Happy December! In this last Patch Tuesday installment for 2016, Microsoft released 12 security bulletins, which brings the 2016 yearly count to 155. That is about 15% more than last year. Across the more than 3 billion scans that Qualys performs each year, we saw an increase of about 20% in the total number of Microsoft vulnerabilities detected. That increase can be attributed both to the growth in scanning volume and to the 15% increase in the number of Microsoft bulletins. The year is not over yet, and I will come up with the normalized number after it ends.
Of the 12 Patch Tuesday security bulletins released today, one of which covers Adobe Flash Player, half are rated Critical and the other half Important.
Starting with browsers, the Internet Explorer update MS16-144 fixes three vulnerabilities (CVE-2016-7282, CVE-2016-7281, CVE-2016-7202) that were publicly disclosed before today's patch became available. If MS16-144 is left unpatched, an attacker can take complete control of the victim's machine. The Edge update MS16-145 likewise fixes three publicly disclosed vulnerabilities (CVE-2016-7206, plus CVE-2016-7282 and CVE-2016-7281, which it shares with the IE bulletin). In both cases the remote code execution issue can be exploited simply by getting the victim to open a malicious or compromised web page, so these should be at the top of the list for any machine used for browsing.
The Microsoft Office bulletin MS16-148 is also Critical, as it addresses remote code execution, and victims can be compromised without any user interaction through the Outlook Preview Pane: the vulnerable code is reached when Outlook renders the body of a malicious e-mail for preview, before the user has opened it. The more conventional attack scenario still applies as well, where the victim is tricked into opening a malicious Office attachment.
Security bulletins MS16-146 and MS16-147 affect the Microsoft Graphics Component and Uniscribe, respectively. Both can be exploited if a user visits a malicious website hosted by an attacker, and both are rated Critical because successful exploitation gives the attacker full control of the machine. The .NET Framework update MS16-155 (rated Important) fixes a vulnerability that was publicly disclosed before today's patch became available. It is an information disclosure issue that lets an attacker access data that should be protected by the .NET Always Encrypted feature of the SQL Server data provider, which is meant to keep plaintext values away from the database server and anyone who compromises it.
The remaining bulletins today are rated Important and can lead to information disclosure or elevation of privilege, in scenarios where the attacker already has valid credentials or local access to the target system.
Overall, Microsoft ended 2016 with roughly a 15% increase in the number of security bulletins over 2015. Across the industry we see the total number of unpatched Microsoft vulnerabilities increase by about 20%.