This is the second round of cumulative updates for Windows 7 and 8.x systems following Microsoft's announcement to use the Windows 10 patch roll-up approach for all desktop systems. With 14 bulletins for this November Patch Tuesday, Microsoft has updated Windows and Office and has also had to wrap another Adobe Flash Player update to manage two zero-day exploits. Six updates have been rated as critical and the remaining eight are rated as important, together covering a total of 68 vulnerabilities, three with public disclosures.
Shavlik has helpfully created this month's Patch Tuesday infographic and has also added some useful narrative on the upcoming Google and Oracle updates.
MS16-129 -- Critical
Microsoft updates Edge this month with MS16-129 in an attempt to resolve 17 vulnerabilities, one of which has been publicly disclosed. These vulnerabilities primarily relate to memory corruption issues -- if left unpatched they could lead to a remote code execution scenario. Given the high number of serious exploits addressed in this update, this is a "Patch Now" update for Edge.
MS16-130 -- Critical
MS16-130 represents the Windows security roll-up update for all currently supported Windows platforms. This patch addresses three privately reported vulnerabilities in two Windows components: the task scheduler and the Input Method Editor (IME). While this update is very large, the primary focus is on the Windows Multi-User Interface (MUI) components. If you are supporting Japanese or Chinese character sets, then you will need to test your language packs against this update. Otherwise, add this update to your standard patch deployment cycle.
MS16-131 -- Critical
MS16-131 addresses a single privately reported vulnerability in the Windows Video control component that could lead to a remote code execution scenario. Normally, patches of this type, which focus solely on a single component, can be fast-tracked to deployment due to their reduced testing profile. Unfortunately, this patch updates a single file -- Win32k.sys -- which happens to be one of the core system components for all Windows desktop platforms. This update will require a core systems test prior to deployment.
MS16-132 -- Critical
MS16-132 attempts to resolve four privately reported vulnerabilities in the Microsoft Graphics component, which, if left unpatched, could lead to a remote code execution scenario. This update affects all currently supported Windows platforms (desktop and server) and it appears that OpenType fonts are the cause for concern. We have seen several updates that deal with font issues in the past. Given the number of repeated attempts to fix these issues, this update should include a "core application" testing regime prior to full production deployment.
MS16-141 -- Critical
MS16-141 is the Microsoft wrapper for the Adobe Flash Player update APSB16-37, which attempts to resolve nine privately reported vulnerabilities that could lead to a remote code execution scenario. Both Microsoft and Adobe have provided some mitigation strategies to reduce the risk of these vulnerabilities, but the one true solution is for everyone to stop using Adobe Flash Player. Add this update to your "Patch Now" release cycle.
MS16-142 -- Critical
MS16-142 attempts to address seven vulnerabilities in Internet Explorer (versions 9, 10 and 11). Unfortunately, one of these vulnerabilities has been publicly disclosed and is considered a "zero-day" exploit. This is a "Patch Now" update.
MS16-133 -- Important
MS16-133 addresses twelve privately reported vulnerabilities in Microsoft Office that could lead to a remote code execution scenario. This patch appears to replace two previous memory corruption related updates posted by Microsoft earlier this year. Neither MS16-107 nor MS16-121 appeared to cause any major issues, and so I think that we can add this latest iteration to your standard patch deployment effort.
MS16-134 -- Important
MS16-134 addresses ten privately reported vulnerabilities in the Windows Common Log driver that could lead to an elevation of privilege security scenario. Although this update appears to have a narrow focus, the patch manifest (its list of updated files) is quite broad. This update will require general testing before general deployment.
MS16-135 -- Important
MS16-135 addresses ten vulnerabilities in the key Windows component Win32k.sys. I believe that Microsoft has assigned this update an important rating because the worst-case security scenario is an elevation of privilege attack on a compromised system. However, as one of these vulnerabilities has been publicly disclosed, add this update to your "Patch Now" list.
MS16-136 -- Important
MS16-136 addresses six privately reported vulnerabilities in Microsoft SQL Server that could lead to an elevation of privilege scenario. This update applies to SQL Server 2012 (SPx), 2014 and SQL Server 2016. Add this update to your standard patch deployment effort.
MS16-137 -- Important
MS16-137 represents Microsoft's general security update in this month's patch cycle and addresses three privately reported vulnerabilities that could lead to an elevation of privilege scenario. This update applies to all currently supported Windows platforms and should be added to your standard patch deployment schedule.
MS16-138 -- Important
MS16-138 addresses four privately reported vulnerabilities in the Microsoft Virtual Hard Disk Driver (VHD) which could lead to an elevation of privilege scenario if unpatched. This update will be included in the November Security only cumulative roll-up. Add this patch to your standard deployment effort.
MS16-139 -- Important
MS16-139 addresses a single, privately reported, difficult-to-exploit vulnerability in the Windows kernel that affects all currently supported versions of Windows. This patch is a component of the November Security Quality roll-up patch that updates a significant number of key system files. Testing this security roll-up against your core builds and key line-of-business applications should be a priority.
MS16-140 -- Important
MS16-140 is another key component of this month's security update and addresses a single privately reported vulnerability in the Windows Boot Manager that could lead to a security feature bypass in a compromised system's boot process. Add this update to your monthly security cumulative update roll-out.
This article is published as part of the IDG Contributor Network.