November Patch Tuesday: From Science Fiction to Fact

Old School Macros Finally Get Blocked

Today Microsoft have released 14 bulletins in total of which 6 are rated Critical and 8 are rated Important. Last week Microsoft also released 25 KB updates covering Office version 2010, 2013 and 2016.

Full details of that release can be found here. A couple months back we observed a trend where new age hackers were using old school techniques to expose a vulnerability in a system and to use that vulnerability to exploit malicious attacks. One of the newest features of Microsoft Office 2016 allows enterprise administrators to block users from running Macros inside Office documents that have originated from the Internet.It does appear that Microsoft have also witnessed this trend and have made changes in order to protect their customers. We have also just learned that shortly they will be downgrading that functionality to Office 2013 enabling the same security to work in the same way it does in Office 2016. Robert Brown, Director of Services for Verismic says, “It’s great Microsoft are listening to their customers and their concerns.”

Office 2013 still has a massive market share with customers either unwilling or unable to upgrade quickly, offering this safety feature to Office 2013 will enable those customers to plan their upgrades properly and without the immediate urgency.

Microsoft are also adding detections for the BrowserModifier:Win32/Soctuseer rootkit in this month’s security release, helping to lessen interference to your browsing experience. No matter how it attempts to hide, though, most Soctuseer installations and system modifications will be uncovered and removed by the Microsoft Malicious Software Removal Tool (MSRT). We recommend our customers include this security update this within their monthly patching process, especially since it has been reported this month that one in three cyberattacks result in a security breach.

Twitter and Spotify “Dynied”

Shopping and social media sites were hit with a massive DDoS attack last week which caused three of the big names to be taken offline. Well known social media site Twitter and music sharing site Spotify are among the big names affected with many more suffering service disruptions. The focus of this attack was a company called Dyn who provide internet traffic to company websites as a service. It is believed by security analysts that the attack vector used “internet of things” as its way in.

For those not familiar, the internet of things or IoT is a term used to describe any user device which connects to the internet. Today’s IoT can be washing machines, heating controllers, IP CCTV, cars and even wireless baby monitors. Dyn provide a DNS service to large companies and was attacked using millions of devices commonly known as “bots” (unbeknown to the end user) on a “botnet” which were all infected with the “Mirai” malware.

The majority of these attacks originate in Asia and this DDoS was one was one of the largest out of China this year. Miari is a nasty little bug that trawls web for IoT devices with little or no protection and pre-set factory default access credentials. Once discovered, Mairi enlists the devices into its own botnet and proceeds to bombard targets with an overwhelming amount of requests / messages designed to overload the system and bring the website down. Cyber security expert Brian Krebs knows about this kind of attack all too well. A DDoS attack was launched on his site back in September with data overloads reaching 620 gigabits per second at its peak.James Rowney, Verismic Services Manager, commented “Attacks like these have been written into science fiction horror for decades, this is no longer science fiction, this is science fact. Be extra vigilant with your IT security.”

Set all network connected devices to use secure UserID and passwords, this is the first step to protecting yourself from being exploited in this manner.. If possible try to disconnect or power off devices that are not in use, might save you some electricity too!”START FREE TRIAL

Microsoft Updates

This month to help your IT Security Officers we have chosen a few updates from the Microsoft Patch Tuesday to prioritize this month. This recommendation has been made using evidence from industry experts (including our own), anticipated business impact and most importantly the independent CVSS score for the vulnerability.

MS16-129 – The update addresses the vulnerabilities by modifying how Microsoft browsers handles objects in memory, changing how the XSS filter in Microsoft browsers handle RegEx, modifying how the Chakra JavaScript scripting engine handles objects in memory and correcting how Microsoft Edge parses HTTP responses. This vulnerability has been publicly disclosed.

MS16-130 – The security update addresses the vulnerabilities by correcting how the Windows Input Method Editor (IME) loads DLLs requiring hardened UNC paths be used in scheduled tasks

MS16-132 – This update is actively being exploited which is why we recommend this be deployed as a priority this month. The security update addresses the vulnerabilities by correcting how the ATMFD component, the Windows Animation Manager, and the Windows Media Foundation handle objects in memory.

