Patch Tuesday November 2016: Microsoft Fixes Flaw Controversially Outed By Google

Microsoft’s Patch Tuesday fixes a zero-day flaw that is being exploited in the wild by a hacker group called Strontium, a group allegedly linked to senior Russian officials.

November’s security update is a fairly large one with 14 security bulletins, six of which are critical and eight rated as important.

Some may feel the top priority for IT managers is MS16-135, which fixes a vulnerability that was disclosed by Google in a controversial manner late last month. Microsoft was left fuming after Google gave Redmond just six days to patch it before it went public.

Google Controversy

Google justified its actions saying it normally gave software vendors extensions to its 60-day disclosure period if they say they’re working on a patch, but that doesn’t apply to bugs being actively exploited, which get only seven days.

That vulnerability was being exploited by Strontium hackers, the same group that US intelligence officials last month officially blamed for recent politically motivated hacking incidents, including the release of emails stolen from the Democratic National Committee (DNC).

“The November Patch Tuesday is here and it’s a big one with 14 bulletins covering 68 unique CVEs,” blogged Karl Sigler, Threat Intelligence Manager at Trustwave. “Despite the large volume of patches, this patch cycle still promises to be less painful than Election Day here in the USA.

“Overall we have six bulletins rated Critical and eight rated Important. The Critical bulletins affect the usual suspects like Internet Explorer and Edge, GDI and Adobe Flash, but several components we rarely see also make an appearance including remote code execution vulnerabilities in Microsoft Video Control and Microsoft Windows core OS.”

Patch Breakdown

“November Patch Tuesday is forced to share the spotlight this month,” said Todd Schell, Product Manager at Heat Software.

“It’s Election Day in the US and likely on the minds of most people. However, Microsoft also released 14 security updates today, 6 of which are rated critical. Thankfully, there is just one active exploit on an older version of Windows this month so once you’ve cast your vote, make sure to apply these updates.”

Schell thinks that browser updates should be the top priority for IT teams.

“MS16-129 is a critical, cumulative update for Edge. It addresses 17 unique CVEs, the most troublesome being the possibility of a remote code execution if a user views a malicious webpage while using Edge,” said Schell. “Internet Explorer users also have a critical, cumulative update in MS16-142 which could also result in a remote code execution when successfully exploited.”

Meanwhile, MS16-141 is a critical update for Adobe Flash Player when installed on later versions of Windows.

MS16-130 is a critical update for almost all versions of Windows, both desktop and server applications.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
