential information disclosure vulnerability, that removes it from contention for attackers down the road, making for a more hardened attack surface.”
Microsoft also patched a .NET vulnerability it rates as important in severity that has also been publicly disclosed. MS16-155 affects .NET 4.6.2 Framework’s Data Provider for SQL Server. An exploit could allow an attacker to access information protected by the Always Encrypted feature, Microsoft said.
The remaining vulnerabilities were rated important by Microsoft:
- MS16-149 patches an information disclosure vulnerability in Windows Crypto Driver and an elevation of privilege vulnerability in Windows Installer.
- MS16-151 patches two elevation of privilege flaws in Windows Kernel-Mode Drivers.
- MS16-153 patches a single information disclosure vulnerability in the Windows Common Log File System Driver.