Microsoft kicked off election day on Tuesday with a hefty patch load for IT administrators – 14 security updates, six of them ‘critical’ and eight rated ‘important’.
Probably the highest-profile vulnerability fixed this month was CVE-2016-7255, a local privilege escalation bug being actively exploited in the wild in concert with Adobe Flash vulnerability CVE-2016-7855, which has also now been patched.
There was controversy surrounding the Google researchers’ disclosure of the former flaw before Microsoft had time to patch it. However, because it was being actively exploited, Google felt it appropriate to shorten its usual 60-day time-to-disclosure window to a week.
Trustwave threat intelligence manager, Karl Sigler, agreed with Google’s stance.
“Here at Trustwave we have a similar policy. If people are being actively exploited due to buggy code in your software then I think [giving Microsoft] a week before disclosing those details is more than fair,” he explained in a blog post. “Even without a vendor patch, detailed technical guidance can provide work-arounds like software to disable or Indicators of Compromise (IoCs) to monitor for.”
Elsewhere, MS16-129 is a critical update for Edge fixing 17 bugs, MS16-130 fixes three critical flaws in Windows, MS16-131 patches a critical RCE bug in the Video Control, and MS16-132 does the same for the Microsoft Graphics Component.
MS16-133 is rated only as ‘important’ but should also be treated urgently, according to Qualys’ director of vulnerability labs, Amol Sarwate.
“Microsoft Office bulletin MS16-133 contains fixes for 10 vulnerabilities that could allow attackers to take complete control of the system,” he explained.
“In addition to these 10 fixes there is an information disclosure as well as a denial-of-service, i.e. crash, which was fixed. Since Office documents are prevalent in a typical corporate environment, I think this bulletin should be treated as critical even if it is rated as ‘important’.”