No Glad Tidings In Microsoft’s Final Patch Tuesday Of 2015

Microsoft has delivered its final Patch Tuesday update for 2015 that includes an average number of bulletins, but a higher than normal number rated as critical.

Redmond delivered a total of 12 bulletins, eight of which are critical bulletins including one that fixes a zero-day vulnerability, currently in use by attackers to escalate privileges in Windows.

Record Year

It has been a busy year for Microsoft on the security side, with Qualys CTO, Wolfgang Kandek pointing to the growing security awareness in today’s worsening threat landscape.

“In total we had 135 bulletins from Microsoft in 2015, which is a significant increase from last year,” wrote Kandek in a blog posting. “New products by Microsoft only explain a small part of this increase – the majority of the increase is due to new parts of the Windows ecosystem that are being investigated for the first time, a tendency that shows how much more important computer security has become over the years.”

Qualys’s Kandek said that December’s Patch Tuesday is about average, but does seem to include a bit more severity in the bulletins than usual.

And he pointed out that the growing number of patches for zero-day exploits indicates the “growing technical capabilities of attackers,” meaning that IT managers need to not only patch their systems promptly, but also seek “additional robustness.”

The most pressing patch is MS15-135, which addresses a zero-day vulnerability in the Windows kernel. The second highest priority is MS115-131 for Microsoft Office, which is critical, which Kandek says is rare for Office bulletins, and means a “vector exists to abuse the vulnerability with no user interaction.”

His next priority is MS15-127 – a server side vulnerability in Microsoft DNS server, which is “quite a rare find.” The next critical vulnerability is in the Windows Graphics system (MS15-128), which has font handling problem. The remaining critical vulnerabilities are in Silverlight (MS15-129) and Uniscribe (MS15-130).

Kandek also pointed to a new version of Flash from Adobe (APSB15-32), which addresses a record number of 78 vulnerabilities.

Christmas Cheer

The December Microsoft Path Tuesday is upon us and it does not bring any happy tidings,” commented Karl Sigler, Threat Intelligence Manager at Trustwave.

“Across the board there are 58 individual CVEs, one of the largest releases all year,” said Sigler. “The large majority resides in Internet Explorer and Edge, which is probably to be expected at this point. This release also patches multiple remote code execution vulnerabilities in the Windows VBScript scripting engine, Microsoft Graphics Component (more font vulnerabilities), Microsoft Uniscribe, Microsoft Silverlight, Microsoft Office and Microsoft Windows DNS.

Sigler said that attention should really be paid to the last one (Microsoft Windows DNS), as it could give the attacker the ability to remotely execute arbitrary code in the context of the Local System Account.

“If there’s a silver lining here, it’s that January has historically been a very light on bulletins, so admins may get a break to recover next month,” concluded Sigler. “In the meantime put down the cookies and eggnog, you’ve got some critical patching to do.”

What do you know about Windows 10? Try our quiz!