MS16-135 – Although this update is only marked as Important, the CVSS score tells us otherwise. It is also publically disclosed and has active exploits. We believe this should also be your priority this month.

The independent CVSS scores used in the table below range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9 as Medium, and 0-3.9 as Low.

Bulletin ID Description Impact Restart Requirement Publically Disclosed Exploited Severity CVSS Score
MS16-129 Cumulative Security Update for Microsoft Edge (3199057)

This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

Remote Code Execution Yes Yes No Critical 9.3
MS16-130 Security Update for Microsoft Windows (3199172)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a locally authenticated attacker runs a specially crafted application.

Remote Code Execution Yes No No Critical 9.3
MS16-131 Security Update for Microsoft Video Control (3199151)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution when Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.

Remote Code Execution Yes No No Critical 9.3
MS16-132 Security Update for Microsoft Graphics Component (3199120)
This security update resolves vulnerabilities in Microsoft Windows. The most severe being of the vulnerabilities could allow a remote code execution vulnerability exists when the Windows Animation Manager improperly handles objects in memory if a user visits a malicious webpage. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.
Remote Code Execution Yes No Yes Critical 9.3
MS16-133 Security Update for Microsoft Office (3199168)

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Remote Code Execution Maybe No No Important 9.3
MS16-134 Security Update for Common Log File System Driver (3193706)

This security update resolves vulnerabilities in Microsoft Windows. The vulnerability could allow elevation of privilege when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit these vulnerabilities by running a specially crafted application to take complete control over the affected system. An attacker who successfully exploits this vulnerability could run processes in an elevated context.

 

Elevation of Privilege Yes No No Important 7.2
MS16-135 Security Update for Windows Kernel-Mode Drivers (3199135)

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

 

Elevation of Privilege Yes Yes Yes Important 7.2
MS16-136 Security Update for SQL Server (3199641)

This security update resolves vulnerabilities in Microsoft SQL Server. The most severe vulnerabilities could allow an attacker could to gain elevated privileges that could be used to view, change, or delete data; or create new accounts. The security update addresses these most severe vulnerabilities by correcting how SQL Server handles pointer casting.

 

Elevation of Privilege Maybe No No Important 9.0
MS16-137 Security Update for Windows Authentication Methods (3199173)

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege. To exploit this vulnerability, the attacker would first need to authenticate to the target, domain-joined system using valid user credentials. An attacker who successfully exploited this vulnerability could elevate their permissions from unprivileged user account to administrator. The attacker could then install programs; view, change or delete data; or create new accounts. The attacker could subsequently attempt to elevate by locally executing a specially crafted application designed to manipulate NTLM password change requests.

 

Elevation of Privilege Yes No No Important 7.2
MS16-138 Security Update to Microsoft Virtual Hard Disk Driver (3199647)

This security update resolves vulnerabilities in Microsoft Windows. The Windows Virtual Hard Disk Driver improperly handles user access to certain files. An attacker could manipulate files in locations not intended to be available to the user by exploiting this vulnerability.

 

Elevation of Privilege Yes No No Important NA
MS16-139 Security Update for Windows Kernel (3199720)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application to access sensitive information. A locally authenticated attacker could attempt to exploit this vulnerability by running a specially crafted application. An attacker can gain access to information not intended to be available to the user by using this method.

 

Elevation of Privilege Yes No No Important 7.2
MS16-140 Security Update for Boot Manager (3193479)

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if a physically-present attacker installs an affected boot policy.

 

Security Feature Bypass Yes No No Important 1.7
MS16-141 Security Update for Adobe Flash Player (3202790)

This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

 

Remote Code Execution Yes NA NA Critical NA
MS16-142 Cumulative Security Update for Internet Explorer (3198467)

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

Remote Code Execution Yes Yes No Critical 9.3

START YOUR FREE TRIAL OF SYXSENSE

Get Started

Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.